URL:	https://dev.azure.com/massgrave/Microsoft-Activation-Scripts/_apis/git/repositories/Microsoft-Activation-Scripts/items?path=/MAS/All-In-One-Version-KL/MAS_AIO.cmd&download=true
Full analysis:	https://app.any.run/tasks/ed026d7b-c8c8-46c2-8b19-8407a43a10a5
Verdict:	Malicious activity
Analysis date:	April 29, 2026, 21:04:32
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	powershell anti-evasion
Indicators:
MD5:	4B9E9D16AF12FC9B9185FFA3B491CE23
SHA1:	1B9B2050425F559A0F5C35712371D1371EE61462
SHA256:	05F593221E3AC774F6D9DB8F1DF05F794C33DF2CD50E44AE0DDA7FEBFCAD65A4
SSDEEP:	3:N8Ykf+MgXuukGR3RLLLGXUMCoKL2ZZukGR3RLLLGXUlnXstIqLAOAh9wldKZRl:2Ykf+lXuukGv/LGXUM9KC7ukGv/LGXUT


(PID) Process:	(2852) powershell.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2852) powershell.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2852) powershell.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2852) powershell.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

PID	Process	Filename		Type
3816	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\ClientCertificates\LOG.old~RF14979b.TMP		—
		MD5:—	SHA256:—
3816	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
3816	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\parcel_tracking_db\LOG.old~RF1497ba.TMP		—
		MD5:—	SHA256:—
3816	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\discounts_db\LOG.old~RF1497ba.TMP		—
		MD5:—	SHA256:—
3816	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\LOG.old~RF1497ba.TMP		—
		MD5:—	SHA256:—
3816	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\discounts_db\LOG.old		—
		MD5:—	SHA256:—
3816	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
3816	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\LOG.old		—
		MD5:—	SHA256:—
3816	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\commerce_subscription_db\LOG.old~RF1497ba.TMP		—
		MD5:—	SHA256:—
3816	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7048	msedge.exe	GET	200	150.171.109.193:443	https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=VN	US	—	—	whitelisted
7048	msedge.exe	GET	304	150.171.27.11:443	https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist	US	—	—	whitelisted
3248	svchost.exe	GET	200	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e4c6dcb54f4bde95	US	compressed	73.5 Kb	unknown
7048	msedge.exe	GET	200	150.171.27.11:80	http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:h8NMJc5gS0fdTdEFkuXPG4srOzSfET7qdaVfzAOjeCU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	94 b	whitelisted
1936	firefox.exe	POST	200	23.11.40.157:80	http://ocsp.digicert.com/	NL	binary	471 b	whitelisted
3536	svchost.exe	HEAD	200	104.102.63.189:443	https://fs.microsoft.com/fs/windows/config.json	US	—	—	whitelisted
7048	msedge.exe	GET	200	104.18.22.222:443	https://copilot.microsoft.com/c/api/user/eligibility	US	text	25 b	whitelisted
7048	msedge.exe	GET	200	52.123.243.211:443	https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=-307948261743016929&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.22000&wu=1&devicefamily=desktop&uma=0&sessionid=78&mngd=0&installdate=1645822881&edu=0&soobedate=1645822879&bphint=2&fg=1&lbfgdate=1759429959&lafgdate=0	US	text	4.15 Kb	whitelisted
7048	msedge.exe	GET	200	150.171.73.16:443	https://dev.azure.com/massgrave/Microsoft-Activation-Scripts/_apis/git/repositories/Microsoft-Activation-Scripts/items?path=/MAS/All-In-One-Version-KL/MAS_AIO.cmd&download=true	US	text	743 Kb	malicious
7048	msedge.exe	GET	200	150.171.27.11:443	https://edge.microsoft.com/entityextractiontemplates/api/v1/assets/find-assets?name=domains_config_gz&version=3..&channel=stable&key=d414dd4f9db345fa8003e32adc81b362	US	text	267 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2160	OfficeC2RClient.exe	52.110.17.70:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	52.110.17.70:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3336	SDXHelper.exe	52.110.17.70:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4756	SDXHelper.exe	52.110.17.70:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	34.120.208.123:443	incoming.telemetry.mozilla.org	GOOGLE-CLOUD-PLATFORM	US	whitelisted
5424	pingsender.exe	34.120.208.123:443	incoming.telemetry.mozilla.org	GOOGLE-CLOUD-PLATFORM	US	whitelisted
1936	firefox.exe	34.120.208.123:443	incoming.telemetry.mozilla.org	GOOGLE-CLOUD-PLATFORM	US	whitelisted
1936	firefox.exe	23.11.40.157:80	ocsp.digicert.com	AKAMAI-AMS	NL	whitelisted
5212	rundll32.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1380	svchost.exe	2.18.64.200:80	—	AKAMAI-ASN1	NL	whitelisted

Domain	IP	Reputation
officeclient.microsoft.com	52.110.17.70 52.110.17.38 52.110.17.15 52.110.17.61	whitelisted
incoming.telemetry.mozilla.org	34.120.208.123	whitelisted
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	whitelisted
ocsp.digicert.com	23.11.40.157	whitelisted
eip-terr-eu.cdp1.digicert.com.akahost.net	23.11.40.157 2600:14e1:20:6d::	whitelisted
google.com	142.250.154.102 142.250.154.100 142.250.154.101 142.250.154.139 142.250.154.138 142.250.154.113	whitelisted
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted
api.edgeoffer.microsoft.com	150.171.109.193	whitelisted
dev.azure.com	150.171.73.16 150.171.74.16	whitelisted
config.edge.skype.com	52.123.243.211 52.123.243.93 52.123.243.206	whitelisted

PID	Process	Class	Message
7048	msedge.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Get-WmiObject Cmdlet has been detected
7048	msedge.exe	A Network Trojan was detected	ET ATTACK_RESPONSE PowerShell Internet Connectivity Check via Network GUID Inbound
7048	msedge.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Windows OS Version extraction by PS.Script has been detected
7048	msedge.exe	Potentially Bad Traffic	ET HUNTING schtasks delete Command in HTTP Body Response
7048	msedge.exe	Potentially Bad Traffic	ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers
7048	msedge.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Windows security identifiers S-1-5-18 (NT AuthoritySystem) has been detected
7048	msedge.exe	Potentially Bad Traffic	ET ATTACK_RESPONSE PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2
7048	msedge.exe	Potentially Bad Traffic	ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M2
7048	msedge.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Check Security.Principal.WindowsBuiltInRole has been detected
7048	msedge.exe	Misc activity	SUSPICIOUS [ANY.RUN] The Principal.WindowsIdentity in PS.Script has been detected

General Info

https://dev.azure.com/massgrave/Microsoft-Activation-Scripts/_apis/git/repositories/Microsoft-Activation-Scripts/items?path=/MAS/All-In-One-Version-KL/MAS_AIO.cmd&download=true

4B9E9D16AF12FC9B9185FFA3B491CE23

1B9B2050425F559A0F5C35712371D1371EE61462

05F593221E3AC774F6D9DB8F1DF05F794C33DF2CD50E44AE0DDA7FEBFCAD65A4

3:N8Ykf+MgXuukGR3RLLLGXUMCoKL2ZZukGR3RLLLGXUlnXstIqLAOAh9wldKZRl:2Ykf+lXuukGv/LGXUM9KC7ukGv/LGXUT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Usage of PowerShell observed

Starts CMD.EXE for commands execution

SUSPICIOUS

Usage of PowerShell observed

Starts CMD.EXE with AutoRun commands disabled

Starts CMD.EXE for commands execution

Starts CMD.EXE with special quote handling

Application launched itself

Executing commands from ".cmd" file

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Executes script without checking the security policy

Windows service management via SC.EXE

Reads the Internet Settings

Hides command output

Probably obfuscated PowerShell command line is found

Converts TXT file into a string

Gets content of a file (POWERSHELL)

Uses base64 encoding (POWERSHELL)

Uses sleep to delay execution (POWERSHELL)

Queries Computer System Information (Win32_ComputerSystem) (SCRIPT)

Uses REG/REGEDIT.EXE to modify or delete registry entries

INFO

Application launched itself

Checks supported languages

Reads the computer name

Reads Environment values

Checks operating system version

Search a value from a registry key

Launching a file from the Downloads directory

Creates a byte array (POWERSHELL)

Converts byte array into ASCII string (POWERSHELL)

Checks whether the specified file exists (POWERSHELL)

Starts MODE.COM to configure console settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections