Malware Analysis Report

2024-11-13 18:04

Sample ID 241104-ttkd5stbrp
Target Activation.exe
SHA256 7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5
Tags: discovery execution exploit
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5

Threat Level: Likely malicious

The file Activation.exe was found to be: Likely malicious. It presents itself as a "Windows Activation Fix" (console banner "Made by skidaim#0607"). On the Windows 7 detonation (behavioral1) it drops three batch files into C:\Windows\IME, takes ownership of C:\Windows\System32\sppsvc.exe, recursively grants Administrators Full Control over C:\Windows\System32, grants the service account NT Service\sppsvc Full Control over the Software Protection Platform registry keys and over System32, restarts sppsvc, reinstalls the licence files with slmgr.vbs /rilc and then launches activator.bat. The one-cmd.exe-per-line process pattern is consistent with a batch script compiled into an executable. On the Windows 10 detonation (behavioral2) execution stops at the banner's pause prompt, so none of that behaviour was observed there.

Malicious Activity Summary

discovery execution exploit

Possible privilege escalation attempt

Modifies file permissions

Command and Scripting Interpreter: PowerShell

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 16:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 16:20

Reported

2024-11-04 16:25

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Activation.exe"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2768 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4936 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4936 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4448 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4448 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Activation.exe

"C:\Users\Admin\AppData\Local\Temp\Activation.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c title Windows Activation Fix

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 0b

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

The Windows 10 run ends at this pause: the sandbox supplied no keypress, so the permission changes, dropped batch files and service restarts recorded in the Windows 7 run (behavioral1) were never reached here. The lower coverage of this run, not a difference in the sample, is why behavioral2 carries only the WriteProcessMemory signature.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp

Everything in this table is either a reverse (PTR) lookup through 8.8.8.8 for an address that never appears among the recorded destinations, or HTTPS to Bing endpoints (g.bing.com, tse1.mm.bing.net on 150.171.28.10). That is the background traffic of the win10v2004 sandbox image itself: the table attributes none of it to a process of the sample, and the sample never got past its pause prompt in this run. Treat it as noise, not as command-and-control.
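As an added example (not part of the report) of the triage step this table calls for: Python that decodes the in-addr.arpa PTR names back to the looked-up addresses, separates traffic to an assumed allowlist of Windows background domains from everything else, and leaves what remains for manual review. The rows are constructed from the table above plus one invented non-Microsoft destination (203.0.113.7, a documentation address) to show what would not be filtered; the allowlist is an assumption to be extended per sandbox image.

```python
"""Triage a sandbox network table: decode PTR lookups, drop known background
traffic, and leave the rest for review.  Added example with constructed rows."""
import ipaddress

# (country, destination, domain, proto), laid out like the report's Network table.
# The last row is invented (203.0.113.7 is a documentation address) to show what
# survives the filter; nothing like it appears in the report.
ROWS = [
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "150.171.28.10:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
    ("DE", "203.0.113.7:8080", "update-check.example", "tcp"),
]

# Assumed allowlist of domains the sandbox OS contacts on its own; extend per image.
BACKGROUND_DOMAINS = ("bing.com", "bing.net", "msftconnecttest.com", "windowsupdate.com")


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None if not a valid IPv4 PTR name.
    PTR names carry the octets in reverse order, so they are flipped back here."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None


def is_background(domain):
    d = domain.lower()
    return any(d == b or d.endswith("." + b) for b in BACKGROUND_DOMAINS)


def triage(rows):
    """Split rows into PTR lookups (as the looked-up IPs), background, and unexplained."""
    out = {"ptr_lookups": [], "background": [], "unexplained": []}
    for country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None:
            if ip not in out["ptr_lookups"]:
                out["ptr_lookups"].append(ip)
        elif is_background(domain):
            out["background"].append((dest, domain, proto))
        else:
            out["unexplained"].append((country, dest, domain, proto))
    return out


def ptr_without_connection(rows):
    """IPs the host reverse-resolved but never connected to in the capture.  In the
    report every PTR target is such an IP, i.e. the lookups are not tied to any
    connection the sample made."""
    contacted = {dest.rsplit(":", 1)[0] for _, dest, _, _ in rows}
    return [ip for ip in triage(rows)["ptr_lookups"] if ip not in contacted]


if __name__ == "__main__":
    result = triage(ROWS)
    print("PTR lookups:", result["ptr_lookups"])
    print("background rows:", len(result["background"]))
    print("needs review:", result["unexplained"])
    print("reverse-resolved but never contacted:", ptr_without_connection(ROWS))
```

Only the invented row survives the filter; applied to the real table, the "needs review" list is empty, which is the concrete basis for calling this run's traffic noise.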

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 16:20

Reported

2024-11-04 16:25

Platform

win7-20241010-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Activation.exe"

Signatures

Possible privilege escalation attempt

Tags: exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A

Modifies file permissions

Tags: discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\IME\permissions.bat | C:\Users\Admin\AppData\Local\Temp\Activation.exe | N/A
File created | C:\Windows\IME\reset.bat | C:\Users\Admin\AppData\Local\Temp\Activation.exe | N/A
File created | C:\Windows\IME\activator.bat | C:\Users\Admin\AppData\Local\Temp\Activation.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

SeTakeOwnershipPrivilege is exactly what takeown.exe must enable to reassign the owner of sppsvc.exe. SeSecurityPrivilege is enabled by powershell.exe in the Set-Acl calls listed under Processes, which write security descriptors to protected registry keys and directories. SeDebugPrivilege is commonly enabled by powershell.exe itself at start-up and is not, on its own, evidence of process injection; no cross-process write by powershell.exe appears in the WriteProcessMemory table below.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2324 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2668 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2668 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2668 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2668 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2668 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2668 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2668 wrote to memory of 2832 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2668 wrote to memory of 2832 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2668 wrote to memory of 2832 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2324 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\Activation.exe | C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Activation.exe

"C:\Users\Admin\AppData\Local\Temp\Activation.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c title Windows Activation Fix

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c color 0b

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo Starting...

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\sppsvc.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant administrators:F /T

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\spp /grant administrators:F /T

These three commands are the body of permissions.bat. takeown /F makes the current (administrative) user the owner of the Software Protection service binary, the usual prerequisite for replacing or patching it later; the report does not capture what activator.bat then does with it. icacls ... /grant administrators:F /T adds a Full Control ACE for BUILTIN\Administrators to every file and subdirectory under System32 (and again under System32\spp), which strips the TrustedInstaller-only write protection from system binaries for any elevated process on the host, not just this one. There is no icacls /save backup or restore step, so the change outlives the "fix" and is only reversible from a known-good ACL baseline or a system repair.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo Applying permissions...

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl

Each of the six Set-Acl invocations above follows the same pattern: read the current DACL, append an Allow ACE granting FullControl to the per-service SID NT Service\sppsvc with ContainerInherit and ObjectInherit so that it propagates to every subkey (or file) beneath the target, and write it back. The targets are the keys that hold activation state (HKLM:\SYSTEM\WPA, ...\SoftwareProtectionPlatform, ...\SPP and the SPPSVC service key) plus C:\Windows\System32 and System32\spp; the last two give the Software Protection service, which runs as NETWORK SERVICE, write access to the system directory. The cmd.exe wrappers show %windir% unexpanded while the spawned powershell.exe shows C:\Windows, i.e. cmd expanded the variable before launching PowerShell.

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat

C:\Windows\system32\net.exe

net stop sppsvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sppsvc

C:\Windows\system32\net.exe

net start sppsvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start sppsvc

C:\Windows\system32\cscript.exe

cscript.exe C:\Windows\System32\slmgr.vbs /rilc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c %windir%\IME\activator.bat

reset.bat stops and restarts sppsvc and then runs slmgr.vbs /rilc, which re-installs the system licence files, so the service re-reads its state from the keys and directories the script has just opened up. The process listing ends at the launch of activator.bat: no child process of that script is recorded and its contents are not shown, so the final "activation" step, the likely use of the ownership taken over sppsvc.exe, is not visible in this report. The hashes of activator.bat under Files are the only handle on it.
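The takeown, icacls, Set-Acl, net and slmgr.vbs commands listed above, together with the privilege-token and WriteProcessMemory signatures earlier in this run, are what a detection should key on. The following is an added example and not code from the report or the sample: Python detection logic that tags process-creation events whose command lines tamper with the Software Protection Platform locations and correlates the tags back to the root process, run over constructed events modelled on the behavioral1 process list. The PIDs, the two benign control rows and the protected-path list are assumptions for the example.

```python
"""Detect the sppsvc permission-tampering chain in process-creation events.

Added example: the events are constructed from the behavioral1 process list;
PIDs, the benign control rows and the protected-path list are assumptions.
"""
import re
from collections import defaultdict

# (pid, ppid, image, command line).  The Activation.exe tree mirrors the report's
# command lines; PIDs are illustrative and 4001/4002 are constructed benign controls.
EVENTS = [
    (2324, 1000, r"C:\Users\Admin\AppData\Local\Temp\Activation.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Activation.exe"'),
    (1908, 2324, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c title Windows Activation Fix"),
    (2668, 2324, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat"),
    (2808, 2668, r"C:\Windows\system32\takeown.exe",
     r"takeown /F C:\Windows\System32\sppsvc.exe"),
    (2816, 2668, r"C:\Windows\system32\icacls.exe",
     r"icacls C:\Windows\System32 /grant administrators:F /T"),
    (2832, 2668, r"C:\Windows\system32\icacls.exe",
     r"icacls C:\Windows\System32\spp /grant administrators:F /T"),
    (2676, 2324, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object "
     r"System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl',"
     r"'ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); "
     r"Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl"),
    (2712, 2324, r"C:\Windows\system32\net.exe", r"net stop sppsvc"),
    (1224, 2324, r"C:\Windows\system32\cscript.exe",
     r"cscript.exe C:\Windows\System32\slmgr.vbs /rilc"),
    (4001, 4000, r"C:\Windows\system32\icacls.exe",
     r"icacls C:\Users\Admin\Documents\report.docx /grant Admin:R"),
    (4002, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -c Get-Acl 'HKLM:\SYSTEM\WPA' | Format-List"),
]

# Locations the Software Protection service depends on (assumed list, lower-cased).
PROTECTED_PREFIXES = (
    r"c:\windows\system32",
    r"hklm:\system\wpa",
    r"hklm:\system\currentcontrolset\services\sppsvc",
    r"hklm:\software\microsoft\windows nt\currentversion\spp",
    r"hklm:\software\microsoft\windows nt\currentversion\softwareprotectionplatform",
)
TAMPER_TAGS = {"takeown_protected_file", "icacls_grant_protected_path",
               "setacl_fullcontrol_protected_path"}


def normalize(path):
    """Lower-case, strip quotes and expand %windir%, so the unexpanded cmd.exe form
    and the expanded powershell.exe form seen in the report compare equal."""
    path = path.strip("'\"").lower()
    return re.sub(r"%windir%", lambda _m: r"c:\windows", path)


def is_protected(path):
    p = normalize(path)
    return any(p == pre or p.startswith(pre + "\\") for pre in PROTECTED_PREFIXES)


def classify(cmdline):
    """Return the set of tags one command line triggers (empty for benign lines)."""
    tags, low = set(), cmdline.lower()
    m = re.search(r'\btakeown\b.*?/f\s+("[^"]+"|\S+)', cmdline, re.I)
    if m and is_protected(m.group(1)):
        tags.add("takeown_protected_file")
    m = re.search(r'\bicacls(?:\.exe)?\s+("[^"]+"|\S+)(.*)', cmdline, re.I)
    if m and is_protected(m.group(1)) and "/grant" in m.group(2).lower():
        tags.add("icacls_grant_protected_path")
        if re.search(r"(?<!\S)/t(?!\S)", m.group(2), re.I):
            tags.add("icacls_recursive")  # /T applies to every file and subdirectory
    if "set-acl" in low and "fullcontrol" in low:
        m = re.search(r"""-path\s+('[^']+'|"[^"]+"|\S+)""", cmdline, re.I)
        if m and is_protected(m.group(1)):
            tags.add("setacl_fullcontrol_protected_path")
        if "nt service\\sppsvc" in low:
            tags.add("grants_sppsvc_service_sid")
    if re.search(r"\bnet1?(?:\.exe)?\s+(?:stop|start)\s+sppsvc\b", low):
        tags.add("sppsvc_restart")
    if "slmgr.vbs" in low and "/rilc" in low:
        tags.add("slmgr_license_reinstall")
    return tags


def root_of(pid, parents):
    """Walk up the parent chain to the highest ancestor present in the event set."""
    seen = {pid}
    while parents.get(pid) in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return pid


def correlate(events):
    """Union the tags of every descendant under its root: {root_pid: (image, tags)}."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    images = {pid: image for pid, _, image, _ in events}
    by_root = defaultdict(set)
    for pid, _, _, cmdline in events:
        tags = classify(cmdline)
        if tags:
            by_root[root_of(pid, parents)] |= tags
    return {root: (images[root], sorted(tags)) for root, tags in by_root.items()}


def alerts(events, threshold=2):
    """Report a root whose tree tampers with protected ACLs in >= threshold distinct
    ways, or that tampers at all and also cycles the sppsvc service."""
    found = []
    for root, (image, tags) in correlate(events).items():
        hits = TAMPER_TAGS & set(tags)
        if len(hits) >= threshold or (hits and "sppsvc_restart" in tags):
            found.append((root, image, tags))
    return found


if __name__ == "__main__":
    for root, image, tags in alerts(EVENTS):
        print(f"SPP permission tampering from PID {root} ({image}): {', '.join(tags)}")
```

Correlating on the root rather than on the individual command matters here because the sample spreads the chain over many short-lived cmd.exe children; each icacls or takeown line alone also fires in legitimate administration, while the combination under one unsigned parent in %TEMP% does not.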

Network

N/A

Files

C:\Windows\IME\permissions.bat

MD5 4be7ca8b30ea192628228857b5005655
SHA1 588a60df54f8ff2924b2fd569dfc39ce5ae17cfd
SHA256 5e56203e437e3a219fcc9f295c8bcf31961585de816212ce0a6a306a465bc853
SHA512 169b735f5b72ff12910451cf9fbab231b0d9e8b9481f9e01824e5c85075caf17283bb4a54353a9c5958c5ff7eebc6dc932630c1e824be5ebe416bc608306c7b4

memory/2404-6-0x000000001B590000-0x000000001B872000-memory.dmp

memory/2404-7-0x0000000002A70000-0x0000000002A78000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (a Jump List entry written by the shell when powershell.exe is launched; an OS side-effect of the sample's PowerShell calls, not a file the sample drops)

MD5 58b0adc4bfb05ae9dc5d011870994aa7
SHA1 721f2c33b5a97609920f63a1fea6f970b5ee7591
SHA256 4806a41dfd8e71daaa678227d0a86b7d2763e8be8660ae0828e0817fc84ea04b
SHA512 353374926d2ee7e86f8adb0934d17add38827a2327cb70ac5b8137134a4743c2e3bb76741c7ca3f19546501872872975ff8f87a4a3ba12a55f96d435c34483a1

memory/2952-13-0x000000001B570000-0x000000001B852000-memory.dmp

memory/2952-14-0x00000000029F0000-0x00000000029F8000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These are the digests of zero-length input (MD5 d41d8cd9..., SHA256 e3b0c442...), so this entry records that a handle to the Server service named pipe was opened during the run, not that any content was written; it is not a dropped artifact and should not be used as an indicator.

C:\Windows\IME\reset.bat

MD5 939378e1c9e25f424c618a379e61fc48
SHA1 45822124d56b6e6efcfbaab246feff695b7098d4
SHA256 fd805584b817ad0b320c85653a5bd7342650359feae60e5a3e722d5571542146
SHA512 3833f14692f5cdfea285654f91ac814a89bf189a4db99b0fc1e817905d9929f6f4b184db5a51269f9b82170a14af2c5e0510150201cea03177cab04fb26494fb

C:\Windows\IME\activator.bat

MD5 365b88395524dec0af52387ed73317ce
SHA1 66a6e96fb198e8749c9086e35b2b2f85aa21c63c
SHA256 99ada36422b17257eba9d9cc5d123907589f638aa9564bc8fb000261cc9c1c10
SHA512 46efce6af2a90ace25842fd0d85212463c3b6ba2a6f8e089ee29381d960a745a278b86b49bf3330d686b140e3fc66c9cc8ac70df7f05d8e0ecac694dc542cff5