
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe (([WMISEARCHER]'SELECT ID FROM SoftwareLicensingProduct WHERE ApplicationID=''55c92734-d682-4d71-983e-d6ec3f16059f''').Get()).ID | % {echo ('ID

The above is as much of the command as the popup for anti-exploit shows me. I've confirmed it's a real popup and not one from my browser. It's happened a few times in the last week, though I didn't check the command very closely at the time (though I'll be on the watch for it now). I expect it's similar each time if not the same.

Something appears to be running in the background or triggered based on what I'm browsing maybe? I was browsing Reddit when this one came up.

The only enabled apps on startup are the anti-exploit app itself, iCue (for the Corsair keyboard), and SecurityHealthSystray.exe (Windows Defender).

I have many other types of applications open, but only stuff I'd usually have open. I can methodically close each and see if it doesn't come up, but that would take forever and have a lot of impact on my computer use. Is there any way to debug or discover what could be causing this outside of methodical shutdown and waiting?

2 Answers


It's possible to find the owner process of any window or dialog by using the free Process Explorer.

Once the window is displayed, open Process Explorer and drag the bullseye (crosshair) icon from its toolbar and drop it over the window. The owning process will automatically be selected in Process Explorer, so you can examine its properties and those of its parent(s).

Double-click the entry of the selected process to examine its properties.

harrymc

I finally thought to look in the Malwarebytes Anti-Exploit logs and I can see a series of these. Four attempts each, once a week at the same time, 12:00. They run similar commands looking for Windows or Office and "KMS Client" or whatever.

Realizing it might be a scheduled task, I checked the Task Scheduler and looked to see if anything had last run at that time, and found an Online_KMS_Activation_Script-Renewal - Weekly activation task. This is clearly the culprit and now I just need to figure out what it belongs to.

Bottom line, I should have checked the logs and then gone from there :)
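The "check the Task Scheduler for something that last ran at that time" step above can be scripted instead of clicked through. The following is an added example, not code from the question or either answer: it lists every scheduled task whose action launches a script host such as powershell.exe, together with its last and next run time and its trigger type, so a weekly 12:00 task can be matched against the anti-exploit log timestamps. It uses only the built-in ScheduledTasks cmdlets; the list of host executables to look for is a choice made here, not something from the page.

```powershell
# Added example: find scheduled tasks that launch a script host and show when they fired.
# Run from an elevated PowerShell prompt so tasks registered by other accounts are visible.
# $suspectHosts is an assumed list of interpreters worth checking; extend it as needed.
$suspectHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

$findings = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only "Exec" actions carry an Execute property; COM-handler actions are skipped.
        if (-not $action.Execute) { continue }

        # Normalise the path (may be quoted or use %SystemRoot%) down to the file name.
        $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"'))
        if ($suspectHosts -notcontains $exe) { continue }

        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskPath    = $task.TaskPath
            TaskName    = $task.TaskName
            State       = $task.State
            Author      = $task.Author
            Executable  = $action.Execute
            Arguments   = $action.Arguments
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
            LastResult  = $info.LastTaskResult
            # e.g. WeeklyTrigger, DailyTrigger, LogonTrigger
            Triggers    = ($task.Triggers | ForEach-Object {
                              $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
        }
    }
}

# Most recently fired task first; Format-List keeps long argument strings readable.
$findings | Sort-Object LastRunTime -Descending | Format-List

# Narrow to tasks whose command line references the licensing query seen in the popup.
$findings | Where-Object { $_.Arguments -match 'SoftwareLicensingProduct|KMS' }
```

Compare the LastRunTime column with the timestamps in the Anti-Exploit log; a task whose Author, TaskPath or Arguments you do not recognise is the one to investigate (Unregister-ScheduledTask removes it once you are sure what it belongs to).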