Windows10Activator.cmd
This report is generated from a file or URL submitted to this webservice on June 8th 2022 17:29:46 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v9.2.1 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
- Spawns a lot of processes
- Evasive
- References security related windows services
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 2
-
System Security
-
References security related windows services
- details
-
"p-service clipsvc %nul%
if exist "%ProgramData%\Microsoft\Windows\ClipSVC\*.dat" del /f /q "%ProgramData%\Microsoft\Windows\ClipSVC\*.dat" %nul%
if exist "%ProgramData%\Microsoft\Windows\ClipSVC\*.dat" set tokerr_=1
Powershell Restart-Service clipsvc %nul%
:: starting clipsvc service will rebuild the tokens if not exist, although in older windows 10 versions, tokens will rebuild when ticket is applied.
if defined tokerr_ (
call :Color 4F "%ReTok% [Unsuccessful]" &echo:
) else (
echo %ReTok% [Successful]
)
echo.
set _1=ClipSVC
set _2=wlidsvc
set _3=sppsvc
set _4=wuauserv
for %%# in (%_1% %_2% %_3% %_4%) do call :ServiceCheck %%#
set "CLecho=Checking %_1% [Service Status -%Cl_state%] [Startup Type -%Cl_start_type%]"
set "wlecho=Checking %_2% [Service Status -%wl_state%] [Startup Type -%wl_start_type%]"
set "specho=Checking %_3% [Service Status -%sp_state%] [Startup Type -%sp_start_type%]"
set "wuecho=Checking %_4%" (Indicator: "wuauserv"), "for %%# in (Cl_u,wl_u,sp_u,wu_u) do if defined %%# set s_u=1
if defined s_u (call :Color 4F "Error in starting services [ %Cl_u%%wl_u%%sp_u%%wu_u%]" &echo:)
if defined wust_u (
echo.
call :Color 5F "Most likely a Windows Update blocker program has securely disabled the wuauserv, identify and unblock it" &echo:
)
echo.
cscript /nologo %windir%\system32\slmgr.vbs -ipk %key%
start /wait Files\%gatherosstate%
if not exist "%~dp0Files\GenuineTicket.xml" call Files\%gatherosstate%
if not exist "%~dp0Files\GenuineTicket.xml" Files\%gatherosstate%
if exist "%G15%.exe" del /f /q "%G15%.exe"
set "GenTicket=Generating GenuineTicket.xml "
if not exist "%~dp0Files\GenuineTicket.xml" (
call :Color 4F "%GenTicket% [Unsuccessful]" &echo:
) else (
echo %GenTicket% [Successful]
)
echo Installing GenuineTicket.xml
clipup -v -o -altto Files\
echo.
set "Act=Activation "
cscript /nologo %windir%\system32\slmgr.vbs -ato %nul%
call :CheckPerm" (Indicator: "wuauserv")
- source
- File/Memory
- relevance
- 7/10
- ATT&CK ID
- T1574.010
-
Unusual Characteristics
-
Spawns a lot of processes
- details
-
Spawned process "cmd.exe" with commandline "/c ""%WINDIR%\0Activator.cmd" ""
Spawned process "cmd.exe" with commandline "/c ver"
Spawned process "cmd.exe" with commandline "/c "prompt #$H#$E# & echo on & for %b in (1) do rem""
Spawned process "cmd.exe" with commandline "cmd /v:on /c echo(^!param^!"
Spawned process "findstr.exe" with commandline "findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^""
Spawned process "reg.exe" with commandline "reg query HKEY_USERS\S-1-5-20"
Spawned process "mode.com" with commandline "mode con cols=98 lines=30"
Spawned process "choice.exe" with commandline "choice /C:ABCDEFG /N /M ". Enter Your Choice in the Keyboard [A,B,C,D,E,F,G] : ""
- source
- Monitored Target
- relevance
- 8/10
-
Suspicious Indicators 5
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 1/57 Antivirus vendors marked sample as malicious (1% detection rate)
- source
- External System
-
Installation/Persistence
-
Writes data to a remote process
- details
-
"cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\findstr.exe" (Handle: 132)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 132)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 132)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\reg.exe" (Handle: 140)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\reg.exe" (Handle: 140)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\reg.exe" (Handle: 140)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\mode.com" (Handle: 132)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\mode.com" (Handle: 132)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\mode.com" (Handle: 132)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\choice.exe" (Handle: 136)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\choice.exe" (Handle: 136)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\choice.exe" (Handle: 136)
- source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055
-
Remote Access Related
-
Contains indicators of bot communication commands
- details
-
"XKMStxt
@echo off
:: For unattended mode, run the script with /u parameter.
::========================================================================================================================================
:: Change to 1 to enable debug mode
set _Debug=0
:: Change to 0 to turn OFF Windows or Office activation via the script
:: - This is not effective if Windows and/or Office installation is already Volume (GVLK installed)
:: - In [Online KMS + Digital License] $OEM$ preactivation, Windows KMS activation is turned off by default.
set ActWindows=1
set ActOffice=1
:: Change to 0 to revert Windows 10 KMS38 to normal KMS
set SkipKMS38=1
:: Server List - You can edit the Online KMS Servers in below line.
set "servers=kms.srv.crsoo.com kms.digiboy.ir kms8.MSGuides.com kms.loli.beer kms.lolico.moe kms.moeclub.org kms.garybear.tk kms.chinancce.com"
:: Change to 1 to clear KMS cache after the activation.
:: - Registered KMS server address (cache) enables the system to automatica" (Indicator: "servers=")
"x_servers=!n!-1
set server_num=1
set /a online_server_count=0
echo.
:server
if %online_server_count%==2 (
%EchoRed% Error: Activation was not successful.
echo Restart the system and try again.
echo Read the troubleshoot guide in ReadMe.txt
echo.
echo ------------------------------------------------------------------
echo.
exit /b 1
)
set /a activation_ok=1
if %server_num% gtr !max_servers! (
echo ------------------------------------------------------------------
echo.
%EchoRed% Error: Internet is not connected.
echo.
echo ------------------------------------------------------------------
echo.
exit /b 1
)
set KMS_IP=!server[%server_num%]!
if %WinBuild% GEQ 9600 powershell -nologo -command test-netconnection %KMS_IP% -port 1688 -InformationLevel Quiet | findstr /i true %_Nul3%
if %WinBuild% LSS 9600 powershell New-Object System.Net.Sockets.TCPClient -ArgumentList %KMS_IP%, 1688 | findstr /irC:"connected.*true" %_Nul3%
if %errorlevel% NEQ 0 (
set /a server_num+=1
goto :server
)" (Indicator: "servers=")
- source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1095
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"cmd.exe" wrote bytes "c04e0a7720540b77e0650b77b5380c770000000000d0df7500000000c5eadf750000000088eadf7500000000e968217582280c77ee290c7700000000d2692175000000007dbbdf750000000009be217500000000ba18df7500000000" to virtual address "0x771C1000" (part of module "NSI.DLL")
"findstr.exe" wrote bytes "c04e0a7720540b77e0650b77b5380c770000000000d0df7500000000c5eadf750000000088eadf7500000000e968217582280c77ee290c7700000000d2692175000000007dbbdf750000000009be217500000000ba18df7500000000" to virtual address "0x771C1000" (part of module "NSI.DLL")
"reg.exe" wrote bytes "c04e0a7720540b77e0650b77b5380c770000000000d0df7500000000c5eadf750000000088eadf7500000000e968217582280c77ee290c7700000000d2692175000000007dbbdf750000000009be217500000000ba18df7500000000" to virtual address "0x771C1000" (part of module "NSI.DLL")
"mode.com" wrote bytes "c04e0a7720540b77e0650b77b5380c770000000000d0df7500000000c5eadf750000000088eadf7500000000e968217582280c77ee290c7700000000d2692175000000007dbbdf750000000009be217500000000ba18df7500000000" to virtual address "0x771C1000" (part of module "NSI.DLL")
"choice.exe" wrote bytes "c04e0a7720540b77e0650b77b5380c770000000000d0df7500000000c5eadf750000000088eadf7500000000e968217582280c77ee290c7700000000d2692175000000007dbbdf750000000009be217500000000ba18df7500000000" to virtual address "0x771C1000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1056.004
-
Reads information about supported languages
- details
-
"cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
"cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
"findstr.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"findstr.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
"findstr.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
"reg.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
"reg.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
"mode.com" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Informative 10
-
General
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "MODE.COM.62A0DD1C.bin" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Found API related strings
- details
-
"=======================
: Self-elevate passing args and preventing loop
: Written by @AveYo aka @BAU
: ================================================
setlocal
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul && goto GotPrivileges_1
If "%ElevError%"=="Y" goto Elev_Err_1
set "args="%~f0" %*" & call set "args=%%args:"=\"%%"
echo Initializing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err_1
%ErrLine%
echo Right click on this file and select 'Run as administrator'
goto MASend
:GotPrivileges_1
endlocal
:======================================================================================================================================================
:MainMenu
cls
title Microsoft Activation Scripts 1.0
mode con cols=98 lines=30
if exist "%SystemRoot%\Temp\MAS" @RD /S /Q "%SystemRoot%\Temp\MAS" >nul 2>&1
echo.
echo.
echo _______________________________________________________________
echo" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
"d"
call :ExtractTxt KMS38KMSsetup "%Dir%\SetupComplete.cmd"
call :ExtractTxt KMS38KMShashes "%Dir%\checksums.sha1"
goto $OEM$FolderCreated
:TXKMS38KMShashes
55e8ca516df8ee586fee43159be6f3ef21b529d2 *Activation Renewal\Auto Renewal - Task Scheduler\Create_Renewal_And_Activation_Task.cmd
a0b2e40c14bac681a27b26a1ca8ab59584098b76 *Activation Renewal\Manual Renewal - Desktop Context Menu\Add_Desktop_Context_Menu.cmd
60fc8d34185affdbe6a7b8b74ce34aa85aa5b8cb *Files.cmd
6a00b43e8b88f9a51d7ce0e49e39bcc75c813a4d *KMS38_Activation.cmd
2593d5f25b35a6a90837402c04adf7c185a97be7 *Online_KMS_Activation.cmd
5858f1b7dc58ae72f1c330bebab1dedf4c667c8c *SetupComplete.cmd
:TXKMS38KMShashes
::=============================================================================================================
:TXHWIDsetup
@Echo off
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul || (
echo.
echo ==== Error ====
echo Right click on this file and select 'Run as administrator'
echo Press any key to exit...
pause >nul
exit" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
"/b
)
cd /d "%~dp0"
call Files.cmd >nul 2>&1
call Digital_License_Activation.cmd /u
if exist "%~dp0Files" @RD /S /Q "%~dp0Files"
cd /d "%SystemRoot%\Setup\"
if exist "%SystemRoot%\Setup\Scripts" @RD /S /Q "%SystemRoot%\Setup\Scripts"
exit /b
:TXHWIDsetup
:TXKMS38setup
@Echo off
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul || (
echo.
echo ==== Error ====
echo Right click on this file and select 'Run as administrator'
echo Press any key to exit...
pause >nul
exit /b
)
cd /d "%~dp0"
call Files.cmd >nul 2>&1
call KMS38_Activation.cmd /u
if exist "%~dp0Files" @RD /S /Q "%~dp0Files"
cd /d "%SystemRoot%\Setup\"
if exist "%SystemRoot%\Setup\Scripts" @RD /S /Q "%SystemRoot%\Setup\Scripts"
exit /b
:TXKMS38setup
:TXKMSsetup
@Echo off
:: Change value to 1 from 0 to enable KMS activation desktop context menu
set kms_context_menu=1
============================================================================
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul || (
echo.
echo ==== Erro" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
"r ====
echo Right click on this file and select 'Run as administrator'
echo Press any key to exit...
pause >nul
exit /b
)
cd /d "%~dp0"
if exist "%~dp0Activation Renewal\Auto Renewal - Task Scheduler\Create_Renewal_And_Activation_Task.cmd" (
call "%~dp0Activation Renewal\Auto Renewal - Task Scheduler\Create_Renewal_And_Activation_Task.cmd" /u
)
cd /d "%~dp0"
if %kms_context_menu% EQU 1 (
if exist "%~dp0Activation Renewal\Manual Renewal - Desktop Context Menu\Add_Desktop_Context_Menu.cmd" (
call "%~dp0Activation Renewal\Manual Renewal - Desktop Context Menu\Add_Desktop_Context_Menu.cmd" /u
)
)
cd /d "%SystemRoot%\Setup\"
if exist "%SystemRoot%\Setup\Scripts" @RD /S /Q "%SystemRoot%\Setup\Scripts"
exit /b
:TXKMSsetup
:TXHWIDKMSsetup
@Echo off
:: Change value to 1 from 0 to enable KMS activation desktop context menu
set kms_context_menu=0
============================================================================
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul || (
echo.
echo" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
"==== Error ====
echo Right click on this file and select 'Run as administrator'
echo Press any key to exit...
pause >nul
exit /b
)
cd /d "%~dp0"
call Files.cmd >nul 2>&1
call Digital_License_Activation.cmd /u
cd /d "%~dp0"
(
echo @set "SkipWin=1"
)>"%~dp01.."
copy /y /b "%~dp01.." + "%~dp0-Online_KMS_Activation.cmd" "%~dp0Online_KMS_Activation.cmd" >nul 2>&1
cd /d "%~dp0"
if exist "%~dp0Activation Renewal\Auto Renewal - Task Scheduler\Create_Renewal_And_Activation_Task.cmd" (
call "%~dp0Activation Renewal\Auto Renewal - Task Scheduler\Create_Renewal_And_Activation_Task.cmd" /u
)
cd /d "%~dp0"
if %kms_context_menu% EQU 1 (
if exist "%~dp0Activation Renewal\Manual Renewal - Desktop Context Menu\Add_Desktop_Context_Menu.cmd" (
call "%~dp0Activation Renewal\Manual Renewal - Desktop Context Menu\Add_Desktop_Context_Menu.cmd" /u
)
)
if exist "%~dp0Files" @RD /S /Q "%~dp0Files"
if exist "%~dp01.." del /f /q "%~dp01.."
if exist "%~dp0Online_KMS_Activation.cmd" del /f /q "%~dp0Online" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, "_KMS_Activation.cmd"
cd /d "%SystemRoot%\Setup\"
if exist "%SystemRoot%\Setup\Scripts" @RD /S /Q "%SystemRoot%\Setup\Scripts"
exit /b
:TXHWIDKMSsetup
:TXKMS38KMSsetup
@Echo off
:: Change value to 1 from 0 to enable KMS activation desktop context menu
set kms_context_menu=1
============================================================================
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul || (
echo.
echo ==== Error ====
echo Right click on this file and select 'Run as administrator'
echo Press any key to exit...
pause >nul
exit /b
)
cd /d "%~dp0"
call Files.cmd >nul 2>&1
call KMS38_Activation.cmd /u
cd /d "%~dp0"
if exist "%~dp0Activation Renewal\Auto Renewal - Task Scheduler\Create_Renewal_And_Activation_Task.cmd" (
call "%~dp0Activation Renewal\Auto Renewal - Task Scheduler\Create_Renewal_And_Activation_Task.cmd" /u
)
cd /d "%~dp0"
if %kms_context_menu% EQU 1 (
if exist "%~dp0Activation Renewal\Manual Renewal - Desktop Context Menu\Add_Desktop_Context_Menu.cmd"" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
"as" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::========================================================================================================================================
mode con: cols=110 lines=35
cd /d "%~dp0"
pushd "%~dp0"
if not exist "%~dp0Files\" (
%ELine%
echo 'Files' Folder does not exist in current directory.
echo It's supposed to have files required for the Activation.
goto Done
)
::========================================================================================================================================
copy /y nul "%~dp0Files\#.rw" %nul% && (
if exist "%~dp0Files\#.rw" del /f /q "%~dp0Files\#.rw"
) || (
%ELine%
echo 'Files' Folder in current directory is write protected.
echo Copy the Activator's package to a writable directory.
goto Done
)
::==================================================================================================================" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, "sstateLTSB15.txt
if defined _miss goto Done
type "%G15%.txt">"%G15%.cmd"
call "%G15%.cmd" %nul%
if exist "%G15%.cmd" del /f /q "%G15%.cmd"
if not exist "%G15%.exe" (
%ELine%
echo gatherosstateLTSB15.txt to .exe conversion is failed. Aborting...
goto Done
)
set gatherosstate=gatherosstateLTSB15.exe
) else (
set gatherosstate=gatherosstate.exe
)
call :check %gatherosstate% slc.dll
if defined _miss goto Done
::========================================================================================================================================
cd /d "%~dp0"
if exist "%~dp0Files\*.xml" del /f /q "%~dp0Files\*.xml"
Powershell Restart-Service sppsvc %nul%
cls
echo Checking OS Info [%osedition% ^| %winbuild% ^| %arch%]
set "Chkint=Checking Internet Connection "
ping www.microsoft.com %nul% && (
echo %Chkint% [Connected]
) || (
call :Color 4F "%Chkint% [Not connected]" &echo:
)
set "ReTok=Rebuilding ClipSVC tokens "
Powershell sto" (Indicator: "connect") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, ""args=%%args:"=\"%%"
echo Initializing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::========================================================================================================================================
mode con: cols=110 lines=32
cd /d "%~dp0"
pushd "%~dp0"
if not exist "%~dp0Files\" (
%ELine%
echo 'Files' Folder does not exist in current directory.
echo It's supposed to have files required for the Activation.
goto Done
)
::========================================================================================================================================
copy /y nul "%~dp0Files\#.rw" %nul% && (
if exist "%~dp0Files\#.rw" del /f /q "%~dp0Files\#.rw"
) || (
%ELine%
echo 'Files' Folder in current directory is write protected.
echo Copy the Activator's package to a writable directory.
goto D" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
"Y" goto Elev_Err
set "args="%~f0" %*" & call set "args=%%args:"=\"%%"
echo Initializing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::========================================================================================================================================
If defined Task call :_Start_>>"%windir%\Online_KMS_Activation_Script\Logs.txt" & exit
:_Start_
If defined Task call :Activation_Start & echo Exiting... & echo. & exit /b
::========================================================================================================================================
: ======================================================
: Set buffer height independently of window height
: https://stackoverflow.com/a/13351373
: Written by @dbenham (stackoverflow)
: ======================================================
mo" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, "ion_Task]
if defined DateTime (
echo ========================================================================================================
echo ----------------------------
Echo %T_Name%
echo ----------------------------
echo ----------------------------------------------
echo Date : %date% Time : %time%
echo ----------------------------------------------
)
set /a loop=1
set /a max_loop=1
if defined Renewal_Task set /a max_loop=3
if defined Run_Once set /a max_loop=5
:repeat
powershell -nologo "If([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}')).IsConnectedToInternet){Exit 0}Else{Exit 1}"
if %errorlevel%==0 (goto IntConnected)
(
if %loop%== %max_loop% (
%ELine%
echo Internet is not connected.
echo. &exit /b 1
)
echo Checking: Internet is not connected.
echo Waiting 30 s
timeout /t 30 >nul
set /a loop=%loop%+1
goto repeat
)
:IntConnected
set n=1&for %%a in (%servers%) do (set server[!n!]=%%a&set /A n+=1)&set /a ma" (Indicator: "connect") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, "x_servers=!n!-1
set server_num=1
set /a online_server_count=0
echo.
:server
if %online_server_count%==2 (
%EchoRed% Error: Activation was not successful.
echo Restart the system and try again.
echo Read the troubleshoot guide in ReadMe.txt
echo.
echo ------------------------------------------------------------------
echo.
exit /b 1
)
set /a activation_ok=1
if %server_num% gtr !max_servers! (
echo ------------------------------------------------------------------
echo.
%EchoRed% Error: Internet is not connected.
echo.
echo ------------------------------------------------------------------
echo.
exit /b 1
)
set KMS_IP=!server[%server_num%]!
if %WinBuild% GEQ 9600 powershell -nologo -command test-netconnection %KMS_IP% -port 1688 -InformationLevel Quiet | findstr /i true %_Nul3%
if %WinBuild% LSS 9600 powershell New-Object System.Net.Sockets.TCPClient -ArgumentList %KMS_IP%, 1688 | findstr /irC:"connected.*true" %_Nul3%
if %errorlevel% NEQ 0 (
set /a server_num+=1
goto :server
)" (Indicator: "connect") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, "rgs=%%args:"=\"%%"
echo Initializing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::========================================================================================================================================
mode con: cols=98 lines=30
cd /d "%~dp0"
pushd "%~dp0"
cd ..
cd ..
if not exist "Online_KMS_Activation.cmd" (
%ELine%
echo File [Online KMS\Online_KMS_Activation.cmd] does not exist.
echo It's required for the Task Creation.
goto Done
)
::========================================================================================================================================
:continue
Reg delete "HKCR\DesktopBackground\shell\Activate Windows - Office" /f %nul%
if exist "%ProgramData%\Online_KMS_Activation.cmd" del /f /q "%ProgramData%\Online_KMS_Activation.cmd" %nul%
reg query "HKCR\DesktopBa" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, ".
echo Project is supported only for Windows 7/8/8.1/10 and their Server equivalent.
goto Done
)
::========================================================================================================================================
: ================================================
: Self-elevate passing args and preventing loop
: Written by @AveYo aka @BAU
: ================================================
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul && goto GotPrivileges
If "%ElevError%"=="Y" goto Elev_Err
set "args="%~f0" %*" & call set "args=%%args:"=\"%%"
echo Initializing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::========================================================================================================================================
mode con cols=98 lines=30
if %Unattended% EQU 1 goto" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, "===============================
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul && goto GotPrivileges
If "%ElevError%"=="Y" goto Elev_Err
set "args="%~f0" %*" & call set "args=%%args:"=\"%%"
echo Initializing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::========================================================================================================================================
mode con cols=98 lines=30
if %Unattended% EQU 1 goto continue
echo. &call :Color 4F "===== Important Info =====" &echo:&echo.
echo Some Anti-virus programs may interfere the process of Activation renewal
echo via Task Scheduler. (Though it's clean from Windows Defender.)
echo.
echo It's not because of KMS activation but because they find running long script
echo in background task, suspicious.
echo.
call :Color 0A "Please make sure" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, "inbuild% LSS 7600 (
%ELine%
echo Unsupported OS version Detected.
echo Project is supported only for Windows 7/8/8.1/10 and their Server equivalent.
goto Done
)
::========================================================================================================================================
: ================================================
: Self-elevate passing args and preventing loop
: Written by @AveYo aka @BAU
: ================================================
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul && goto GotPrivileges
If "%ElevError%"=="Y" goto Elev_Err
set "args="%~f0" %*" & call set "args=%%args:"=\"%%"
echo Initializing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::==================================================================================================================================" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, "============================================
: Self-elevate passing args and preventing loop
: Written by @AveYo aka @BAU
: ================================================
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul && goto GotPrivileges
If "%ElevError%"=="Y" goto Elev_Err
set "args="%~f0" %*" & call set "args=%%args:"=\"%%"
echo Initializing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::========================================================================================================================================
mode con: cols=98 lines=30
FOR /F "TOKENS=2 DELIMS==" %%A IN ('"WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"') DO IF NOT ERRORLEVEL 1 SET "osedition=%%A"
if not defined osedition (FOR /F "TOKENS=3 DELIMS=: " %%A IN ('DISM /En" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin, "zing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::========================================================================================================================================
: ======================================================
: Set buffer height independently of window height
: https://stackoverflow.com/a/13351373
: Written by @dbenham (stackoverflow)
: ======================================================
mode con: cols=98 lines=30
powershell -command "&{$H=get-host;$W=$H.ui.rawui;$B=$W.buffersize;$B.width=98;$B.height=36;$W.buffersize=$B;}"
::========================================================================================================================================
FOR /F "TOKENS=2 DELIMS==" %%A IN ('"WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%%' AND PartialProductK" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
"ng args and preventing loop
: Written by @AveYo aka @BAU
: ================================================
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul && goto GotPrivileges
If "%ElevError%"=="Y" goto Elev_Err
set "args="%~f0" %*" & call set "args=%%args:"=\"%%"
echo Initializing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::========================================================================================================================================
mode con: cols=98 lines=30
wmic path SoftwareLicensingProduct where (Description like '%%KMSCLIENT%%' and PartialProductKey is not NULL) get Name 2>nul | findstr /i Windows 1>nul && (set gvlk=1) || (set gvlk=0)
if %gvlk% EQU 0 (
%ELine%
echo System is not activated with KMS38. ^(KMS Key is not installed^) Aborting...
goto Done
)
for /f "tokens=2 delims==" %%A in" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
"==============================================================
if %winbuild% LSS 10586 (
%ELine%
echo Unsupported OS version Detected.
echo Project is supported only for Windows 10 1511 [10586] and later builds.
goto Done
)
::========================================================================================================================================
: ================================================
: Self-elevate passing args and preventing loop
: Written by @AveYo aka @BAU
: ================================================
reg query HKEY_USERS\S-1-5-20 1>nul 2>nul && goto GotPrivileges
If "%ElevError%"=="Y" goto Elev_Err
set "args="%~f0" %*" & call set "args=%%args:"=\"%%"
echo Initializing...
powershell -c "start cmd -ArgumentList '/c set ElevError=Y& call %args%' -verb runas" && exit /b
:Elev_Err
%ELine%
echo Right click on this file and select 'Run as administrator'
goto Done
:GotPrivileges
::================================================================" (Indicator: "select") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
- source
- File/Memory
- relevance
- 1/10
-
Process launched with changed environment
- details
-
Process "cmd.exe" was launched with new environment variables: "ErrLine="echo. &call :Color 0C "==== ERROR ====" &echo:&echo.", winbuild="7601""
Process "cmd.exe" was launched with new environment variables: "DEL=" ", param="%WINDIR%\0Activator.cmd""
Process "reg.exe" was launched with missing environment variables: "param"
- source
- Monitored Target
- relevance
- 10/10
-
Runs shell commands
- details
-
"/c ver" on 2022-6-8.17:32:04.984
"/c "prompt #$H#$E# & echo on & for %b in (1) do rem"" on 2022-6-8.17:32:07.531
"cmd /v:on /c echo(^!param^!" on 2022-6-8.17:32:09.750
- source
- Monitored Target
- relevance
- 5/10
- ATT&CK ID
- T1059.003
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "/c ver"
Spawned process "cmd.exe" with commandline "/c "prompt #$H#$E# & echo on & for %b in (1) do rem""
Spawned process "cmd.exe" with commandline "cmd /v:on /c echo(^!param^!"
Spawned process "findstr.exe" with commandline "findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^""
Spawned process "reg.exe" with commandline "reg query HKEY_USERS\S-1-5-20"
Spawned process "mode.com" with commandline "mode con cols=98 lines=30"
Spawned process "choice.exe" with commandline "choice /C:ABCDEFG /N /M ". Enter Your Choice ..."
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "cmd.exe" with commandline "/c ver"
Spawned process "cmd.exe" with commandline "/c "prompt #$H#$E# & echo on & for %b in (1) do rem""
Spawned process "cmd.exe" with commandline "cmd /v:on /c echo(^!param^!"
Spawned process "findstr.exe" with commandline "findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^""
Spawned process "reg.exe" with commandline "reg query HKEY_USERS\S-1-5-20"
Spawned process "mode.com" with commandline "mode con cols=98 lines=30"
Spawned process "choice.exe" with commandline "choice /C:ABCDEFG /N /M ". Enter Your Choice ..."
- source
- Monitored Target
- relevance
- 3/10
-
Drops files marked as clean
-
Installation/Persistence
-
Touches files in the Windows directory
- details
- "cmd.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://www.nsaneforums.com/topic/316668--/"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://forums.mydigitallife.net/posts/1150042"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://superuser.com/a/1413170"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Heuristic match: "\Add_Desktop_Context_Menu.cmd
ffd1160c024b2cab82ba9fcb13636ffccbe76b0d *Digital_License_Activation.cmd
9454496980b7dbd030978919ef16453263100319 *Files.cmd
2593d5f25b35a6a90837402c04adf7c185a97be7 *-Online_KMS_Activation.cmd
a8336ca3c094d6690b45716f2146"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://forums.mydigitallife.net/threads/74197/"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://forums.mydigitallife.net/posts/1221231/"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "www.nsaneforums.com/topic/312871--/"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://stackoverflow.com/a/33626625"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://github.com/AveYo/Compressed2TXT"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "www.microsoft.com"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://stackoverflow.com/a/5344911"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://www.nsaneforums.com/topic/312871--/"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "http://forum.ru-board.com/topic.cgi?forum=2&topic=5734#1"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://stackoverflow.com/"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://forums.mydigitallife.net/posts/838808"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://stackoverflow.com/a/13351373"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "https://forums.mydigitallife.net/posts/1511883"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "http://schemas.microsoft.com/windows/2004/02/mit/task"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Heuristic match: "t _O365asO2019=0
set _Debug=0
set SysPath=%Windir%\System32
if exist %Windir%\Sysnative\reg.exe (set SysPath=%Windir%\Sysnative)
set Path=%SysPath%;%Windir%;%SysPath%\Wbem;%SysPath%\WindowsPowerShell\v1.0\
fsutil dirty query %systemdrive% "- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
Pattern match: "pastebin.com/XTPt0JSC"- [Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin]
- source
- File/Memory
- relevance
- 10/10
-
Possibly tries to communicate over SSL connection (HTTPS)
- details
-
"@echo off
: =================================================================
: This script is a part of 'Microsoft Activation Scripts'
: Maintained by @WindowsAddict
: Homepage - https://www.nsaneforums.com/topic/316668--/
: =================================================================
::========================================================================================================================================
cls
title Microsoft Activation Scripts 1.0
for /f "tokens=6 delims=[]. " %%G in ('ver') do set winbuild=%%G
set "ErrLine=echo. &call :Color 0C "==== ERROR ====" &echo:&echo."
setlocal EnableDelayedExpansion
call :Color_Pre
::========================================================================================================================================
: ===========================================================
: Check if the file path name contains special characters
: https://stackoverflow.com/a/33626625
: Written by @jeb (stac" (Indicator: "https://") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
"These Retail2Volume Scripts are written by @abbodi1406,
echo https://forums.mydigitallife.net/posts/1150042
echo I added it here for convenience to use as an AIO script.
echo -----------------------------------------------------------
echo.
echo _____________________________________________________
echo ^| ^|
echo ^| ^|
echo ^| _______ Convert C2R-Retail Office To VL _______ ^|
echo ^| ^|
echo ^| [A] O2013, ^|
echo ^| ^|
echo ^| [B] O2016, O2019, O365 ^|
echo" (Indicator: "https://") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
"______________________^|
echo.
choice /C:ABCDEF /N /M ". Enter Your Choice [A,B,C,D,E,F] : "
if errorlevel 6 goto:MainMenu
if errorlevel 5 goto:$OEM$KMS38_KMS
if errorlevel 4 goto:$OEM$DIGI_KMS
if errorlevel 3 goto:$OEM$KMS
if errorlevel 2 goto:$OEM$KMS38
if errorlevel 1 goto:$OEM$DIGI
:======================================================================================================================================================
:$OEM$Related
cls
set "CheckExit=if defined $OEM$Exist Goto MainMenu"
: ==============================================
: Get correct Desktop Location with powershell
: Written by @dcshoecomp (superuser.com)
: https://superuser.com/a/1413170
: ==============================================
for /f "delims=" %%a in ('powershell.exe -command "& {write-host $([Environment]::GetFolderPath('Desktop'))}"') do Set "desktop=%%a"
cd /d "%desktop%"
set "Dir=%desktop%\$OEM$\$$\Setup\Scripts"
if exist $OEM$ goto Exist
if not exist $" (Indicator: "https://") in Source: 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc.cmd.bin
- source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1573
-
Spyware/Information Retrieval
-
Uses REG.EXE to query registry keys
- details
- Process "reg.exe" with commandline "reg query HKEY_USERS\S-1-5-20"
- source
- Monitored Target
- relevance
- 3/10
- ATT&CK ID
- T1012
File Details
Windows10Activator.cmd
- Filename
- Windows10Activator.cmd
- Size
- 3.1MiB (3200214 bytes)
- Type
- script cmd
- Description
- DOS batch file, ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 4c8b5d4bced48b0aa19759681193e10ccce2ce1ed3035524cebc18f9eb3e1fdc
- MD5
- eb81af4795cd07b86a5074c221f27eda
- SHA1
- a8b25c130b47ca05440785d125f9b1b8e457c84c
- ssdeep
- 49152:RrjaOHtyzzaqjgpFEDlgucRN5NikVg8sqWhvxnAHItDatbEANPpxuW:9CnjcFE2ucPPWhv6oEZ
Hybrid Analysis
Analysed 8 processes in total (System Resource Monitor).
-
cmd.exe
/c ""%WINDIR%\0Activator.cmd" "
(PID: 2380)
- cmd.exe /c ver (PID: 3592)
- cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem" (PID: 2396)
- cmd.exe cmd /v:on /c echo(^!param^! (PID: 3372)
- findstr.exe findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^" (PID: 2928)
- reg.exe reg query HKEY_USERS\S-1-5-20 (PID: 2356)
- mode.com mode con cols=98 lines=30 (PID: 3772)
- choice.exe choice /C:ABCDEFG /N /M ". Enter Your Choice in the Keyboard [A,B,C,D,E,F,G] : " (PID: 2952)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Clean 1
-
-
MODE.COM.62A0DD1C.bin
- Size
- 25KiB (25088 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- cmd.exe (PID: 2380)
- MD5
- f015208f1f8473ba2e4bc229e0d38efd
- SHA1
- 1b959d6c227e41ab4eb2b381ea69358a2e04febb
- SHA256
- efc11f8fcdd0a8649ebee758b105db10536e895ea6d586a07b61f68b1e5dbd20
-
Notifications
-
Runtime
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "registry-25" are available in the report
- Not all sources for indicator ID "string-101" are available in the report
- Not all sources for indicator ID "string-43" are available in the report
- Not all sources for indicator ID "string-98" are available in the report