Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    88s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2023, 14:32

General

  • Target

    Activator/ActivatorWindows.cmd

  • Size

    4KB

  • MD5

    60ad31f88dc50283ad7acedc7d8ef9a0

  • SHA1

    93be2e8b6e1c748c7739ac42faff8e3d3eabf7dd

  • SHA256

    5a93eb2bf9e6fb38edf42aae69007cec41360c80d982925dadd54e981ca6f9e1

  • SHA512

    ad36fb6d62bc235132e1d7380588a0f96efd2f888b4eb2e1f3bbd0d10cd8f7bee380ea59d3ad98af9ceb0c2318fed40b897ef0d51a081459350b673b9cab28a7

  • SSDEEP

    96:TLwprDbaDEa+lq4bi0/BO/B5/BZJS7LAA8zhPpi+4yH6dv7F0tvsmGv26FdJvTy:TjuqoyH0v7QvsRvvpvm

Score
1/10

Malware Config

Signatures

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Activator\ActivatorWindows.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\system32\schtasks.exe
      schtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\ActivationNextBoot.xml" /TN "ActivationNextBoot"
      2⤵
      • Creates scheduled task(s)
      PID:2380
    • C:\Windows\system32\cscript.exe
      CSCRIPT C:\Windows\system32\slmgr.vbs -dli
      2⤵
      PID:1704
    • C:\Windows\system32\findstr.exe
      FINDSTR "Licensed ½¿µÑ¡º¿ε"
      2⤵
      PID:2392
    • C:\Windows\system32\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      2⤵
      PID:1544
    • C:\Windows\system32\findstr.exe
      FINDSTR /i 7
      2⤵
      PID:2568
    • C:\Windows\system32\cscript.exe
      CSCRIPT C:\Windows\system32\slmgr.vbs -dli
      2⤵
      PID:2820
    • C:\Windows\system32\findstr.exe
      FINDSTR "VOLUME_KMSCLIENT"
      2⤵
      PID:3032

Network

MITRE ATT&CK Enterprise v15
