9a1ceb9bf93c1a7c920105b55755ea8d773f24989a0a0179d5d9f5a891e9d37a

Resubmissions

25/07/2024, 13:21

240725-ql2fxatemf 8

25/07/2024, 13:17

240725-qjq76azhrl 8

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS_VL_ALL_AIO.cmd
Size

305KB
MD5

33f59b72aaa2d7257384f15e5fd9a536
SHA1

f2b980813fc36e39bfa45e14bf87ec18368a3cf4
SHA256

9a1ceb9bf93c1a7c920105b55755ea8d773f24989a0a0179d5d9f5a891e9d37a
SHA512

f71e0a7da3f4d4d41519be05eb5e3aaa18e6502087c2f30351c7498a297493945a4d63010912edc6ba62f3a0a211419b62cce1a2e51a9e3628f34392d6a630fc
SSDEEP

6144:YTJ9JzFmdIc8dGT6SLCc6Ekr6gIeQ6TsHjcqBD+N8H5:yJ9JzoIcfN6EkrzISTsHAqN26

Score

8^/10

execution persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\GlobalFlag = "256"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_Emulation = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDebug = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierFlags = "2147483648"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_ActivationInterval = "43200"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_RenewalInterval = "43200"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_HWID = "4187226795851251830"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1816	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2752	powershell.exe
4796	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\SppExtComObjHook.dll	powershell.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3036	sc.exe
1488	sc.exe
3048	sc.exe
2560	sc.exe
4324	sc.exe

Modifies registry key 1 TTPs 38 IoCs

Modify Registry

T1112

pid	Process
4820	reg.exe
2264	reg.exe
4188	reg.exe
4692	reg.exe
4336	reg.exe
1988	reg.exe
1676	reg.exe
4056	reg.exe
3620	reg.exe
2952	reg.exe
1752	reg.exe
3928	reg.exe
2832	reg.exe
2936	reg.exe
3620	reg.exe
1652	reg.exe
1828	reg.exe
3092	reg.exe
2488	reg.exe
3588	reg.exe
4664	reg.exe
2820	reg.exe
3484	reg.exe
3200	reg.exe
416	reg.exe
896	reg.exe
1580	reg.exe
4908	reg.exe
2324	reg.exe
392	reg.exe
4980	reg.exe
1492	reg.exe
2676	reg.exe
4672	reg.exe
1864	reg.exe
1752	reg.exe
1496	reg.exe
4412	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4872	powershell.exe
4872	powershell.exe
4596	powershell.exe
4596	powershell.exe
4796	powershell.exe
4796	powershell.exe
2752	powershell.exe
2752	powershell.exe
2752	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4620	WMIC.exe
Token: SeSecurityPrivilege	4620	WMIC.exe
Token: SeTakeOwnershipPrivilege	4620	WMIC.exe
Token: SeLoadDriverPrivilege	4620	WMIC.exe
Token: SeSystemProfilePrivilege	4620	WMIC.exe
Token: SeSystemtimePrivilege	4620	WMIC.exe
Token: SeProfSingleProcessPrivilege	4620	WMIC.exe
Token: SeIncBasePriorityPrivilege	4620	WMIC.exe
Token: SeCreatePagefilePrivilege	4620	WMIC.exe
Token: SeBackupPrivilege	4620	WMIC.exe
Token: SeRestorePrivilege	4620	WMIC.exe
Token: SeShutdownPrivilege	4620	WMIC.exe
Token: SeDebugPrivilege	4620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4620	WMIC.exe
Token: SeRemoteShutdownPrivilege	4620	WMIC.exe
Token: SeUndockPrivilege	4620	WMIC.exe
Token: SeManageVolumePrivilege	4620	WMIC.exe
Token: 33	4620	WMIC.exe
Token: 34	4620	WMIC.exe
Token: 35	4620	WMIC.exe
Token: 36	4620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4620	WMIC.exe
Token: SeSecurityPrivilege	4620	WMIC.exe
Token: SeTakeOwnershipPrivilege	4620	WMIC.exe
Token: SeLoadDriverPrivilege	4620	WMIC.exe
Token: SeSystemProfilePrivilege	4620	WMIC.exe
Token: SeSystemtimePrivilege	4620	WMIC.exe
Token: SeProfSingleProcessPrivilege	4620	WMIC.exe
Token: SeIncBasePriorityPrivilege	4620	WMIC.exe
Token: SeCreatePagefilePrivilege	4620	WMIC.exe
Token: SeBackupPrivilege	4620	WMIC.exe
Token: SeRestorePrivilege	4620	WMIC.exe
Token: SeShutdownPrivilege	4620	WMIC.exe
Token: SeDebugPrivilege	4620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4620	WMIC.exe
Token: SeRemoteShutdownPrivilege	4620	WMIC.exe
Token: SeUndockPrivilege	4620	WMIC.exe
Token: SeManageVolumePrivilege	4620	WMIC.exe
Token: 33	4620	WMIC.exe
Token: 34	4620	WMIC.exe
Token: 35	4620	WMIC.exe
Token: 36	4620	WMIC.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeIncreaseQuotaPrivilege	2752	WMIC.exe
Token: SeSecurityPrivilege	2752	WMIC.exe
Token: SeTakeOwnershipPrivilege	2752	WMIC.exe
Token: SeLoadDriverPrivilege	2752	WMIC.exe
Token: SeSystemProfilePrivilege	2752	WMIC.exe
Token: SeSystemtimePrivilege	2752	WMIC.exe
Token: SeProfSingleProcessPrivilege	2752	WMIC.exe
Token: SeIncBasePriorityPrivilege	2752	WMIC.exe
Token: SeCreatePagefilePrivilege	2752	WMIC.exe
Token: SeBackupPrivilege	2752	WMIC.exe
Token: SeRestorePrivilege	2752	WMIC.exe
Token: SeShutdownPrivilege	2752	WMIC.exe
Token: SeDebugPrivilege	2752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2752	WMIC.exe
Token: SeRemoteShutdownPrivilege	2752	WMIC.exe
Token: SeUndockPrivilege	2752	WMIC.exe
Token: SeManageVolumePrivilege	2752	WMIC.exe
Token: 33	2752	WMIC.exe
Token: 34	2752	WMIC.exe
Token: 35	2752	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 1880	3088	cmd.exe	87
PID 3088 wrote to memory of 1880	3088	cmd.exe	87
PID 3088 wrote to memory of 1788	3088	cmd.exe	88
PID 3088 wrote to memory of 1788	3088	cmd.exe	88
PID 3088 wrote to memory of 896	3088	cmd.exe	89
PID 3088 wrote to memory of 896	3088	cmd.exe	89
PID 3088 wrote to memory of 1132	3088	cmd.exe	90
PID 3088 wrote to memory of 1132	3088	cmd.exe	90
PID 3088 wrote to memory of 4620	3088	cmd.exe	91
PID 3088 wrote to memory of 4620	3088	cmd.exe	91
PID 3088 wrote to memory of 1808	3088	cmd.exe	92
PID 3088 wrote to memory of 1808	3088	cmd.exe	92
PID 3088 wrote to memory of 4872	3088	cmd.exe	94
PID 3088 wrote to memory of 4872	3088	cmd.exe	94
PID 3088 wrote to memory of 3436	3088	cmd.exe	95
PID 3088 wrote to memory of 3436	3088	cmd.exe	95
PID 3088 wrote to memory of 1900	3088	cmd.exe	97
PID 3088 wrote to memory of 1900	3088	cmd.exe	97
PID 3088 wrote to memory of 2112	3088	cmd.exe	98
PID 3088 wrote to memory of 2112	3088	cmd.exe	98
PID 2112 wrote to memory of 4812	2112	cmd.exe	99
PID 2112 wrote to memory of 4812	2112	cmd.exe	99
PID 3088 wrote to memory of 2724	3088	cmd.exe	100
PID 3088 wrote to memory of 2724	3088	cmd.exe	100
PID 3088 wrote to memory of 1640	3088	cmd.exe	101
PID 3088 wrote to memory of 1640	3088	cmd.exe	101
PID 1640 wrote to memory of 1524	1640	cmd.exe	102
PID 1640 wrote to memory of 1524	1640	cmd.exe	102
PID 3088 wrote to memory of 4512	3088	cmd.exe	103
PID 3088 wrote to memory of 4512	3088	cmd.exe	103
PID 3088 wrote to memory of 2104	3088	cmd.exe	104
PID 3088 wrote to memory of 2104	3088	cmd.exe	104
PID 3088 wrote to memory of 2268	3088	cmd.exe	105
PID 3088 wrote to memory of 2268	3088	cmd.exe	105
PID 3088 wrote to memory of 2348	3088	cmd.exe	106
PID 3088 wrote to memory of 2348	3088	cmd.exe	106
PID 3088 wrote to memory of 3628	3088	cmd.exe	107
PID 3088 wrote to memory of 3628	3088	cmd.exe	107
PID 3088 wrote to memory of 2132	3088	cmd.exe	108
PID 3088 wrote to memory of 2132	3088	cmd.exe	108
PID 3088 wrote to memory of 4576	3088	cmd.exe	109
PID 3088 wrote to memory of 4576	3088	cmd.exe	109
PID 3088 wrote to memory of 3036	3088	cmd.exe	110
PID 3088 wrote to memory of 3036	3088	cmd.exe	110
PID 3088 wrote to memory of 4688	3088	cmd.exe	111
PID 3088 wrote to memory of 4688	3088	cmd.exe	111
PID 3088 wrote to memory of 3904	3088	cmd.exe	112
PID 3088 wrote to memory of 3904	3088	cmd.exe	112
PID 3088 wrote to memory of 1068	3088	cmd.exe	113
PID 3088 wrote to memory of 1068	3088	cmd.exe	113
PID 3088 wrote to memory of 1752	3088	cmd.exe	114
PID 3088 wrote to memory of 1752	3088	cmd.exe	114
PID 3088 wrote to memory of 392	3088	cmd.exe	115
PID 3088 wrote to memory of 392	3088	cmd.exe	115
PID 3088 wrote to memory of 2872	3088	cmd.exe	116
PID 3088 wrote to memory of 2872	3088	cmd.exe	116
PID 3088 wrote to memory of 4772	3088	cmd.exe	117
PID 3088 wrote to memory of 4772	3088	cmd.exe	117
PID 3088 wrote to memory of 1680	3088	cmd.exe	118
PID 3088 wrote to memory of 1680	3088	cmd.exe	118
PID 3088 wrote to memory of 3928	3088	cmd.exe	119
PID 3088 wrote to memory of 3928	3088	cmd.exe	119
PID 3088 wrote to memory of 3416	3088	cmd.exe	120
PID 3088 wrote to memory of 3416	3088	cmd.exe	120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\System32\cmd.exe
  cmd /v:on /c echo(^!param^!
  2⤵
  PID:1880
- C:\Windows\System32\findstr.exe
  findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"
  2⤵
  PID:1788
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start
  2⤵
  - Modifies registry key
  PID:896
- C:\Windows\System32\find.exe
  find /i "0x4"
  2⤵
  PID:1132
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\find.exe
  find /i "ComputerSystem"
  2⤵
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $ExecutionContext.SessionState.LanguageMode
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\System32\find.exe
  find /i "Full"
  2⤵
  PID:3436
- C:\Windows\System32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR
    3⤵
    PID:1524
- C:\Windows\System32\reg.exe
  reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:4512
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2104
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:2268
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2348
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:3628
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
  2⤵
  PID:4576
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\addons 2>nul
  2⤵
  PID:4688
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
  2⤵
  PID:3904
- C:\Windows\System32\mode.com
  mode con cols=80 lines=34
  2⤵
  PID:1068
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:1752
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:392
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*retail"
  2⤵
  PID:2872
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:4772
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:1680
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:3928
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*retail"
  2⤵
  PID:3416
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:1248
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:2136
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:4692
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*volume"
  2⤵
  PID:1676
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:4716
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:2936
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:2488
- C:\Windows\System32\findstr.exe
  findstr /i /r ".*volume"
  2⤵
  PID:2036
- C:\Windows\System32\findstr.exe
  findstr /i /v "project visio"
  2⤵
  PID:4188
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:436
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:1496
- C:\Windows\System32\findstr.exe
  findstr /i /r "project.*"
  2⤵
  PID:2084
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:2736
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:4412
- C:\Windows\System32\findstr.exe
  findstr /i /r "project.*"
  2⤵
  PID:4624
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:4708
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:3588
- C:\Windows\System32\findstr.exe
  findstr /i /r "visio.*"
  2⤵
  PID:1560
- C:\Windows\System32\find.exe
  find /i "0x2"
  2⤵
  PID:4520
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
  2⤵
  - Modifies registry key
  PID:2832
- C:\Windows\System32\findstr.exe
  findstr /i /r "visio.*"
  2⤵
  PID:3632
- C:\Windows\System32\find.exe
  find /i "0x3"
  2⤵
  PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %B in (1) do rem"
  2⤵
  PID:4880
- C:\Windows\System32\choice.exe
  choice /c 1234567890EDRSVX /n /m "> Choose a menu option, or press 0 to Exit: "
  2⤵
  PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
  2⤵
  PID:2528
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:1488
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:3248
- C:\Windows\System32\net.exe
  net stop sppsvc /y
  2⤵
  PID:768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
    3⤵
    PID:1996
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:3048
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2820
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll" Force=True
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "$d='C:\Windows\System32';$f=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd') -split ':embdbin\:.*';iex ($f[1]);X 2"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\4f2gawsp\4f2gawsp.cmdline"
    3⤵
    PID:4452
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RES554F.tmp" "c:\Windows\Temp\4f2gawsp\CSC757C551370C54951B735BE1CF4D3E4E6.TMP"
      4⤵
      PID:548
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v Debugger
  2⤵
  PID:4300
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDlls /t REG_SZ /d "SppExtComObjHook.dll"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4444
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDebug /t REG_DWORD /d 0x00000000
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4012
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierFlags /t REG_DWORD /d 0x80000000
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2520
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v GlobalFlag /t REG_DWORD /d 0x00000100
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3960
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_Emulation /t REG_DWORD /d 1
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4260
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 43200
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:404
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 43200
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2144
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_HWID /t REG_QWORD /d "0x3A1C049600B60076"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
  2⤵
  PID:4324
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
    3⤵
    PID:4856
- - C:\Windows\System32\find.exe
    FIND /I "CurrentVersion"
    3⤵
    PID:4612
- C:\Windows\System32\reg.exe
  REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288" /v "CurrentState"
  2⤵
  PID:4720
- C:\Windows\System32\find.exe
  FIND /I "0x70"
  2⤵
  PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ECHO Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288
  2⤵
  PID:2872
- C:\Windows\System32\reg.exe
  REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.264" /v "CurrentState"
  2⤵
  PID:392
- C:\Windows\System32\find.exe
  FIND /I "0x70"
  2⤵
  PID:1680
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  PID:1752
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:3720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL" get LicenseFamily /value 2>nul
  2⤵
  PID:4784
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL" get LicenseFamily /value
    3⤵
    PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  2⤵
  PID:1844
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
    3⤵
    PID:4024
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:5044
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1988
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  - Modifies registry key
  PID:4980
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2936
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
  2⤵
  - Modifies registry key
  PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:4692
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:3440
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:2084
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1568
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:3572
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1260
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  PID:4204
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:2820
- C:\Windows\System32\findstr.exe
  findstr /I /C:"MondoVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4520
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlusVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:3844
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2904
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioProVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2444
- C:\Windows\System32\findstr.exe
  findstr /I /C:"StandardVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4832
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:3800
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4844
- C:\Windows\System32\findstr.exe
  findstr /I /C:"AccessVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1916
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:388
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4308
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ExcelVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1000
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OutlookVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2772
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2964
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PublisherVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4924
- C:\Windows\System32\findstr.exe
  findstr /I /C:"WordVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1980
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectProXVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4960
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStdXVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2708
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioProXVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:228
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStdXVolume" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1788
- C:\Windows\System32\findstr.exe
  findstr /I /C:"MondoRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:3436
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlusRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1264
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4512
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioProRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2104
- C:\Windows\System32\findstr.exe
  findstr /I /C:"StandardRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4812
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:3312
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:384
- C:\Windows\System32\findstr.exe
  findstr /I /C:"AccessRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4612
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4660
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:380
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ExcelRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:900
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OutlookRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1584
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2316
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PublisherRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4828
- C:\Windows\System32\findstr.exe
  findstr /I /C:"WordRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1412
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:972
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4768
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2824
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:4824
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2324
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:2260
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\c2rchk.txt"
  2⤵
  PID:1460
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  - Modifies registry key
  PID:4672
- C:\Windows\System32\findstr.exe
  findstr 2019
  2⤵
  PID:1720
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  - Modifies registry key
  PID:3484
- C:\Windows\System32\findstr.exe
  findstr 2021
  2⤵
  PID:4980
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
  2⤵
  - Modifies registry key
  PID:3200
- C:\Windows\System32\findstr.exe
  findstr 2024
  2⤵
  PID:1676
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe"
  2⤵
  PID:3988
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where "Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%'" get Name /value
  2⤵
  PID:5100
- C:\Windows\System32\find.exe
  find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2736
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%'" get Name /value
  2⤵
  PID:4488
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:3160
- C:\Windows\System32\find.exe
  find /i "Office 14"
  2⤵
  PID:1260
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:3588
- C:\Windows\System32\find.exe
  find /i "Office 15"
  2⤵
  PID:1560
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2076
- C:\Windows\System32\find.exe
  find /i "Office 16"
  2⤵
  PID:2752
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:3380
- C:\Windows\System32\find.exe
  find /i "Office 19"
  2⤵
  PID:2904
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1808
- C:\Windows\System32\find.exe
  find /i "Office 21"
  2⤵
  PID:3760
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4296
- C:\Windows\System32\find.exe
  find /i "Office 24"
  2⤵
  PID:2776
- C:\Windows\System32\find.exe
  find /i "Office16ProPlusR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:64
- C:\Windows\System32\find.exe
  find /i "Office16StandardR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4880
- C:\Windows\System32\find.exe
  find /i "Office16AccessR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:3016
- C:\Windows\System32\find.exe
  find /i "Office16SkypeforBusinessR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:632
- C:\Windows\System32\find.exe
  find /i "Office16ExcelR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4892
- C:\Windows\System32\find.exe
  find /i "Office16OutlookR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4360
- C:\Windows\System32\find.exe
  find /i "Office16PowerPointR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4300
- C:\Windows\System32\find.exe
  find /i "Office16PublisherR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4444
- C:\Windows\System32\find.exe
  find /i "Office16WordR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2800
- C:\Windows\System32\find.exe
  find /i "Office16ProfessionalR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2520
- C:\Windows\System32\find.exe
  find /i "Office16HomeBusinessR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1632
- C:\Windows\System32\find.exe
  find /i "Office16HomeStudentR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:3944
- C:\Windows\System32\find.exe
  find /i "Office16ProjectProR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:3500
- C:\Windows\System32\find.exe
  find /i "Office16ProjectStdR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2392
- C:\Windows\System32\find.exe
  find /i "Office16VisioProR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2144
- C:\Windows\System32\find.exe
  find /i "Office16VisioStdR" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:4856
- C:\Windows\System32\sc.exe
  sc query ClickToRunSvc
  2⤵
  - Launches sc.exe
  PID:2560
- C:\Windows\System32\sc.exe
  sc query OfficeSvc
  2⤵
  - Launches sc.exe
  PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:1068
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:1476
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:4984
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:2588
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:4448
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
  2⤵
  PID:564
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID" 2>nul
  2⤵
  PID:4024
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID
    3⤵
    - Modifies registry key
    PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
  2⤵
  PID:2088
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration" 2>nul
  2⤵
  PID:904
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration
    3⤵
    - Modifies registry key
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:3368
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:4692
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingService get Version /value
  2⤵
  PID:3440
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService get Version /value
    3⤵
    PID:1496
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND LicenseStatus='1' AND PartialProductKey is not NULL" get Description
  2⤵
  PID:3572
- C:\Windows\System32\findstr.exe
  findstr /V /R "^$"
  2⤵
  PID:2288
- C:\Windows\System32\find.exe
  find /i "RETAIL channel" "C:\Windows\Temp\crvRetail.txt"
  2⤵
  PID:2820
- C:\Windows\System32\find.exe
  find /i "RETAIL(MAK) channel" "C:\Windows\Temp\crvRetail.txt"
  2⤵
  PID:1560
- C:\Windows\System32\find.exe
  find /i "TIMEBASED_SUB channel" "C:\Windows\Temp\crvRetail.txt"
  2⤵
  PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "$f=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd') -split ':embdbin\:.*';iex ($f[5])"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663'" get LicenseFamily
  2⤵
  PID:4880
- C:\Windows\System32\findstr.exe
  findstr /V /R "^$"
  2⤵
  PID:3044
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Professional2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4892
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeBusiness2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4960
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeStudent2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2708
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Home2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2976
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlus2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4872
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Standard2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3436
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Excel2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1264
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Outlook2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4512
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPoint2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4212
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Word2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2104
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Access2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3312
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusiness2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4000
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectPro2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4876
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStd2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:380
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioPro2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4820
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStd2024Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1584
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Professional2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:900
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeBusiness2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4828
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeStudent2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2264
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlus2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2780
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Standard2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1588
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Excel2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3668
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Outlook2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1652
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPoint2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1844
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Publisher2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:416
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Word2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2036
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Access2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2324
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusiness2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1720
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectPro2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4188
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStd2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4980
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioPro2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1492
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStd2021Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1676
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Professional2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2488
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4500
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeStudent2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3988
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlus2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:5016
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Standard2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4056
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Excel2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1496
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Outlook2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4624
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPoint2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2012
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Publisher2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4576
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Word2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4220
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Access2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3316
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3160
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1716
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2956
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3996
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4680
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1724
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4452
- C:\Windows\System32\findstr.exe
  findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:548
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365ProPlusRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:388
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1000
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2904
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3380
- C:\Windows\System32\findstr.exe
  findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2692
- C:\Windows\System32\findstr.exe
  findstr /I /C:"MondoRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2440
- C:\Windows\System32\findstr.exe
  findstr /I /C:"StandardRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2752
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ExcelRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2176
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OutlookRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2204
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3044
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PublisherRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1980
- C:\Windows\System32\findstr.exe
  findstr /I /C:"WordRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4300
- C:\Windows\System32\findstr.exe
  findstr /I /C:"AccessRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4444
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1788
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:228
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3976
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioProRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2112
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:848
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2392
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProPlus2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2144
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Standard2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4604
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Excel2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4720
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Outlook2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4772
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPoint2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4116
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Publisher2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4688
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Word2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1864
- C:\Windows\System32\findstr.exe
  findstr /I /C:"Access2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1476
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusiness2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2316
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:972
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1752
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3276
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1412
- C:\Windows\System32\findstr.exe
  findstr /I /C:"MondoVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:332
- C:\Windows\System32\findstr.exe
  findstr /I /C:"StandardVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4824
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ExcelVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:564
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OutlookVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3772
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:4024
- C:\Windows\System32\findstr.exe
  findstr /I /C:"PublisherVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2544
- C:\Windows\System32\findstr.exe
  findstr /I /C:"WordVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3344
- C:\Windows\System32\findstr.exe
  findstr /I /C:"AccessVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3924
- C:\Windows\System32\findstr.exe
  findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:904
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3200
- C:\Windows\System32\findstr.exe
  findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:2528
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioProVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3444
- C:\Windows\System32\findstr.exe
  findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:3464
- C:\Windows\System32\findstr.exe
  findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\crvProductIds.txt"
  2⤵
  PID:1756
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\ProPlusRetail.16
  2⤵
  - Modifies registry key
  PID:3620
- C:\Windows\System32\find.exe
  find /i "Office16ProPlusVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"
  2⤵
  PID:3560
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\ProPlusVolume.16
  2⤵
  - Modifies registry key
  PID:2952
- C:\Windows\System32\find.exe
  find /i "Office16MondoVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"
  2⤵
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8857491a4a65a9a1d560c4705786a312

SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5bfec1063a497048fffb231a0621403

SHA1
97cf6a89f237f43b9c22e3e081f7d45924d435ba

SHA256
325d1ffa65e9593a834f3662168d0c1950de148c63f1e43b86727087f3881d6f

SHA512
e38c5189054cf09fb15de017d0bbe226338124ee02bb04530943c8fcfc303dbe5fe5fd28c9c1aea1b552d1a2b0b76cabbedd284a38a07d41ec9cf9e55b44dd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xca2t3la.j0x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\SppExtComObjHook.dll

Filesize
19KB

MD5
5ee1dd6608439d755f7161bb83c62216

SHA1
1a6a3e40f610a6394ef539a039308dbe2f526ac1

SHA256
5420b32332112564ab739d2305bba45f0c6559a708c360bf76becf8ef0cfba7a

SHA512
555a1cebb5d68f49ca4eb9785c98b317561781681d68f39c77b4c2d0924899a052db2f341048fa9883e8e3843326e1195e59f5adca250b3078fab5c8c9adb0f8

Download Submit
C:\Windows\Temp\4f2gawsp\4f2gawsp.dll

Filesize
4KB

MD5
1fe7a13dadcbcca0afd80faaf61755ef

SHA1
a2b553ce04300ddd591ef2a49fe366f40df107b7

SHA256
e4cb9fc24b980dd9de2806d7aee5e5a683f6ac8b60a6278683dd61679c7e6cd7

SHA512
1f69ac564510d912c0e942239554e3b29e48d5a2b3e953e6f98c2dc859516f61d912bb7d08a5eeb314d3ab65d257eb8a1873f77ea2b8249dd04be3c00af80de1

Download Submit
C:\Windows\Temp\RES554F.tmp

Filesize
1KB

MD5
f32f75144a585bf260a99c470d1dec39

SHA1
a55200bf64643019c0498fa2982640e05d38a5fc

SHA256
fef33e5a843d4965514d90eaa7593601e190bbecff798ab7cea2bc92fb63df24

SHA512
3ac91de558613e0da11c0bf603483d145a824074b67e88735cb31ec10a945630da9deccf7719081c680be1500c4e87a871a6b3605757cb00b294be0a2f27db43

Download Submit
C:\Windows\Temp\c2rchk.txt

Filesize
15B

MD5
606d9abf768025ebe0b25958d417be6c

SHA1
81b33a8807f17530f00225d09943a30a2d2bc94d

SHA256
5e2af1accb0147d7d52f896091e14821abd697a04a67855eee2b8219281c8f9d

SHA512
e3ebded19b43b85453750127f866e92e6623509559bd30048da8685dc9f3a784a0cd0a0f36e64760f6cfb9e55145e560151e8ecfb97499dca9684d6f6fec0d1f

Download Submit
C:\Windows\Temp\crvRetail.txt

Filesize
80B

MD5
8bf63053cd3d9b456db6f0f5364fbdd8

SHA1
66f296e2f8f2557651948768d23940a364fbbd8b

SHA256
6745801207605da64109696eb8edc436e5599da0012092fc5b5b0d3fc58649d8

SHA512
06f09dde15ae5077b19149f4ef682ece57cd8d83ab1ab1dc30b342b24f534e7926a6671d7268e365dcd9378529bf6f9af682798dd985a4f5522044c047e901a0

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
764B

MD5
8456d990c84b5638c6ba6753dd31b114

SHA1
63c7d3d35294c74b8340d8e6b077b4b95c68e06e

SHA256
16f408b7d9474efb9893f7a090f51e72ea679ae0cd3e16a8701685f357bec4d2

SHA512
ce30e2af40d3c05fe5b2c17e9ddbdd29231229fdb50b1ce290590c8cf91867800f8c84468c4f9e133d8b766b6c5aa56bac1deac17577bbc7719a0c209f29f40f

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
1KB

MD5
9ca430ff9d23c91111e7f982880bb1b5

SHA1
d19b69dfcf697895275aadc5c4d43cf77c5f2de9

SHA256
9297e408b04114294f766ca92924527538621948c094adbdc70255af3ef92634

SHA512
01df1ae217f1ed261984cd09bb864874b2a945886bc3e565477c5769710e80fd307f28247edc119167992cc7d4d8c1e1a926eb9ac029e5d27ba9169474465dcb

Download Submit
\??\c:\Windows\Temp\4f2gawsp\4f2gawsp.0.cs

Filesize
884B

MD5
eafbb318108fc62a15b458ebba405940

SHA1
0c5f45d0cab61ef4fa12f13f020ca45cba04863a

SHA256
45ee3dd57aa47fcf92c09a44276de5ef1688bb0563e09206d8e882528e6de9d2

SHA512
bac80550d7fedc768522907ba72f2802ac2fead886015356a417533f9fc0e2a767b992c58010e67160b4ee071971c7cc6a5337ffb948cf685dca0811ccaa52f8

Download Submit
\??\c:\Windows\Temp\4f2gawsp\4f2gawsp.cmdline

Filesize
333B

MD5
694bf9e16642666ad0268a832e72bd16

SHA1
9d205d7d3022aae3269562d30f83b12bbc5ace2a

SHA256
b084d7878863e305a370a95463d27166f3460e0475dcc741c20a41056697203c

SHA512
ad93d027fabbe076d7f27807e07910fce5ebd8d4197b13507cd6d604fb5624158cf35b2614b377a8b6deb2e61e4331f19ffac77db227580c67b2e46d50be7074

Download Submit
\??\c:\Windows\Temp\4f2gawsp\CSC757C551370C54951B735BE1CF4D3E4E6.TMP

Filesize
652B

MD5
0e5769851683ed9b0d96ffa6339e4db0

SHA1
e2eba6419143a2b0579bbf0ff5ae28acc8a07a6c

SHA256
f76fbfcc5406451bc3ccb8d93547aaa747418d26953b739844e9b5d77061afa9

SHA512
d778a786b8f90d91e180b6a2ae8263b70e58af0152140ee57fdd0ae27608bcc76e9250baf04a3b87f6222270cc6bcc6f2bca2a274783ea3b7743ebae383d66c8

Download Submit
memory/4796-50-0x00000251E4C50000-0x00000251E4C58000-memory.dmp

Filesize
32KB

Download
memory/4872-0-0x00007FF8AD153000-0x00007FF8AD155000-memory.dmp

Filesize
8KB

Download
memory/4872-15-0x00007FF8AD150000-0x00007FF8ADC11000-memory.dmp

Filesize
10.8MB

Download
memory/4872-12-0x00007FF8AD150000-0x00007FF8ADC11000-memory.dmp

Filesize
10.8MB

Download
memory/4872-11-0x00007FF8AD150000-0x00007FF8ADC11000-memory.dmp

Filesize
10.8MB

Download
memory/4872-10-0x000002304EFC0000-0x000002304EFE2000-memory.dmp

Filesize
136KB

Download