Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 46s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21/07/2024, 23:54
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: Windows-Activator-main/BIN/entn.ps1, win7-20240705-en
- behavioral2: Windows-Activator-main/BIN/entn.ps1, win10v2004-20240709-en
- behavioral3: Windows-Activator-main/BIN/entsn.ps1, win7-20240704-en
- behavioral4: Windows-Activator-main/BIN/entsn.ps1, win10v2004-20240709-en
- behavioral5: Windows-Activator-main/BIN/x64/gatherosstate.exe, win10v2004-20240709-en
- behavioral6: Windows-Activator-main/BIN/x64/slc.dll, win7-20240705-en
- behavioral7: Windows-Activator-main/BIN/x64/slc.dll, win10v2004-20240709-en
- behavioral8: Windows-Activator-main/BIN/x86/gatherosstate.exe, win10v2004-20240709-en
- behavioral9: Windows-Activator-main/BIN/x86/slc.dll, win7-20240708-en
- behavioral10: Windows-Activator-main/BIN/x86/slc.dll, win10v2004-20240709-en
- behavioral11: Windows-Activator-main/Windows-Activator.bat, win7-20240704-en
- behavioral12: Windows-Activator-main/Windows-Activator.bat, win10v2004-20240709-en
General
- Target: Windows-Activator-main/Windows-Activator.bat
- Size: 16KB
- MD5: 6c4a49f9d6cc22f3d177140477d22c0e
- SHA1: bbfd0c0603a23f9e8dfecbcbdcd5cf7db3473c92
- SHA256: 408262209ea1b70bc6b65a2c01caa7a06f2ab72191189b9e3cb3f256129474ab
- SHA512: cfcc50da5ba0651299cb45163f920e5c503d4afd399998c9f6c93b583cca55f85a40633b93a037e00f732fd342b286e33d1be4a707cb56130043373107735682
- SSDEEP: 384:WlWMFEhZDW4KpO42db+xHo/1C7RcI3CwXgOHIb:eFEhpoZHo/1C7Rt3CwXgOHg
Malware Config

Signatures

- Delays execution with timeout.exe (1 IoC)
  pid 2336, Process timeout.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description, pid, Process:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35; pid 2712, WMIC.exe (this sequence of 20 is recorded twice for pid 2712)
  The same sequence of 20; pid 2892, WMIC.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege; pid 2892, WMIC.exe (listing stops at the 64-IoC cap)

- Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID <source> wrote to memory of <target>; each row below was recorded three times, except the last (recorded once), giving 64 entries.
  source pid  Process   target pid  procid_target
  496         cmd.exe   2180        31
  496         cmd.exe   2272        32
  496         cmd.exe   2276        33
  496         cmd.exe   2332        35
  2332        cmd.exe   2932        36
  2332        cmd.exe   2192        37
  2332        cmd.exe   2244        38
  496         cmd.exe   2472        39
  2472        cmd.exe   984         40
  496         cmd.exe   2748        41
  2748        cmd.exe   2712        42
  496         cmd.exe   2900        44
  2900        cmd.exe   2892        45
  496         cmd.exe   2628        46
  496         cmd.exe   320         47
  496         cmd.exe   2164        48
  496         cmd.exe   2740        49
  496         cmd.exe   2656        50
  496         cmd.exe   2660        51
  496         cmd.exe   2624        52
  496         cmd.exe   2336        53
  496         cmd.exe   2444        54
Processes (image path, PID, command line; nested entries are child processes)

- C:\Windows\system32\cmd.exe (PID 496)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Windows-Activator-main\Windows-Activator.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\fltMC.exe (PID 2180)
    fltmc
  - C:\Windows\system32\mode.com (PID 2272)
    mode con cols=60 lines=25
  - C:\Windows\system32\choice.exe (PID 2276)
    choice /C:12345 /N /M "YOUR CHOICE : "
  - C:\Windows\system32\cmd.exe (PID 2332)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | findstr CurrentVersion | findstr REG_SZ
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 2932)
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    - C:\Windows\system32\findstr.exe (PID 2192)
      findstr CurrentVersion
    - C:\Windows\system32\findstr.exe (PID 2244)
      findstr REG_SZ
  - C:\Windows\system32\cmd.exe (PID 2472)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "PROCESSOR_ARCHITECTURE"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 984)
      reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "PROCESSOR_ARCHITECTURE"
  - C:\Windows\system32\cmd.exe (PID 2748)
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (Name LIKE '%Windows%' and PartialProductKey is not null) get LicenseStatus /format:list"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2712)
      wmic path SoftwareLicensingProduct where (Name LIKE '%Windows%' and PartialProductKey is not null) get LicenseStatus /format:list
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2900)
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (Name LIKE '%Windows%' and LicenseStatus='2') get name /value"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2892)
      wmic path SoftwareLicensingProduct where (Name LIKE '%Windows%' and LicenseStatus='2') get name /value
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\mode.com (PID 2628)
    mode con cols=97 lines=15
  - C:\Windows\system32\mode.com (PID 320)
    mode con cols=97 lines=48
  - C:\Windows\system32\reg.exe (PID 2164)
    reg add "HKLM\SYSTEM\Tokens" /v "Channel" /t REG_SZ /d "Retail" /f
  - C:\Windows\system32\reg.exe (PID 2740)
    reg add "HKLM\SYSTEM\Tokens\Kernel" /v "Kernel-ProductInfo" /t REG_DWORD /d /f
  - C:\Windows\system32\reg.exe (PID 2656)
    reg add "HKLM\SYSTEM\Tokens\Kernel" /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1 /f
  - C:\Windows\system32\cscript.exe (PID 2660)
    cscript /nologo C:\Windows\system32\slmgr.vbs -ipk
  - C:\Users\Admin\AppData\Local\Temp\Windows-Activator-main\bin\x64\gatherosstate.exe (PID 2624)
    "bin\x64\gatherosstate.exe"
  - C:\Windows\system32\timeout.exe (PID 2336)
    timeout /t 3
    Signatures: Delays execution with timeout.exe
  - C:\Windows\system32\cscript.exe (PID 2444)
    cscript /nologo C:\Windows\system32\slmgr.vbs -ato
  - C:\Windows\system32\reg.exe (PID 1876)
    reg delete "HKLM\SYSTEM\Tokens" /f
  - C:\Windows\system32\mode.com (PID 2984)
    mode con cols=60 lines=25
  - C:\Windows\system32\choice.exe (PID 2904)
    choice /C:12345 /N /M "YOUR CHOICE : "