File name:

Microsoft-Activation-Scripts-master.zip

Full analysis: https://app.any.run/tasks/fba62328-6d0c-419d-b6e8-6ccbf9ac14f5
Verdict: Malicious activity
Analysis date: March 13, 2024, 21:41:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

D7A74FB92A9A40D597459E86FFA12F11

SHA1:

6009E6E50EECE5B58D72976DED182E07CE221640

SHA256:

7863586F017D773B133E4CCE9814B0C8249CC629FB7265BA7C8408FA7D70A61A

SSDEEP:

12288:+afOzLaRAs/u6nHcGDeXbJpFVcZiF4zYxCklr:+kOzLaRAsW6nHcGDeXbJpFVcwF4zmlr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 3248)
      • cmd.exe (PID: 2148)
  • SUSPICIOUS

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2624)
      • cmd.exe (PID: 2148)
    • Application launched itself

      • cmd.exe (PID: 2624)
      • cmd.exe (PID: 2148)
    • Executing commands from ".cmd" file

      • cmd.exe (PID: 2624)
      • powershell.exe (PID: 116)
      • cmd.exe (PID: 2148)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2624)
      • cmd.exe (PID: 2148)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2624)
      • cmd.exe (PID: 2148)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2624)
      • powershell.exe (PID: 116)
      • cmd.exe (PID: 2148)
    • Reads the Internet Settings

      • powershell.exe (PID: 116)
      • WMIC.exe (PID: 3056)
      • WMIC.exe (PID: 3940)
      • WMIC.exe (PID: 552)
      • WMIC.exe (PID: 4064)
      • WMIC.exe (PID: 2584)
      • WMIC.exe (PID: 2068)
      • WMIC.exe (PID: 1264)
      • WMIC.exe (PID: 2024)
      • WMIC.exe (PID: 3564)
      • WMIC.exe (PID: 3312)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 2148)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2148)
    • Starts NET.EXE to map network drives

      • cmd.exe (PID: 2148)
    • Hides command output

      • cmd.exe (PID: 2128)
      • cmd.exe (PID: 3976)
      • cmd.exe (PID: 316)
      • cmd.exe (PID: 448)
      • cmd.exe (PID: 2992)
      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 2588)
      • cmd.exe (PID: 2672)
      • cmd.exe (PID: 2744)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 2308)
      • cmd.exe (PID: 896)
    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 1928)
  • INFO

    • Checks operating system version

      • cmd.exe (PID: 2624)
      • cmd.exe (PID: 2148)
    • Manual execution by a user

      • cmd.exe (PID: 2624)
    • Checks supported languages

      • mode.com (PID: 1652)
      • mode.com (PID: 3048)
      • mode.com (PID: 2652)
      • mode.com (PID: 2772)
      • mode.com (PID: 3504)
      • mode.com (PID: 1348)
    • Reads Microsoft Office registry keys

      • reg.exe (PID: 840)
      • reg.exe (PID: 1892)
      • reg.exe (PID: 1484)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:03:13 04:22:44
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Microsoft-Activation-Scripts-master/
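The EXIF block above is what a metadata tool prints for the archive's first local file header. As an added example, not part of the ANY.RUN report or of the MAS project, the Python below decodes those same fields from the raw bytes (version needed to extract, general-purpose bit flag, compression method, MS-DOS date and time, CRC-32, sizes, file name) and shows why the report says "at least v1.0 to extract" and "compression method=store". The archive it parses is constructed in memory with a single stored directory entry mirroring the report's name and timestamp; it is not the sample itself, and the `extract_version = 10` override exists only to reproduce the report's value, since Python's zipfile writes 20 by default.

```python
"""Decode a ZIP local file header by hand (added example, not from the report).

The archive is a constructed stand-in with one stored directory entry named
like the sample's first entry; parse_local_header() reads the 30-byte fixed
header that tools summarise as ZipRequiredVersion/ZipCompression/ZipModifyDate.
"""
import io
import struct
import zipfile
from datetime import datetime

LOCAL_HEADER_SIG = 0x04034B50          # little-endian "PK\x03\x04"
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"      # 30 fixed bytes, then name and extra field
COMPRESSION_NAMES = {0: "None (store)", 8: "Deflate", 12: "BZIP2", 14: "LZMA",
                     93: "Zstandard", 99: "AES-encrypted"}
FLAG_ENCRYPTED, FLAG_DATA_DESCRIPTOR, FLAG_UTF8 = 0x0001, 0x0008, 0x0800


def dos_datetime(dosdate, dostime):
    """MS-DOS packed date/time: 7-bit year since 1980, 4-bit month, 5-bit day;
    5-bit hour, 6-bit minute, 5-bit count of two-second units."""
    return datetime(1980 + (dosdate >> 9), (dosdate >> 5) & 0x0F, dosdate & 0x1F,
                    dostime >> 11, (dostime >> 5) & 0x3F, (dostime & 0x1F) * 2)


def parse_local_header(data, offset=0):
    """Decode the local file header at `offset` and return its fields as a dict."""
    (sig, version, flags, method, mtime, mdate,
     crc, csize, usize, name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, offset)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError(f"no local file header at offset {offset:#x}")
    raw_name = data[offset + 30: offset + 30 + name_len]
    # Names are CP437 unless general-purpose bit 11 declares UTF-8.
    name = raw_name.decode("utf-8" if flags & FLAG_UTF8 else "cp437")
    return {
        "required_version": f"v{version // 10}.{version % 10}",  # 10 -> v1.0, 20 -> v2.0
        "version_raw": version,
        "flags": flags,
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "has_data_descriptor": bool(flags & FLAG_DATA_DESCRIPTOR),  # CRC/sizes follow the data
        "compression": COMPRESSION_NAMES.get(method, f"method {method}"),
        "modify_date": dos_datetime(mdate, mtime),
        "crc": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "filename": name,
        "is_directory": name.endswith("/"),
        "data_offset": offset + 30 + name_len + extra_len,
    }


def build_sample_archive():
    """Constructed stand-in: one stored, empty directory entry carrying the
    report's entry name and timestamp. extract_version is forced to 10 (v1.0)
    because Python's zipfile defaults to 20; this is an assumption for the demo."""
    info = zipfile.ZipInfo("Microsoft-Activation-Scripts-master/",
                           date_time=(2024, 3, 13, 4, 22, 44))
    info.extract_version = 10
    info.external_attr = 0x10          # MS-DOS directory attribute
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(info, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in parse_local_header(build_sample_archive()).items():
        print(f"{key:20s} {value}")
```

Run with no arguments to print the decoded header. Only the first local header is read; on a real archive walk the central directory as well (the authoritative index, which the EXIF block does not show), because a crafted archive can carry different names or sizes in the local header and in the central directory.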
All screenshots are available in the full report
Total processes
229
Monitored processes
185
Malicious processes
3
Suspicious processes
0

Behavior graph

The interactive graph is not reproduced here. Process images in the chain, in order of first appearance: winrar.exe, cmd.exe, sc.exe, find.exe, findstr.exe, fltmc.exe, powershell.exe, reg.exe, ping.exe, mode.com, choice.exe, wmic.exe, net.exe, net1.exe. Every node is marked "no specs" (no process-specific indicators) except a single cmd.exe node, the one carrying the indicators listed above.

Process information

This excerpt lists 10 of the 185 monitored processes. Some PIDs recur with different images (116 for two powershell.exe command lines, 120 for sc.exe and reg.exe, 548 for powershell.exe and net1.exe); Windows reuses a PID once the earlier process has exited.

PID: 116
CMD: powershell.exe "start cmd.exe -arg '/c \""""C:\Users\admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_9AE8AFBA.cmd""" -el \"' -verb runas"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 116
CMD: powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 120
CMD: sc query Null
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 120
CMD: reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 316
CMD: C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 448
CMD: C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 548
CMD: powershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 548
CMD: C:\Windows\system32\net1 stop sppsvc /y
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
PID: 552
CMD: wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' ) get Name /value
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 668
CMD: powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to Go back..."'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
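The indicators in this report (net stopping sppsvc, reg.exe deleting a value under OfficeSoftwareProtectionPlatform, WMIC queries of SoftwareLicensingProduct, powershell relaunching cmd.exe with -verb runas) are individually common in administrative scripts; what makes the sample recognisable is their combination. The Python below is an added example, not part of the ANY.RUN report or of the MAS project: a small rule set run over process-creation records constructed from the command lines in the Process information section above, plus two benign lines from the same section as controls. The record layout (dictionaries with pid, image, parent, cmdline) and the rule names are assumptions made for the example, not a Sysmon or ANY.RUN schema and not ATT&CK identifiers.

```python
"""Activation-tampering chain detector (added example, not from the report).

Scans process-creation records for the behaviours the sandbox flagged and
escalates only when the Software Protection service stop co-occurs with a
touch on the licensing store. Sample records are constructed from the
report's command lines; the record keys are an assumed layout.
"""
import re
from collections import defaultdict

# One regex per behaviour, matched against the full command line.
RULES = {
    "sppsvc_stop": re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+sppsvc\b", re.I),
    "kms_reg_delete": re.compile(
        r"\breg(?:\.exe)?\s+delete\b.*OfficeSoftwareProtectionPlatform", re.I),
    "wmic_licensing_query": re.compile(
        r"\bwmic(?:\.exe)?\s+path\s+SoftwareLicensingProduct\b", re.I),
    "elevated_relaunch": re.compile(
        r"\bpowershell(?:\.exe)?\b.*\bstart\s+cmd(?:\.exe)?\b.*-verb\s+runas", re.I),
    "office_installroot_probe": re.compile(
        r"\breg(?:\.exe)?\s+query\s+HKLM\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Office\\[\d.]+\\Common\\InstallRoot",
        re.I),
}

# Constructed from the report's Process information section; not a log export.
SAMPLE_RECORDS = [
    {"pid": 116, "image": "powershell.exe", "parent": "cmd.exe",
     "cmdline": r'''powershell.exe "start cmd.exe -arg '/c \""""C:\Users\admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_9AE8AFBA.cmd""" -el \"' -verb runas"'''},
    {"pid": 120, "image": "sc.exe", "parent": "cmd.exe", "cmdline": "sc query Null"},  # benign control
    {"pid": 120, "image": "reg.exe", "parent": "cmd.exe",
     "cmdline": r'reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName'},
    {"pid": 316, "image": "cmd.exe", "parent": "cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul'},
    {"pid": 548, "image": "net1.exe", "parent": "net.exe",
     "cmdline": r"C:\Windows\system32\net1 stop sppsvc /y"},
    {"pid": 552, "image": "WMIC.exe", "parent": "cmd.exe",
     "cmdline": "wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' ) get Name /value"},
    {"pid": 668, "image": "powershell.exe", "parent": "cmd.exe",  # benign control
     "cmdline": "powershell.exe write-host -back '\"Black\"' -fore '\"Yellow\"' '\"Press any key to Go back...\"'"},
]


def scan(records):
    """Return {rule_name: [pids]} for every record whose command line matches a rule."""
    hits = defaultdict(list)
    for rec in records:
        for name, pattern in RULES.items():
            if pattern.search(rec["cmdline"]):
                hits[name].append(rec["pid"])
    return dict(hits)


def verdict(hits):
    """Escalate only when the service stop co-occurs with a licensing-store touch;
    any other non-empty hit set is reported as suspicious, not as tampering."""
    if "sppsvc_stop" in hits and {"kms_reg_delete", "wmic_licensing_query"} & set(hits):
        return "activation-tampering"
    return "suspicious" if hits else "clean"


if __name__ == "__main__":
    found = scan(SAMPLE_RECORDS)
    for name, pids in found.items():
        print(f"{name:26s} PIDs {pids}")
    print("verdict:", verdict(found))
```

verdict() deliberately requires the service stop together with a licensing-store touch before escalating; a reg query of the Office InstallRoot or a single elevated relaunch on its own only returns "suspicious". To run it on real telemetry, map the CommandLine and ParentImage fields of Sysmon process-creation events (Event ID 1) onto the record keys; the sc query and write-host lines are included so the rules can be checked against benign output from the same script.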
Total events
23 680
Read events
23 637
Write events
25
Delete events
18

Modification events

PID (Process) | Operation | Key | Name = Value
PID 2472 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP = (empty)
PID 2472 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon = (empty)
PID 2472 (WinRAR.exe) | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList = en-US
PID 2472 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 = C:\Users\admin\Desktop\phacker.zip
PID 2472 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
PID 2472 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 = C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
PID 2472 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 = C:\Users\admin\AppData\Local\Temp\Microsoft-Activation-Scripts-master.zip
PID 2472 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name = 120
PID 2472 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size = 80
PID 2472 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type = 120

All ten recorded writes are WinRAR's own UI state. ArcHistory\0 is the path the sample was opened from (%TEMP%); entries 1 to 3 are archives WinRAR had opened earlier on the sandbox image and do not appear among this sample's dropped files.
Executable files
0
Suspicious files
18
Text files
18
Unknown types
0

Dropped files

PID (Process) | Filename | Type

PID 2472 (WinRAR.exe) | C:\Users\admin\Desktop\Microsoft-Activation-Scripts-master\LICENSE | text
MD5: 5B4473596678D62D9D83096273422C8C
SHA256: E57F1C320B8CF8798A7D2FF83A6F9E06A33A03585F6E065FEA97F1D86DB84052

PID 2472 (WinRAR.exe) | C:\Users\admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Activators\Ohook_Activation_AIO.cmd | text
MD5: 1A3C0E9C8C391AD8F90E840061FC4469
SHA256: D80C8290736C16734FAA5956FAA2553C28BEAEFAF033B48AE54D9A5844F2BCB2

PID 2472 (WinRAR.exe) | C:\Users\admin\Desktop\Microsoft-Activation-Scripts-master\MAS\All-In-One-Version\MAS_AIO-CRC32_9AE8AFBA.cmd | text
MD5: 8D6EAD8D6F2A0DBC7C139EEC0711BBF6
SHA256: F8318F5FFD88335576A6B39F4BC6C1C7DFCFBC47FB91552D7EE293D5B4C926E5

PID 2472 (WinRAR.exe) | C:\Users\admin\Desktop\Microsoft-Activation-Scripts-master\README.md | html
MD5: FEA86B7C29E75AFDA5D30B58EC364702
SHA256: FB6D7CEE48FCB34831740F38D570A9CEB3E29F8C744A1F79F9DC1DD38F88AB2F

PID 116 (powershell.exe) | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF

PID 2472 (WinRAR.exe) | C:\Users\admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Activators\Online_KMS_Activation.cmd | text
MD5: 0E4A3CB70D3E84F7C4B03755AF3F5489
SHA256: 92FBC958D109285C35E805770ABD29ECBF9FD5B32B61403071BF73037039FFB5

PID 2472 (WinRAR.exe) | C:\Users\admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Check-Activation-Status-wmi.cmd | text
MD5: FC7DFD4ABBD167E7303301FA7F593CC2
SHA256: DE2A3F3016732D6C46CEFA13BA70889EDEDA8FAE3A244DD1C507F1B80D4579F3

PID 2472 (WinRAR.exe) | C:\Users\admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Check-Activation-Status-vbs.cmd | text
MD5: 97B92ADBE161D5A5731719E18585CFF0
SHA256: 839B7EEFB255A5B53EFBA8980193854B4ABFB472939DDEC0EB248428F08B6C57

PID 116 (powershell.exe) | C:\Users\admin\AppData\Local\Temp\y41kjtec.50z.ps1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
(The SHA256 is not given in the report. The MD5 is the MD5 of the one-character string "1", so this temporary script contained only that single byte.)

PID 2472 (WinRAR.exe) | C:\Users\admin\Desktop\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Extract_OEM_Folder.cmd | text
MD5: 37A2205CAF8DC4386761BDFC150997C6
SHA256: 2013EDA675C560A377753CE2AE69F2BDCDC13D17D1E1B484393FA548F8AC0C68

Only 10 of the 18 extracted text files are itemised here; the rest are in the full report.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

No HTTP requests

Connections

PID (Process) | Destination | Reputation
PID 4 (System) | 192.168.100.255:138 (NetBIOS datagram service, subnet broadcast) | whitelisted
PID 4 (System) | 192.168.100.255:137 (NetBIOS name service, subnet broadcast) | whitelisted
PID 1080 (svchost.exe) | 224.0.0.252:5355 (LLMNR multicast) | unknown

The Domain, ASN and CN columns are empty for all three rows. None of these connections belongs to the script's process chain; they are the guest's own local name-resolution broadcast and multicast traffic. The fourth connection counted above is not itemised in this excerpt.

DNS requests

Domain | IP | Reputation
updatecheck.massgrave.dev | 127.69.2.5 | unknown
kms.zhuxiaole.org | 202.5.28.218 | unknown
xincheng213618.cn | 124.223.166.218 | unknown

127.69.2.5 lies in the loopback range 127.0.0.0/8, so the answer for updatecheck.massgrave.dev is not a reachable host; the lookup itself is the observable, and the name indicates an update check. The other two lookups are consistent with the Online_KMS_Activation.cmd component extracted from the archive; the report records no HTTP request and no TCP connection to any of the three names.

Threats

No threats detected
No debug info