URL: https://github.com/massgravel/Microsoft-Activation-Scripts

Full analysis: https://app.any.run/tasks/b1dbceca-837a-4b5b-956e-db55740e94b1
Verdict: Malicious activity
Analysis date: December 01, 2024, 16:59:45
OS: Windows 10 Professional (build: 19045, 64 bit)

Indicators:
MD5:    AFD6FF84DA2D0BA12E52C775DF44B55B
SHA1:   01C9074D7E2703A728921432F53128804DA08B5E
SHA256: 9E176C48748F3D4D4303D5D603F477906CE34A381ACACC46ADB8DC346A2F00D9
SSDEEP: 3:N8tEd4PKoHXuukGR3RLLLGXUw:2uuPKzukGv/LGXUw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts SC.EXE for service management

      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 7492)
      • cmd.exe (PID: 8016)
    • Starts CMD.EXE for commands execution

      • pwsh.exe (PID: 5544)
      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 7392)
      • powershell.exe (PID: 7884)
      • cmd.exe (PID: 5240)
      • powershell.exe (PID: 7344)
      • cmd.exe (PID: 7492)
      • cmd.exe (PID: 7676)
      • cmd.exe (PID: 8016)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 8016)
      • cmd.exe (PID: 7492)
      • cmd.exe (PID: 7828)
    • Executing commands from ".cmd" file

      • pwsh.exe (PID: 5544)
      • cmd.exe (PID: 7392)
      • powershell.exe (PID: 7884)
      • cmd.exe (PID: 8016)
      • powershell.exe (PID: 7344)
      • cmd.exe (PID: 7492)
    • Application launched itself

      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 8016)
      • cmd.exe (PID: 5240)
      • cmd.exe (PID: 7492)
      • powershell.exe (PID: 5576)
      • cmd.exe (PID: 7676)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 7720)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 7828)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7720)
      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 8016)
      • cmd.exe (PID: 7828)
      • cmd.exe (PID: 7492)
      • powershell.exe (PID: 5576)
      • cmd.exe (PID: 7664)
      • cmd.exe (PID: 7756)
      • cmd.exe (PID: 7776)
      • cmd.exe (PID: 396)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 7228)
      • cmd.exe (PID: 3792)
      • cmd.exe (PID: 6988)
      • cmd.exe (PID: 4360)
      • cmd.exe (PID: 4872)
      • cmd.exe (PID: 936)
      • cmd.exe (PID: 7396)
      • cmd.exe (PID: 8140)
      • cmd.exe (PID: 5268)
      • cmd.exe (PID: 4576)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 7720)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 7828)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 6848)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 5576)
    • Hides command output

      • cmd.exe (PID: 6156)
      • cmd.exe (PID: 7796)
      • cmd.exe (PID: 7728)
      • cmd.exe (PID: 7920)
      • cmd.exe (PID: 8012)
    • The process hides Powershell's copyright startup banner

      • powershell.exe (PID: 5576)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6156)
      • cmd.exe (PID: 7920)
    • Executable content was dropped or overwritten

      • Dism.exe (PID: 7904)
      • Dism.exe (PID: 7808)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 4944)
      • DismHost.exe (PID: 6428)
    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 7492)
  • INFO

    • Reads the computer name

      • pwsh.exe (PID: 5544)
    • Application launched itself

      • chrome.exe (PID: 6292)
    • Manual execution by a user

      • pwsh.exe (PID: 5544)
    • Checks operating system version

      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 8016)
      • cmd.exe (PID: 7492)
    • Checks supported languages

      • pwsh.exe (PID: 5544)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7316)
      • mode.com (PID: 5748)
      • mode.com (PID: 7328)
      • mode.com (PID: 7288)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 7528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
Total processes: 404
Monitored processes: 263
Malicious processes: 6
Suspicious processes: 3

Behavior graph

(Interactive process graph; only the process images are recoverable here.) The graph lists, in order of first appearance: several chrome.exe instances, pwsh.exe, conhost.exe, cmd.exe, sc.exe, find.exe, findstr.exe, reg.exe, powershell.exe, fltmc.exe, ping.exe, mode.com, choice.exe, wmic.exe, dism.exe, dismhost.exe, tiworker.exe, and finally sppextcomobj.exe and slui.exe. The cmd.exe / find.exe and cmd.exe / powershell.exe pairs repeat many dozens of times; nearly all nodes are marked "no specs" in the graph.

Process information

(Columns in the report: PID, CMD, Path, Indicators, Parent process. The Indicators column is empty for every row shown; PIDs 188 and 768 each appear twice in the report.)

PID 188 chrome.exe (parent: chrome.exe)
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=1932,i,13899568886106625310,11182392149807670529,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity level: MEDIUM
  Description: Google Chrome
  Exit code: 0
  Version: 122.0.6261.70
  Loaded images:
    c:\program files\google\chrome\application\chrome.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\aclayers.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll

PID 188 cmd.exe (parent: cmd.exe)
  CMD: C:\WINDOWS\System32\cmd.exe /S /D /c" echo " ProfessionalEducation ProfessionalWorkstation Education ProfessionalCountrySpecific ProfessionalSingleLanguage ServerRdsh IoTEnterprise Enterprise " "
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll

PID 396 cmd.exe (parent: cmd.exe)
  CMD: C:\WINDOWS\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', 'Public, Static', 1, [int], @([String], [String], [String], [int], [IntPtr], [IntPtr], [IntPtr]), 1, 3); $r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; $f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); [Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); [void]$TypeBuilder.CreateType()::PidGenX('+', 'C:\WINDOWS\System32\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms', '00000', 0, 0, 0, $f); [Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); [Runtime.InteropServices.Marshal]::FreeHGlobal($f); [Text.Encoding]::Unicode.GetString($r, 1016, 128)"
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\bcrypt.dll

PID 440 cmd.exe (parent: cmd.exe)
  CMD: C:\WINDOWS\System32\cmd.exe /S /D /c" echo " ProfessionalEducation ProfessionalWorkstation Education ProfessionalCountrySpecific " "
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll

PID 540 cmd.exe (parent: cmd.exe)
  CMD: C:\WINDOWS\System32\cmd.exe /S /D /c" echo " ProfessionalEducation ProfessionalWorkstation Education ProfessionalCountrySpecific ProfessionalSingleLanguage ServerRdsh IoTEnterprise Enterprise " "
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll

PID 628 cmd.exe (parent: cmd.exe)
  CMD: C:\WINDOWS\System32\cmd.exe /S /D /c" echo "AMD64 " "
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll

PID 768 find.exe (parent: cmd.exe)
  CMD: find /i " ServerRdsh " 
  Path: C:\Windows\System32\find.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Find String (grep) Utility
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\find.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\ulib.dll
    c:\windows\system32\fsutilext.dll

PID 768 cmd.exe (parent: cmd.exe)
  CMD: C:\WINDOWS\System32\cmd.exe /S /D /c" echo Education "
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll

PID 936 cmd.exe (parent: cmd.exe)
  CMD: C:\WINDOWS\System32\cmd.exe /c powershell.exe "$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', 'Public, Static', 1, [int], @([String], [String], [String], [int], [IntPtr], [IntPtr], [IntPtr]), 1, 3); $r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; $f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); [Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); [void]$TypeBuilder.CreateType()::PidGenX('+', 'C:\WINDOWS\System32\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms', '00000', 0, 0, 0, $f); [Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); [Runtime.InteropServices.Marshal]::FreeHGlobal($f); [Text.Encoding]::Unicode.GetString($r, 1016, 128)"
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\bcrypt.dll

PID 1080 cmd.exe (parent: cmd.exe)
  CMD: C:\WINDOWS\System32\cmd.exe /S /D /c" echo " ProfessionalEducation ProfessionalWorkstation Education ProfessionalCountrySpecific ProfessionalSingleLanguage ServerRdsh IoTEnterprise Enterprise " "
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll
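The rows above are the raw material an analyst actually triages: the report's verdict hinges on process command lines, not on the hashes. The script below is an added example (not part of the ANY.RUN report and not code from the MAS project) that runs a handful of pattern-based signatures over process rows constructed from the command lines printed on this page, and additionally decodes what the captured PidGenX one-liner does with its buffer: it allocates 0x04F8 bytes, writes that size as a little-endian 16-bit length prefix into the first two bytes, calls PidGenX from pidgenx.dll through a dynamically emitted P/Invoke stub, and reads 128 bytes at offset 1016 back as UTF-16. The signature names, the scoring and the `ProcessRow` type are this example's own, not ANY.RUN's signature engine.

```python
"""Triage of sandbox process rows: signature matching plus a structural
check of the PidGenX buffer handling seen in the captured command line.
Added example; rows are constructed from the report, trimmed for length."""
import re
from dataclasses import dataclass


@dataclass
class ProcessRow:
    pid: int
    image: str
    parent: str
    cmdline: str


# Constructed from the report's "Process information" section.
ROWS = [
    ProcessRow(188, "cmd.exe", "cmd.exe",
               'C:\\WINDOWS\\System32\\cmd.exe /S /D /c" echo " ProfessionalEducation '
               'ProfessionalWorkstation Education " "'),
    ProcessRow(396, "cmd.exe", "cmd.exe",
               'C:\\WINDOWS\\System32\\cmd.exe /c powershell.exe "$AssemblyBuilder = '
               '[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); '
               '$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); '
               '$TypeBuilder = $ModuleBuilder.DefineType(0); '
               "[void]$TypeBuilder.DefinePInvokeMethod('PidGenX', 'pidgenx.dll', "
               "'Public, Static', 1, [int], @([String], [String], [String], [int], "
               "[IntPtr], [IntPtr], [IntPtr]), 1, 3); "
               '$r = [byte[]]::new(0x04F8); $r[0] = 0xF8; $r[1] = 0x04; '
               '$f = [Runtime.InteropServices.Marshal]::AllocHGlobal(0x04F8); '
               '[Runtime.InteropServices.Marshal]::Copy($r, 0, $f, 0x04F8); '
               "[void]$TypeBuilder.CreateType()::PidGenX('+', "
               "'C:\\WINDOWS\\System32\\spp\\tokens\\pkeyconfig\\pkeyconfig.xrm-ms', "
               "'00000', 0, 0, 0, $f); "
               '[Runtime.InteropServices.Marshal]::Copy($f, $r, 0, 0x04F8); '
               '[Runtime.InteropServices.Marshal]::FreeHGlobal($f); '
               '[Text.Encoding]::Unicode.GetString($r, 1016, 128)"'),
    ProcessRow(768, "find.exe", "cmd.exe", 'find /i " ServerRdsh " '),
]

# Signature name -> regex over the full command line (names are this example's own).
SIGNATURES = {
    "powershell_launch": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    "dynamic_pinvoke": re.compile(r"DefineDynamicAssembly|DefinePInvokeMethod", re.I),
    "pidgenx_call": re.compile(r"pidgenx\.dll", re.I),
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "profile_bypass": re.compile(r"-nop\b|-NoProfile\b", re.I),
    "service_control": re.compile(r"\bsc(\.exe)?\s+(query|config|start|stop|create|delete)\b", re.I),
    "wmic": re.compile(r"\bwmic(\.exe)?\b", re.I),
}


def match_signatures(row):
    """Sorted list of signature names whose regex hits the row's command line."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(row.cmdline))


def triage(rows):
    """Map pid -> matched signatures, omitting rows that match nothing."""
    result = {}
    for row in rows:
        hits = match_signatures(row)
        if hits:
            result[row.pid] = hits
    return result


# Pieces of the PidGenX one-liner we want to cross-check against each other.
_BUF = re.compile(r"\[byte\[\]\]::new\((0x[0-9A-Fa-f]+)\)")
_PREFIX = re.compile(r"\$r\[0\]\s*=\s*(0x[0-9A-Fa-f]+);\s*\$r\[1\]\s*=\s*(0x[0-9A-Fa-f]+)")
_OUT = re.compile(r"Unicode\.GetString\(\$r,\s*(\d+),\s*(\d+)\)")


def describe_pidgenx(cmdline):
    """Decode the buffer handling of a captured PidGenX one-liner, or None.

    Verifies that the two bytes written at $r[0]/$r[1] form the little-endian
    16-bit buffer size (the length-prefix convention the call relies on) and
    that the UTF-16 read at the end stays inside the allocation."""
    m_buf, m_pre, m_out = _BUF.search(cmdline), _PREFIX.search(cmdline), _OUT.search(cmdline)
    if not (m_buf and m_pre and m_out):
        return None
    size = int(m_buf.group(1), 16)
    prefix = int(m_pre.group(1), 16) | (int(m_pre.group(2), 16) << 8)
    offset, nbytes = int(m_out.group(1)), int(m_out.group(2))
    return {
        "buffer_size": size,
        "length_prefix": prefix,
        "prefix_matches_size": prefix == size,
        "output_offset": offset,
        "output_bytes": nbytes,
        "output_chars": nbytes // 2,          # UTF-16LE: two bytes per code unit
        "output_in_bounds": offset + nbytes <= size,
    }


if __name__ == "__main__":
    for pid, hits in triage(ROWS).items():
        print(pid, hits)
    print(describe_pidgenx(ROWS[1].cmdline))
```

Only PID 396 matches here, on three signatures (PowerShell launch, dynamic P/Invoke emission, pidgenx.dll); the `echo` and `find` rows are noise from the edition-detection loop and match nothing, which is the right outcome given they are also listed under INFO rather than SUSPICIOUS in the report. `describe_pidgenx` confirms that 0xF8 0x04 is exactly 0x04F8 little-endian and that offset 1016 + 128 bytes (64 UTF-16 characters) lies within the 1272-byte buffer, so the one-liner is internally consistent rather than a corrupted capture.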
Total events: 118 292
Read events: 118 264
Write events: 22
Delete events: 6

Modification events

PID 6292 chrome.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
  Operation: write   Name: failed_count   Value: 0
PID 6292 chrome.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
  Operation: write   Name: state   Value: 2
PID 6292 chrome.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
  Operation: write   Name: state   Value: 1
PID 6292 chrome.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
  Operation: write   Name: user_experience_metrics.stability.exited_cleanly   Value: 0
PID 6292 chrome.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
  Operation: write   Name: usagestats   Value: 0
PID 2408 TiWorker.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
  Operation: write   Name: SessionIdHigh   Value: 31147026
PID 2408 TiWorker.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
  Operation: write   Name: SessionIdLow   Value:
PID 6292 chrome.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Google\Common\Rlz\Events\C
  Operation: write   Name: C1I   Value: 1
PID 6292 chrome.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Google\Common\Rlz\Events\C
  Operation: write   Name: C2I   Value: 1
PID 6292 chrome.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Google\Common\Rlz\Events\C
  Operation: write   Name: C7I   Value: 1
Executable files: 105
Suspicious files: 100
Text files: 84
Unknown types: 1

Dropped files

(Columns in the report: PID, Process, Filename, Type. The MD5 and SHA256 cells are empty for every row shown.)

PID 6292 chrome.exe
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF1365a3.TMP
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF1365b2.TMP
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1365b2.TMP
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF1365b2.TMP
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF1365c2.TMP
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
HTTP(S) requests: 27
TCP/UDP connections: 99
DNS requests: 63
Threats: 1

HTTP requests

(Columns in the report: PID, Process, Method, HTTP code, IP, URL, CN, Type, Size, Reputation. Type and Size are empty for every row; the first two rows carry no PID/process.)

PID   Process                 Method  Code  IP                   URL                                                                                   CN       Reputation
-     -                       GET     200   23.37.237.227:80     http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                    unknown  whitelisted
-     -                       GET     200   23.48.23.147:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl             unknown  whitelisted
5064  SearchApp.exe           GET     200   192.229.221.95:80    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D  unknown  whitelisted
1176  svchost.exe             GET     200   192.229.221.95:80    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  unknown  whitelisted
5544  pwsh.exe                GET     200   23.48.23.147:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl             unknown  whitelisted
5544  pwsh.exe                GET     200   23.37.237.227:80     http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl                   unknown  whitelisted
7272  SIHClient.exe           GET     200   23.37.237.227:80     http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl  unknown  whitelisted
7272  SIHClient.exe           GET     200   23.37.237.227:80     http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl  unknown  whitelisted
5968  backgroundTaskHost.exe  GET     200   192.229.221.95:80    http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D  unknown  whitelisted
7520  svchost.exe             HEAD    200   34.104.35.123:80     http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3  unknown  whitelisted

Connections

(Columns in the report: PID, Process, IP, Domain, ASN, CN, Reputation. Rows without a PID/process are shown with "-".)

PID   Process              IP                     Domain                           ASN                           CN  Reputation
2356  svchost.exe          51.124.78.146:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK   NL  whitelisted
4     System               192.168.100.255:137    -                                -                             -   whitelisted
4     System               192.168.100.255:138    -                                -                             -   whitelisted
4712  MoUsoCoreWorker.exe  51.124.78.146:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK   NL  whitelisted
-     -                    51.124.78.146:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK   NL  whitelisted
-     -                    23.48.23.147:80        crl.microsoft.com                Akamai International B.V.     DE  whitelisted
-     -                    23.37.237.227:80       www.microsoft.com                AKAMAI-AS                     DE  whitelisted
-     -                    2.16.204.158:443       www.bing.com                     Akamai International B.V.     DE  whitelisted
5064  SearchApp.exe        192.229.221.95:80      ocsp.digicert.com                EDGECAST                      US  whitelisted
-     -                    40.126.31.67:443       login.live.com                   MICROSOFT-CORP-MSN-AS-BLOCK   IE  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.147
  • 23.48.23.173
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.143
  • 23.48.23.167
whitelisted
www.microsoft.com
  • 23.37.237.227
whitelisted
google.com
  • 142.250.185.206
whitelisted
www.bing.com
  • 2.16.204.158
  • 2.16.204.139
  • 2.16.204.141
  • 2.16.204.150
  • 2.16.204.153
  • 2.16.204.135
  • 2.16.204.134
  • 2.16.204.160
  • 2.16.204.157
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.0
  • 20.190.159.4
  • 20.190.159.64
  • 40.126.31.73
  • 40.126.31.71
  • 20.190.159.75
  • 20.190.159.68
whitelisted
go.microsoft.com
  • 23.52.181.141
whitelisted
github.com
  • 140.82.121.3
shared
accounts.google.com
  • 64.233.167.84
whitelisted

Threats

PID 5544 pwsh.exe
  Class: Not Suspicious Traffic
  Message: INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)

Debug output (DISM log strings)

Dism.exe      PID=7808 TID=7824 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe      PID=7808 TID=7824 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe      PID=7808 TID=7824 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe      PID=7808 TID=7824 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe      PID=7808 TID=7824 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe      PID=7808 TID=7824 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
DismHost.exe  PID=6428 TID=2152 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProvider
DismHost.exe  PID=6428 TID=2152 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect
DismHost.exe  PID=6428 TID=2152 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider
Dism.exe      PID=7808 TID=7824 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect