Malware Analysis Report

2024-10-16 05:03

Sample ID 240809-chpfaavdqq
Target MediaCreationTool.bat
SHA256 4b1486451a42cfc8d1372026c91ac09ae47bd010ec88d0233b93c0f4f8113296
Tags: dropper, execution
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

4b1486451a42cfc8d1372026c91ac09ae47bd010ec88d0233b93c0f4f8113296

Threat Level: Likely malicious

The file MediaCreationTool.bat was found to be: Likely malicious. The score is driven by living-off-the-land behaviour rather than by an identified payload: the batch script copies itself to C:\ESD, runs PowerShell code extracted from its own body through iex, and fetches MediaCreationTool1803.exe with bitsadmin. Every network destination recorded in the behavioral2 run is a Microsoft download host (software-download.microsoft.com, software-static.download.prss.microsoft.com, download.microsoft.com), and the strings surfaced by the findstr calls describe a menu for building Windows installation media. Before acting on the verdict, compare the sample's SHA256 with the published hash of the script the file claims to be and review the PowerShell sections recovered from the .bat, rather than relying on the signature names alone.

Malicious Activity Summary

dropper execution

Download via BitsAdmin

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Drops file in Windows directory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious use of WriteProcessMemory
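
The signatures listed above are living-off-the-land heuristics, and the useful question for a detection engineer is which of them still say something once the same command lines appear in process telemetry with their parent chain attached. The following Python is an added example, not part of the sandbox report or of the script under analysis: it evaluates three of those heuristics over constructed, Sysmon-like process-creation events whose command lines are taken from the behavioral2 process list (PIDs other than 3952 and 1724 are illustrative), walks the parent chain, and decodes the bitsadmin job name on the assumption that it is a .NET DateTime tick count. The technique IDs are MITRE ATT&CK identifiers; the ancestry walk and the tick decoding are this example's own additions.

```python
"""Living-off-the-land triage over process-creation events.

Added example, not part of the sandbox report.  Events are constructed in a
Sysmon-like shape; the command lines are copied from the behavioral2 process
list, and PIDs other than 3952 and 1724 are illustrative.
"""
import re
from datetime import datetime, timedelta

EVENTS = [
    {"pid": 3952, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MediaCreationTool.bat"'},
    {"pid": 1060, "ppid": 3952, "image": r"C:\Windows\System32\attrib.exe",
     "cmd": r'attrib -R -S -H "C:\ESD"'},
    {"pid": 2380, "ppid": 3952, "image": r"C:\Windows\System32\Robocopy.exe",
     "cmd": r'robocopy "C:\Users\Admin\AppData\Local\Temp\/" "C:\ESD/" "MediaCreationTool.bat"'},
    {"pid": 1724, "ppid": 3952, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /d /x /c set "ROOT=C:\Users\Admin\AppData\Local\Temp" & call "C:\ESD\MediaCreationTool.bat" set'},
    {"pid": 4408, "ppid": 1724, "image": r"C:\Windows\System32\windowspowershell\v1.0\powershell.exe",
     "cmd": r'''powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"'''},
    {"pid": 5100, "ppid": 4408, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r'"C:\Windows\System32\bitsadmin.exe" /transfer 638587659788329374 /priority foreground http://software-download.microsoft.com/download/pr/MediaCreationTool1803.exe C:\ESD\MCT\MediaCreationTool1803.exe'},
    {"pid": 5200, "ppid": 3952, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r'reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f'},
]


def _image_is(ev, name):
    return ev["image"].lower().endswith("\\" + name)


def bits_download(ev):
    """bitsadmin /transfer with a URL on the command line (T1197)."""
    c = ev["cmd"].lower()
    return _image_is(ev, "bitsadmin.exe") and "/transfer" in c and "http" in c


def powershell_runtime_code(ev):
    """powershell.exe evaluating a string it assembled at run time."""
    c = ev["cmd"].lower()
    return _image_is(ev, "powershell.exe") and re.search(r"\biex\b|invoke-expression", c) is not None


def attrib_change(ev):
    """attrib adding or removing read-only/system/hidden attributes."""
    c = ev["cmd"].lower()
    return _image_is(ev, "attrib.exe") and re.search(r"[-+][rsh]\b", c) is not None


RULES = [
    ("T1197", "BITS job used for download", bits_download),
    ("T1059.001", "PowerShell running code assembled at run time", powershell_runtime_code),
    ("T1564.001", "attrib altering hidden/system/read-only attributes", attrib_change),
]


def ancestry(events, pid):
    """[pid, parent, grandparent, ...] as far as the event set allows."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def dotnet_ticks_to_datetime(ticks):
    """100 ns ticks since 0001-01-01, the .NET DateTime representation.
    Assumption: the 18-digit bitsadmin job names are such ticks; that they
    decode to the detonation time is what supports the reading."""
    return datetime(1, 1, 1) + timedelta(microseconds=ticks // 10)


def bits_job_name(cmd):
    m = re.search(r"/transfer\s+(\S+)", cmd, re.I)
    return m.group(1) if m else None


def analyse(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for tid, desc, pred in RULES:
            if not pred(ev):
                continue
            f = {"pid": ev["pid"], "technique": tid, "desc": desc,
                 "chain": [by_pid[p]["image"].rsplit("\\", 1)[-1].lower()
                           for p in ancestry(events, ev["pid"])]}
            job = bits_job_name(ev["cmd"]) if tid == "T1197" else None
            if job and job.isdigit():
                f["job_time"] = dotnet_ticks_to_datetime(int(job))
            # A download reached through script interpreters (cmd -> powershell -> bitsadmin)
            # is the pattern the report's "dropper" tag describes.
            f["script_driven"] = any(x in ("cmd.exe", "powershell.exe") for x in f["chain"][1:])
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f["technique"], f["pid"], " <- ".join(f["chain"]), f.get("job_time", ""))
```

The reg.exe and robocopy events deliberately produce no finding: registry writes under HKCU\Console and a self-copy are noise on their own, and the three rules that do fire all need the parent chain to mean anything, which is the part a signature name cannot carry.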

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 02:04

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 02:04

Reported

2024-08-09 02:07

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

130s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MediaCreationTool.bat"

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\System32\bitsadmin.exe (2 events) N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\windowspowershell\v1.0\powershell.exe (3 events) N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\System32\expand.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\System32\expand.exe N/A
Both paths are expand.exe's own DPX log files, written whenever expand.exe runs (here to unpack products1803.cab); they are the only writes under C:\Windows the report records.

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege N/A C:\Windows\System32\Robocopy.exe (each enabled in both Robocopy runs) N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\windowspowershell\v1.0\powershell.exe (each of the three PowerShell runs) N/A
Robocopy routinely enables the backup/restore privilege set at start-up, and powershell.exe enables SeDebugPrivilege at start-up when the token already holds it; in an elevated sandbox session both are expected and are not evidence of token manipulation by the script.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Each parent-to-child write below is logged twice in the raw table; the counts are folded here. A parent writing into a child it has just created is part of the normal CreateProcess sequence, so for cmd.exe spawning its own helpers these entries record process creation, not injection.)
PID 3952 wrote to memory of 1000 (x2) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3952 wrote to memory of 372, 1592, 3100, 4500, 3772, 4008, 640, 1344, 3636, 4208, 4900, 4264, 3292, 2104, 5032, 1328, 4908, 2356, 1640, 3244, 3252, 740, 3296, 3176, 228, 1728 (26 children, x2 each) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3952 wrote to memory of 1060 (x2) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\attrib.exe
PID 3952 wrote to memory of 2380 (x2) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Robocopy.exe
PID 3952 wrote to memory of 1724 (x2) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 1724 wrote to memory of 1284 (x2) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\chcp.com
PID 1724 wrote to memory of 2896 (x2) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe (3 events) N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MediaCreationTool.bat"

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\reg.exe

reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ScreenColors /d 31 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable00 /d 0x000000 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable08 /d 0x767676 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable01 /d 0x9e5a00 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable09 /d 0xff783b /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable02 /d 0x0ea113 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable10 /d 0x0cc616 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable04 /d 0x1f0fc5 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable12 /d 0x5648e7 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable05 /d 0x981788 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable13 /d 0x9e00b4 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable06 /d 0x009cc1 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable14 /d 0xa5f1f9 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable07 /d 0xcccccc /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable15 /d 0xffffff /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v QuickEdit /d 0x0000 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v LineWrap /d 0 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v LineSelection /d 0x0001 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v CtrlKeyShortcutsDisabled /d 0 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v WindowSize /d 2097272 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ScreenBufferSize /d 655294584 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v FontSize /d 0x00100008 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f

The 26 reg add calls above are the whole of the "Modifies registry key" signature: ForceV2 on HKCU\Console selects the newer console host, and the rest write colour table, font, buffer and window settings under HKCU\Console\MCT, the per-title profile the console applies to a window titled MCT. They change how the script's own console window looks and nothing else.

C:\Windows\System32\attrib.exe

attrib -R -S -H "C:\ESD"

C:\Windows\System32\Robocopy.exe

robocopy "C:\Users\Admin\AppData\Local\Temp\/" "C:\ESD/" "MediaCreationTool.bat"

C:\Windows\System32\cmd.exe

cmd /d /x /c set "ROOT=C:\Users\Admin\AppData\Local\Temp" & call "C:\ESD\MediaCreationTool.bat" set

The script copies itself into C:\ESD (robocopy tolerates the trailing slashes; the copy succeeded, as the C:\ESD\MediaCreationTool.bat entry under Files carrying the sample's own SHA256 shows) and then re-enters the copy with ROOT pointing back at the original directory. The second robocopy below, from C:\ESD to C:\ESD, is that copy performing the same step on itself.

C:\Windows\System32\chcp.com

chcp 437

C:\Windows\System32\attrib.exe

attrib -R -S -H "C:\ESD"

C:\Windows\System32\Robocopy.exe

robocopy "C:\ESD\/" "C:\ESD/" "MediaCreationTool.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $h$s$h:|cmd /d

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $h$s$h:"

C:\Windows\System32\cmd.exe

cmd /d

These three processes are one batch idiom rather than three actions: piping "prompt $h$s$h:" into a fresh cmd /d makes that cmd print a prompt containing a backspace character ($h), which the caller captures into a variable. The script needs that character for the findstr colour trick further down, whose printed file-name tail has to be backspaced away.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" 2>nul

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!

C:\Windows\System32\cmd.exe

cmd /q /v:on /c echo !.:~2,1!

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!

C:\Windows\System32\cmd.exe

cmd /q /v:on /c echo !.:~2,1!

C:\Windows\System32\findstr.exe

findstr /c:\ /a:f0 " Detected Media "\..\c nul

The findstr lines here and below are the well-known coloured-output idiom, not searches: the path " <text> "\..\c resolves to the file c in the current directory (the text component is cancelled by the ..), findstr prints the matching line prefixed with the path exactly as given, and /a:<attr> sets the console colour of that prefix. It needs a file named c containing a backslash for /c:\ to match, which is consistent with the C:\Users\Admin\AppData\Roaming\c entry under Files. The quoted strings are the script's menu text and are the most direct statement in this report of what the script is for.

C:\Windows\System32\findstr.exe

findstr /c:\ /a:6f " en-US "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:9f " Professional "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:2f " x64 "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "3 Auto USB : MCT gets detected media, script assists making USB stick target "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "4 Select : MCT gets selected Edition, Language, Arch onto specified target "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "5 MCT Defaults : MCT runs unassisted, creating media without script modification "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:17 "1-4 adds to media: PID.txt, EI.cfg, $ISO$ dir, auto.cmd for upgrade and tpm checks "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:17 "can rename script: "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "def MediaCreationTool.bat"\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:17 " to always create unmodified MCT media "\..\c nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"

C:\Windows\System32\windowspowershell\v1.0\powershell.exe

powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"

This is the batch/PowerShell polyglot pattern behind the PowerShell signature. Environment variable 0 holds a file path (by all appearances the batch file itself); PowerShell reads that file, splits it on the marker #:CHOICES2: with a limit of 3 and keeps the middle piece, i.e. the PowerShell code embedded between two copies of the marker, prefixes a backtick to every backtick, @ and $ in the argument string held in variable 1, and runs the concatenation with iex. The code that actually executes is therefore never on the command line and has to be recovered from the .bat file. -nop only suppresses the profile; no execution-policy bypass is needed because policy does not apply to -c strings or to iex.

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\attrib.exe

attrib -R -S -H "C:\ESD" /D

C:\Windows\System32\findstr.exe

findstr /c:\ /a:f0 " Windows 10 Version "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:5f " 1803 "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:f1 " 17134.112.180619-1212.rs4_release_svc_refresh "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:6f " en-US "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:9f " Consumer "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:2f " x64 "\..\c nul

C:\Windows\System32\windowspowershell\v1.0\powershell.exe

powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 638587659788329374 /priority foreground http://software-download.microsoft.com/download/pr/MediaCreationTool1803.exe C:\ESD\MCT\MediaCreationTool1803.exe

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 638587659807860838 /priority foreground https://software-download.microsoft.com/download/pr/MediaCreationTool1803.exe C:\ESD\MCT\MediaCreationTool1803.exe

Both jobs fetch the Windows 10 1803 Media Creation Tool from Microsoft's download host into C:\ESD\MCT, first over http and then over https; the report does not say which one completed. The 18-digit job names are, on the evidence of their value, .NET DateTime ticks: 638587659788329374 decodes to 2024-08-09 02:06, the detonation time, so they are timestamps rather than identifiers worth pivoting on. bitsadmin /transfer with a URL is exactly what the Download via BitsAdmin signature keys on; whether that matters here depends on the destination, which is a Microsoft host.

C:\Windows\System32\windowspowershell\v1.0\powershell.exe

powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"

C:\Windows\System32\expand.exe

expand.exe -R products1803.cab -F:* .

C:\Windows\System32\findstr.exe

findstr /c:\ /a:4f " ERROR "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:0f " Check urls in browser | del ESD dir | use powershell v3.0+ | unblock powershell | enable BITS serv "\..\c nul

The last two lines print the script's own error message, so this detonation ended in the script's error branch after the download stage rather than running to completion.
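
The powershell lines in the list above never show the code that runs; it is cut out of the batch file at run time between two copies of a marker and fed to iex. The Python below is an added example, not the sample's code: SAMPLE_BAT is a constructed stand-in that reproduces only the launch line seen in the report, with invented section bodies and an assumed set "0=%~f0" to populate the variable the launch line reads. The functions recover each marked section exactly as the -split expression does, mirror the backtick escaping applied to the arguments, and list the strings a triage analyst would look for in the recovered code.

```python
"""Recover the PowerShell that a batch/PowerShell polyglot hands to iex.

Added example, not the sample's code.  SAMPLE_BAT is a constructed stand-in:
the powershell launch line is the one seen in the report, the `set "0=%~f0"`
line is an assumption about how variable 0 gets the script path, and the
section bodies are invented to show the marker layout the split implies.
"""
import re

SAMPLE_BAT = r"""@echo off
set "0=%~f0" & set "1=%*"
powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
exit /b
#:DOWNLOAD:
param($url, $dst)
bitsadmin /transfer ([datetime]::Now.Ticks) /priority foreground $url $dst
#:DOWNLOAD:
#:CHOICES2:
$pick = Read-Host 'choice'
iex $pick
#:CHOICES2:
"""

MARKER = re.compile(r"#:([A-Za-z0-9_]+):")


def sections(text):
    """name -> text between the first and second occurrence of '#:name:'.
    This is ($f0 -split '#\\:name\\:', 3)[1]: split at most twice, keep the
    middle piece.  A marker that occurs only once yields no section."""
    found = {}
    for name in dict.fromkeys(MARKER.findall(text)):
        parts = re.split(r"#:" + re.escape(name) + r":", text, maxsplit=2)
        if len(parts) == 3:
            found[name] = parts[1].strip("\r\n")
    return found


def escape_args(args):
    """Mirror $env:1 -replace '([`@$])','`$1': a backtick before every
    backtick, @ and $ so the appended argument text is inert when iex'd."""
    return re.sub(r"([`@$])", r"`\1", args)


def launch_sections(text):
    """Marker names referenced by powershell ... -split '#\\:NAME\\:' launch lines."""
    return re.findall(r"-split\s+'#\\:([A-Za-z0-9_]+)\\:'", text)


def assembled_code(text, name, args=""):
    """The exact string iex receives: section body followed by escaped arguments."""
    return sections(text)[name] + escape_args(args)


# Strings worth a second look in recovered PowerShell; order is reporting order.
RISKY = ("iex", "invoke-expression", "bitsadmin", "downloadstring", "downloadfile",
         "frombase64string", "-enc", "start-process")


def indicators(code):
    low = code.lower()
    return [k for k in RISKY if k in low]


if __name__ == "__main__":
    for name, body in sections(SAMPLE_BAT).items():
        print(f"== {name} == launched: {name in launch_sections(SAMPLE_BAT)} "
              f"indicators: {indicators(body)}")
        print(body)
```

Run against a real polyglot, the sections dictionary is the artefact to keep with the case: the launch line identifies which section the observed powershell.exe ran, and indicators() on that section, not on the whole .bat, is what the PowerShell signature should be judged by.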

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 software-download.microsoft.com udp
US 152.199.19.161:80 software-download.microsoft.com tcp
US 8.8.8.8:53 software-static.download.prss.microsoft.com udp
US 152.199.21.175:80 software-static.download.prss.microsoft.com tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 152.199.19.161:80 software-download.microsoft.com tcp
US 152.199.21.175:80 software-static.download.prss.microsoft.com tcp
US 152.199.21.175:80 software-static.download.prss.microsoft.com tcp
US 152.199.19.161:443 software-download.microsoft.com tcp
US 152.199.21.175:443 software-static.download.prss.microsoft.com tcp
US 152.199.19.161:443 software-download.microsoft.com tcp
US 152.199.21.175:443 software-static.download.prss.microsoft.com tcp
US 8.8.8.8:53 download.microsoft.com udp
GB 95.100.245.121:80 download.microsoft.com tcp
GB 95.100.245.121:443 download.microsoft.com tcp
US 8.8.8.8:53 121.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Every TCP connection in the table goes to a Microsoft download host (software-download.microsoft.com on 80 and 443, software-static.download.prss.microsoft.com, download.microsoft.com), matching the bitsadmin URLs in the process list. The in-addr.arpa queries are reverse lookups of those addresses; g.bing.com is not referenced by any command line in the process list and is most plausibly background traffic from the sandbox image. No non-Microsoft endpoint is contacted.

Files

C:\ESD\MediaCreationTool.bat

MD5 998ca6b423965b3a357e57c27a4a850b
SHA1 b18a2ad0999bf7a9f898d771503020eacb5d617d
SHA256 4b1486451a42cfc8d1372026c91ac09ae47bd010ec88d0233b93c0f4f8113296
SHA512 23b63cb6c0beca86bdbef612dbfe3150ed6295e5987843e3ead36b038133f17cbf0860aef28fc3b3021056afac2996bc2eca1d35186a4a9c934a995ecfaef6e8

Hashes identical to the submitted sample: this is the robocopy self-copy into C:\ESD, not a second-stage payload.

C:\Users\Admin\AppData\Roaming\c

MD5 28d397e87306b8631f3ed80d858d35f0
SHA1 08534f33c201a45017b502e90a800f1b708ebcb3
SHA256 a9253dc8529dd214e5f22397888e78d3390daa47593e26f68c18f97fd7a3876b
SHA512 0a0cd116c2c57fb125fd9ada131f6ca964587a9958a214814a623db1821ed5ce32daeec4085a14e31d900a357b1e2549319b2e0cc2c8cfbafc6a4a4aafebe203

Consistent with the findstr colour idiom in the process list, which needs a readable file named c, containing a backslash, in the current directory; nothing in the report indicates the file is executed.

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlrpxszm.2oj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

This file, the CLR UsageLogs entry and the two StartupProfileData-NonInteractive files below are created by powershell.exe itself at start-up (the __PSScriptPolicyTest_*.ps1 file is how PowerShell probes for AppLocker/WDAC script enforcement), and the memory/<pid>-... entries are the sandbox's dumps of those PowerShell processes. None of them is written by the script.

memory/3856-7-0x000001375CD90000-0x000001375CDB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 a8abfac46fecead606749e07ddd5fde3
SHA1 b016ccf671ed81f4d1687c5614169bfc516b36db
SHA256 d84f53499110d4dfe73bf1cc9e6a0a167d5c02a18bd07e90d053b9f475eb70e5
SHA512 0d135b229051d857c360cdae26f974bbf70256c0743d0b1b56f9d2bc9b6e1671e6ab0e9711326f69563943f00d79d8a3b2ca3e1551a40046026d7a3e34fbc4bf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 667045c59e581a86e3c631dbfb08a083
SHA1 924e72ccb1a5679bd07032c2f1b6b506d805c1da
SHA256 20af0263adaf76d15bdf41aa3c5cb02d6868bbb2a13ae96cb839202df7421275
SHA512 6a4184be6ffdd498f503255cf29e439448a10b2a1eba16f3d7d697d2225b96feca062cf72f91845f69ba4200df6b47d46357ff565eb0b0f39c3834e721d0d5f0

memory/4408-30-0x00000226F09C0000-0x00000226F09E6000-memory.dmp

memory/4408-31-0x00000226F0A30000-0x00000226F0A44000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8e16939e1c08c53d76d61d7ed974ecf8
SHA1 6a2185d65319c7cbc6629daf8c0dd1404173d041
SHA256 861bb189fb8050f7962a94067616b0332d3e90007c2721dc773bcbb7a836e1c0
SHA512 7bc73bb757a8b1f7594cd3463070a129229bc544b1707b00e1d67e6a8f98f577f83ff5d9c3cd330629ed193034913b2e1060d3f565e1550bb84bfafcc12fe995

memory/924-43-0x000001B1F0E00000-0x000001B1F0E26000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 02:04

Reported

2024-08-09 02:06

Platform

win7-20240705-en

Max time kernel

60s

Max time network

52s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\MediaCreationTool.bat"

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\System32\bitsadmin.exe (4 events) N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\windowspowershell\v1.0\powershell.exe (3 events) N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege N/A C:\Windows\System32\Robocopy.exe (each enabled in both Robocopy runs) N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\windowspowershell\v1.0\powershell.exe (each of the three PowerShell runs) N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Each parent-to-child write below is logged three times in the raw table; the counts are folded here. These are writes by a parent into a child it has just created, part of normal process start-up rather than injection.)
PID 2776 wrote to memory of 2708 (x3) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2776 wrote to memory of 2676, 2560, 2404, 2976, 2840, 2712, 2816, 2588, 2932, 2940, 2920, 2576, 2580, 2688, 2600, 696, 1768, 2804, 2552, 2548 (20 children, x3 each) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2776 wrote to memory of 2572 (x1; the table ends here) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe (3 events) N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\MediaCreationTool.bat"

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\reg.exe

reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ScreenColors /d 31 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable00 /d 0x000000 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable08 /d 0x767676 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable01 /d 0x9e5a00 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable09 /d 0xff783b /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable02 /d 0x0ea113 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable10 /d 0x0cc616 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable04 /d 0x1f0fc5 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable12 /d 0x5648e7 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable05 /d 0x981788 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable13 /d 0x9e00b4 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable06 /d 0x009cc1 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable14 /d 0xa5f1f9 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable07 /d 0xcccccc /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ColorTable15 /d 0xffffff /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v QuickEdit /d 0x0000 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v LineWrap /d 0 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v LineSelection /d 0x0001 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v CtrlKeyShortcutsDisabled /d 0 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v WindowSize /d 2097272 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v ScreenBufferSize /d 655294584 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v FontSize /d 0x00100008 /t reg_dword /f

C:\Windows\system32\reg.exe

reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f

C:\Windows\System32\attrib.exe

attrib -R -S -H "C:\ESD"

C:\Windows\System32\Robocopy.exe

robocopy "C:\Users\Admin\AppData\Local\Temp\/" "C:\ESD/" "MediaCreationTool.bat"

C:\Windows\System32\cmd.exe

cmd /d /x /c set "ROOT=C:\Users\Admin\AppData\Local\Temp" & call "C:\ESD\MediaCreationTool.bat" set

C:\Windows\System32\chcp.com

chcp 437

C:\Windows\System32\attrib.exe

attrib -R -S -H "C:\ESD"

C:\Windows\System32\Robocopy.exe

robocopy "C:\ESD\/" "C:\ESD/" "MediaCreationTool.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo prompt $h$s$h:|cmd /d

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo prompt $h$s$h:"

C:\Windows\System32\cmd.exe

cmd /d

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" 2>nul

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!

C:\Windows\System32\cmd.exe

cmd /q /v:on /c echo !.:~2,1!

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!

C:\Windows\System32\cmd.exe

cmd /q /v:on /c echo !.:~2,1!

C:\Windows\System32\findstr.exe

findstr /c:\ /a:f0 " Detected Media "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:6f " en-US "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:9f " Ultimate "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:2f " x64 "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "3 Auto USB : MCT gets detected media, script assists making USB stick target "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "4 Select : MCT gets selected Edition, Language, Arch onto specified target "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "5 MCT Defaults : MCT runs unassisted, creating media without script modification "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:17 "1-4 adds to media: PID.txt, EI.cfg, $ISO$ dir, auto.cmd for upgrade and tpm checks "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:17 "can rename script: "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:1f "def MediaCreationTool.bat"\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:17 " to always create unmodified MCT media "\..\c nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"

C:\Windows\System32\windowspowershell\v1.0\powershell.exe

powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\attrib.exe

attrib -R -S -H "C:\ESD" /D

C:\Windows\System32\findstr.exe

findstr /c:\ /a:f0 " Windows 10 Version "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:5f " 1809 "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:f1 " 17763.379.190312-0539.rs5_release_svc_refresh "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:6f " en-US "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:9f " Consumer "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:2f " x64 "\..\c nul

C:\Windows\System32\windowspowershell\v1.0\powershell.exe

powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 638587659149588000 /priority foreground http://software-download.microsoft.com/download/pr/MediaCreationTool1809.exe C:\ESD\MCT\MediaCreationTool1809.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 638587659258764000 /priority foreground https://software-download.microsoft.com/download/pr/MediaCreationTool1809.exe C:\ESD\MCT\MediaCreationTool1809.exe

C:\Windows\System32\windowspowershell\v1.0\powershell.exe

powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 638587659345500000 /priority foreground http://download.microsoft.com/download/8/E/8/8E852CBF-0BCC-454E-BDF5-60443569617C/products_20190314.cab C:\ESD\MCT\products1809.cab

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 638587659463124000 /priority foreground https://download.microsoft.com/download/8/E/8/8E852CBF-0BCC-454E-BDF5-60443569617C/products_20190314.cab C:\ESD\MCT\products1809.cab

C:\Windows\System32\findstr.exe

findstr /c:\ /a:4f " ERROR "\..\c nul

C:\Windows\System32\findstr.exe

findstr /c:\ /a:0f " Check urls in browser | del ESD dir | use powershell v3.0+ | unblock powershell | enable BITS serv "\..\c nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 software-download.microsoft.com udp
US 152.199.19.161:80 software-download.microsoft.com tcp
US 8.8.8.8:53 software-static.download.prss.microsoft.com udp
US 152.199.21.175:80 software-static.download.prss.microsoft.com tcp
US 152.199.21.175:80 software-static.download.prss.microsoft.com tcp
US 152.199.19.161:80 software-download.microsoft.com tcp
US 152.199.21.175:80 software-static.download.prss.microsoft.com tcp
US 152.199.19.161:443 software-download.microsoft.com tcp
US 152.199.19.161:443 software-download.microsoft.com tcp
US 152.199.19.161:443 software-download.microsoft.com tcp
US 152.199.19.161:443 software-download.microsoft.com tcp
US 152.199.19.161:443 software-download.microsoft.com tcp
US 152.199.19.161:443 software-download.microsoft.com tcp
US 8.8.8.8:53 download.microsoft.com udp
GB 95.100.245.121:80 download.microsoft.com tcp
GB 95.100.245.121:443 download.microsoft.com tcp
GB 95.100.245.121:443 download.microsoft.com tcp
GB 95.100.245.121:80 download.microsoft.com tcp
GB 95.100.245.121:443 download.microsoft.com tcp
GB 95.100.245.121:443 download.microsoft.com tcp
GB 95.100.245.121:443 download.microsoft.com tcp
GB 95.100.245.121:443 download.microsoft.com tcp

Files

C:\ESD\MediaCreationTool.bat

MD5 998ca6b423965b3a357e57c27a4a850b
SHA1 b18a2ad0999bf7a9f898d771503020eacb5d617d
SHA256 4b1486451a42cfc8d1372026c91ac09ae47bd010ec88d0233b93c0f4f8113296
SHA512 23b63cb6c0beca86bdbef612dbfe3150ed6295e5987843e3ead36b038133f17cbf0860aef28fc3b3021056afac2996bc2eca1d35186a4a9c934a995ecfaef6e8

C:\Users\Admin\AppData\Roaming\c

MD5 28d397e87306b8631f3ed80d858d35f0
SHA1 08534f33c201a45017b502e90a800f1b708ebcb3
SHA256 a9253dc8529dd214e5f22397888e78d3390daa47593e26f68c18f97fd7a3876b
SHA512 0a0cd116c2c57fb125fd9ada131f6ca964587a9958a214814a623db1821ed5ce32daeec4085a14e31d900a357b1e2549319b2e0cc2c8cfbafc6a4a4aafebe203

memory/2084-12-0x000000001B670000-0x000000001B952000-memory.dmp

memory/2084-13-0x0000000002340000-0x0000000002348000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 cf8066f14821f1577ea6b7ca4130f0d7
SHA1 b9945591b92de31aaa03a39536cbd209897b6059
SHA256 b28eec137862442f50d9f5c2f2eae8cb26aee21b125e030e39bf170484c8fb69
SHA512 c0743b89d2c6a83d341c7cd1d2b3e773b59ceb87626bc352f358566b2e401badd48f8534883f93f4b00bc7a9b5233cf79cdf1e6f86d328871440d08c36cdba05

memory/2064-20-0x000000001B5B0000-0x000000001B892000-memory.dmp

memory/2064-21-0x00000000021D0000-0x00000000021D8000-memory.dmp

memory/2064-22-0x000000001B4B0000-0x000000001B4D2000-memory.dmp

memory/2064-23-0x00000000028C0000-0x00000000028D2000-memory.dmp

memory/1676-29-0x0000000002AE0000-0x0000000002B02000-memory.dmp

memory/1676-30-0x0000000002D30000-0x0000000002D42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA98A.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA99D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b