File name:

WindowsAddict-microsoft-activation-scripts-eb9de73d37a4.zip

Full analysis: https://app.any.run/tasks/a1590b34-97fb-4391-a06f-2c1bd32fa3a4
Verdict: Malicious activity
Analysis date: January 25, 2024, 16:49:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

436359519F321EDF8AD0CF252D7FD86C

SHA1:

80487DD1E4543DEA96210A46F7EE0FEFEC64E5FD

SHA256:

865D954ECEE1F5D9BF0DB057F381FDF2C49A3CCB0A8F3E9012675B0F49332CDE

SSDEEP:

12288:haJWw4HIyb2/0kK9WxDe4HzJpBj+ntLO4MYxJklA:hKWw4HIyb2/0kK9WxDe4HzJpBj+nti4/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 4004)
      • cmd.exe (PID: 2372)
      • net.exe (PID: 1696)

  • SUSPICIOUS

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2372)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2372)
      • cmd.exe (PID: 2480)
      • cmd.exe (PID: 2584)

    • Application launched itself

      • cmd.exe (PID: 2372)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2372)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2372)

    • Executing commands from ".cmd" file

      • cmd.exe (PID: 2372)

    • Reads the Internet Settings

      • WMIC.exe (PID: 3408)
      • WMIC.exe (PID: 3216)
      • WMIC.exe (PID: 1288)
      • WMIC.exe (PID: 1632)
      • WMIC.exe (PID: 1216)
      • WMIC.exe (PID: 2240)
      • WMIC.exe (PID: 3792)
      • WMIC.exe (PID: 3468)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 2372)
      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 2024)
      • cmd.exe (PID: 2480)
      • cmd.exe (PID: 2584)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 2372)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 2372)

    • Checks operating system version

      • cmd.exe (PID: 2372)

    • Checks supported languages

      • mode.com (PID: 2768)
      • mode.com (PID: 3828)
      • mode.com (PID: 3688)
      • mode.com (PID: 2028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:01:01 03:59:42
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: WindowsAddict-microsoft-activation-scripts-eb9de73d37a4/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
76
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs cmd.exe sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs fltmc.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs ping.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs mode.com no specs findstr.exe no specs findstr.exe no specs choice.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs mode.com no specs findstr.exe no specs findstr.exe no specs choice.exe no specs mode.com no specs powershell.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs sc.exe no specs net.exe no specs net1.exe no specs findstr.exe no specs wmic.exe no specs net1.exe no specs net.exe no specs wmic.exe no specs findstr.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs mode.com no specs findstr.exe no specs findstr.exe no specs choice.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120sc query osppsvc C:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
848findstr /i VOLUME_KMSCLIENT C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
884sc query Null C:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
984"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1028C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.devC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1112findstr /a:0A /f:`.txt "."C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1216wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /valueC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1288wmic path OfficeSoftwareProtectionProduct where (ApplicationID='59a52881-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value C:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1492C:\Windows\system32\net1 start osppsvc /y C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
1496findstr /i TIMEBASED_ C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
Total events
4 037
Read events
4 027
Write events
10
Delete events
0

Modification events

(PID) Process:(984) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(984) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
0
Suspicious files
8
Text files
17
Unknown types
0

Dropped files

PID
Process
Filename
Type
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Activators\KMS38_Activation.cmdtext
MD5:BEF5B180D317FB7713C5B4BA9BF00BBB
SHA256:9C9B7D7ABA4CE7B0D5B30CF278DB1A1DEBD76857A6C37982D25C61BB82CF0B1D
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Activators\HWID_Activation.cmdtext
MD5:89847B9A44398D71A3886222959D23A8
SHA256:05F12B8F88BDF6ADF89154AFF767EBD417A7E042C0B7C4F8B98FA7841A0C179E
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Activators\Ohook_Activation_AIO.cmdtext
MD5:F4F7B936D380CBC609AEFB1CCC02CF25
SHA256:202BAF2D427D49E05ED0FE6586F9351DC59013CE3025D4D9DEE359AD78F5C495
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\.gitattributestext
MD5:87EB06393A7628EA5CE171C620ECB45E
SHA256:0AD46C92E5970CD411D921177BCBE77FB73A14901EE619312D6445E03E74C47F
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Activators\Online_KMS_Activation.cmdtext
MD5:38B73CE97282C793F581F52A2C26D4E0
SHA256:ED4D9F0525C57A352E0A4F1719579D979BFCBE3D143074F3CDD46AFBC61CDB46
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Change_Edition.cmdtext
MD5:7EEEA421CC09379C0EF4CA6138C15101
SHA256:444DC6FD384498B5A56C2988C9F166700CB3A5B988918FCC791B54DC89BABA0D
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Check-Activation-Status-vbs.cmdtext
MD5:97B92ADBE161D5A5731719E18585CFF0
SHA256:839B7EEFB255A5B53EFBA8980193854B4ABFB472939DDEC0EB248428F08B6C57
2372cmd.exeC:\Windows\Temp\`.txttext
MD5:C48DE30A6D93DE10929A00F17D725A24
SHA256:96BA30BF853B79CD26E5399DB76DEF0F6BE3C936FC1263232937FBC8A0C8C5B5
984WinRAR.exeC:\Users\admin\Desktop\WindowsAddict-microsoft-activation-scripts-eb9de73d37a4\MAS\Separate-Files-Version\Activators\ReadMe.txttext
MD5:B7FA33165116723BC2F83676FD62CC69
SHA256:B0218B2723A32157A094EE3B852159B339EC3E01CE25AA05E19B28F55A0E9528
3584powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivedbf
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

Domain
IP
Reputation
updatecheck.massgrave.dev
  • 127.69.2.5
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WindowsAddict-microsoft-activation-scripts-eb9de73d37a4.zip