File name:

WindowsAddict-microsoft-activation-scripts-eb9de73d37a4.zip

Full analysis: https://app.any.run/tasks/a1590b34-97fb-4391-a06f-2c1bd32fa3a4
Verdict: Malicious activity
Analysis date: January 25, 2024, 16:49:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

436359519F321EDF8AD0CF252D7FD86C

SHA1:

80487DD1E4543DEA96210A46F7EE0FEFEC64E5FD

SHA256:

865D954ECEE1F5D9BF0DB057F381FDF2C49A3CCB0A8F3E9012675B0F49332CDE

SSDEEP:

12288:haJWw4HIyb2/0kK9WxDe4HzJpBj+ntLO4MYxJklA:hKWw4HIyb2/0kK9WxDe4HzJpBj+nti4/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 4004)
      • cmd.exe (PID: 2372)
      • net.exe (PID: 1696)

  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 2372)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2372)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2372)
      • cmd.exe (PID: 2480)
      • cmd.exe (PID: 2584)

    • Executing commands from ".cmd" file

      • cmd.exe (PID: 2372)

    • Reads the Internet Settings

      • WMIC.exe (PID: 3216)
      • WMIC.exe (PID: 3408)
      • WMIC.exe (PID: 1288)
      • WMIC.exe (PID: 1632)
      • WMIC.exe (PID: 1216)
      • WMIC.exe (PID: 3468)
      • WMIC.exe (PID: 2240)
      • WMIC.exe (PID: 3792)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2372)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 2372)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2372)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 2372)
      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 2480)
      • cmd.exe (PID: 2024)
      • cmd.exe (PID: 2584)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 2372)

    • Checks supported languages

      • mode.com (PID: 3688)
      • mode.com (PID: 3828)
      • mode.com (PID: 2768)
      • mode.com (PID: 2028)

    • Checks operating system version

      • cmd.exe (PID: 2372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:01:01 03:59:42
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: WindowsAddict-microsoft-activation-scripts-eb9de73d37a4/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
76
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs cmd.exe sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs fltmc.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs ping.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs mode.com no specs findstr.exe no specs findstr.exe no specs choice.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs mode.com no specs findstr.exe no specs findstr.exe no specs choice.exe no specs mode.com no specs powershell.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs sc.exe no specs net.exe no specs net1.exe no specs findstr.exe no specs wmic.exe no specs net1.exe no specs net.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs mode.com no specs findstr.exe no specs findstr.exe no specs choice.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120sc query osppsvc C:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
848findstr /i VOLUME_KMSCLIENT C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
884sc query Null C:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
984"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1028C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.devC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1112findstr /a:0A /f:`.txt "."C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1216wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /valueC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1288wmic path OfficeSoftwareProtectionProduct where (ApplicationID='59a52881-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value C:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1492C:\Windows\system32\net1 start osppsvc /y C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
1496findstr /i TIMEBASED_ C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
Total events
4 037
Read events
4 027
Write events
10
Delete events
0

Modification events

(PID) Process:(984) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
0
Suspicious files
8
Text files
17
Unknown types
0

Dropped files

PID
Process
Filename
Type
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\.gitattributestext
MD5:87EB06393A7628EA5CE171C620ECB45E
SHA256:0AD46C92E5970CD411D921177BCBE77FB73A14901EE619312D6445E03E74C47F
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\All-In-One-Version\MAS_AIO.cmdtext
MD5:721E3F8CACEDDB2BCB8CD85FA400F61A
SHA256:2AED5BB373191CB92B3284BE3DE8B2EE6DD746FF71ACC8AE10968CB6A514C95F
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Activators\KMS38_Activation.cmdtext
MD5:BEF5B180D317FB7713C5B4BA9BF00BBB
SHA256:9C9B7D7ABA4CE7B0D5B30CF278DB1A1DEBD76857A6C37982D25C61BB82CF0B1D
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Activators\Online_KMS_Activation.cmdtext
MD5:38B73CE97282C793F581F52A2C26D4E0
SHA256:ED4D9F0525C57A352E0A4F1719579D979BFCBE3D143074F3CDD46AFBC61CDB46
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\LICENSEtext
MD5:5B4473596678D62D9D83096273422C8C
SHA256:E57F1C320B8CF8798A7D2FF83A6F9E06A33A03585F6E065FEA97F1D86DB84052
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Activators\Ohook_Activation_AIO.cmdtext
MD5:F4F7B936D380CBC609AEFB1CCC02CF25
SHA256:202BAF2D427D49E05ED0FE6586F9351DC59013CE3025D4D9DEE359AD78F5C495
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Activators\HWID_Activation.cmdtext
MD5:89847B9A44398D71A3886222959D23A8
SHA256:05F12B8F88BDF6ADF89154AFF767EBD417A7E042C0B7C4F8B98FA7841A0C179E
2372cmd.exeC:\Windows\Temp\`.txttext
MD5:C48DE30A6D93DE10929A00F17D725A24
SHA256:96BA30BF853B79CD26E5399DB76DEF0F6BE3C936FC1263232937FBC8A0C8C5B5
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Troubleshoot.cmdtext
MD5:454AA88549FA33A2663CC6A400099BF7
SHA256:B63700BB397A91AE2147D3B87F754D59A7BE4BD680B0697DE2BDC77213449D77
2372cmd.exeC:\Windows\Temp\'binary
MD5:5058F1AF8388633F609CADB75A75DC9D
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

Domain
IP
Reputation
updatecheck.massgrave.dev
  • 127.69.2.5
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WindowsAddict-microsoft-activation-scripts-eb9de73d37a4.zip