Report - git.activated.win/massgrave/Microsoft-Activation-Scripts/archive/master.zip

Report Overview

Visitedpublic

2025-05-13 17:30:07

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP	Fingerprints
git.activated.win	unknown	2024-05-15	2024-10-08	2025-05-07	543 B	470 kB	104.21.24.156

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

File detected

URL

git.activated.win/massgrave/Microsoft-Activation-Scripts/archive/master.zip

IP / ASN

104.21.24.156

#13335 CLOUDFLARENET

File Overview

File TypeZip archive data, at least v1.0 to extract, compression method=store

Size468 kB (467868 bytes)

MD53e4de4f97b03da9f1c570faea8dd1c64

SHA10dea37d364035ed3fa1851b490c0df49fba4f2b1

SHA2568deaac80ca9f194f1005360693d3f4d0ec8abff8a58d0a8b51958013a52e7a2f

Archive (15)

Modified	Filename	Size	MD5	File type
2025-05-06 17:40	LICENSE	35 kB	1ebbd3e34237af26da5dc08a4e440464	ASCII text
2025-05-06 17:40	MAS_AIO.cmd	734 kB	98f65f29751a5dfc3c9c35c42eb708d7	ASCII text, with very long lines (348), with CRLF line terminators
2025-05-06 17:40	HWID_Activation.cmd	78 kB	7f70b19ccdd960165369eeccbbf28070	DOS batch file, ASCII text, with very long lines (376), with CRLF line terminators
2025-05-06 17:40	KMS38_Activation.cmd	80 kB	ed99e305be91ee80c843e76531911c2d	DOS batch file, ASCII text, with very long lines (500), with CRLF line terminators
2025-05-06 17:40	Ohook_Activation_AIO.cmd	160 kB	6e407b8d41b4f26441b7e40cb41cefd3	DOS batch file, ASCII text, with very long lines (452), with CRLF line terminators
2025-05-06 17:40	Online_KMS_Activation.cmd	169 kB	972bdf97a5a1725147e42b778161775b	DOS batch file, ASCII text, with very long lines (452), with CRLF line terminators
2025-05-06 17:40	TSforge_Activation.cmd	321 kB	8840ba9d598b1d41db92835fe58c27d7	DOS batch file, ASCII text, with very long lines (348), with CRLF line terminators
2025-05-06 17:40	_ReadMe.txt	839 B	e699451ed0dfe4ebdd499666dc411c3c	ASCII text, with CRLF line terminators
2025-05-06 17:40	Change_Office_Edition.cmd	50 kB	8d756de50198942bebc327ffaeede659	DOS batch file, ASCII text, with very long lines (453), with CRLF line terminators
2025-05-06 17:40	Change_Windows_Edition.cmd	48 kB	8e748466ecd4050672f5475d01e579b9	DOS batch file, ASCII text, with very long lines (348), with CRLF line terminators
2025-05-06 17:40	Check_Activation_Status.cmd	48 kB	8d85133114beeaf31f14e95f53e77f92	DOS batch file, ASCII text, with very long lines (379), with CRLF line terminators
2025-05-06 17:40	Extract_OEM_Folder.cmd	25 kB	f99c87ced41939998a46262630918eb4	DOS batch file, ASCII text, with very long lines (348), with CRLF line terminators
2025-05-06 17:40	Troubleshoot.cmd	53 kB	c0de640715e5ed1055d29338f8a6c91a	DOS batch file, ASCII text, with very long lines (376), with CRLF line terminators
2025-05-06 17:40	_ReadMe.html	84 B	574e18c1f9b32a47f988ac91588901ba	HTML document, ASCII text, with CRLF line terminators
2025-05-06 17:40	README.md	3.7 kB	4516b2851beda532f4ce4292d527b55b	Unicode text, UTF-8 text

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	Detects suspicious PowerShell code that downloads from web sites
Public Nextron YARA rules	malware	Detects suspicious PowerShell code that downloads from web sites
VirusTotal	suspicious	VirusTotal - Scan result 8/65

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

GET git.activated.win/massgrave/Microsoft-Activation-Scripts/archive/master.zip

104.21.24.156

200 OK

468 kB

URL User Request GET HTTPS

git.activated.win/massgrave/Microsoft-Activation-Scripts/archive/master.zip

IP / ASN

104.21.24.156

#13335 CLOUDFLARENET

Requested byN/A

Resource Info

File typeZip archive data, at least v1.0 to extract, compression method=store

First Seen2025-05-07

Last Seen2025-05-16

Times Seen4

Size468 kB (467868 bytes)

MD53e4de4f97b03da9f1c570faea8dd1c64

SHA10dea37d364035ed3fa1851b490c0df49fba4f2b1

SHA2568deaac80ca9f194f1005360693d3f4d0ec8abff8a58d0a8b51958013a52e7a2f

Certificate Info

IssuerGoogle Trust Services

Subjectactivated.win

FingerprintD1:0B:1F:1B:ED:70:8D:4D:8C:76:27:B8:42:D1:C2:20:5D:69:72:EA

ValidityThu, 27 Mar 2025 17:51:48 GMT - Wed, 25 Jun 2025 18:50:18 GMT

Detections

Analyzer	Verdict	Alert
VirusTotal	suspicious	VirusTotal - Scan result 8/65

HTTP Headers

GET /massgrave/Microsoft-Activation-Scripts/archive/master.zip HTTP/1.1
Host: git.activated.win
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 13 May 2025 17:29:35 GMT
content-type: application/octet-stream
content-length: 467868
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Accept-Encoding
server: cloudflare
accept-ranges: bytes
access-control-expose-headers: Content-Disposition
cache-control: private, max-age=300
content-disposition: attachment; filename="Microsoft-Activation-Scripts-master.zip"; filename*=UTF-8''Microsoft-Activation-Scripts-master.zip
last-modified: Mon, 12 May 2025 00:01:15 GMT
link: <https://git.activated.win/api/v1/repos/massgrave/Microsoft-Activation-Scripts/archive/2d00dfa704c709b78303191c4b66fe9ae533dced.tar.gz?rev=2d00dfa704c709b78303191c4b66fe9ae533dced>; rel="immutable"
no-gzip-compression: 1
cf-ray: 93f3e0faad58f5dc-AMS
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
cf-cache-status: BYPASS
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PXxmU8%2BPXIzeRiAYS30c%2FK2itMAuZJyaLPsuONDvgFjsytip%2BT%2FayJ0bvng4j7z4K0yL4d997nlBA8zU0x%2F6Ye6KoPL8mJhjYTk7Cyzbev3s3X0rvcUh7DdWnyoSp6RSXAVTLw%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
set-cookie: i_like_gitea=8f3f472992ebda85; HttpOnly; SameSite=Lax; Secure; Path=/
_csrf=oeK5LZc4SiyuUNgLzT7iXWWGzFs6MTc0NzE1NzM3NTE4NzUyODI4Nw; HttpOnly; SameSite=Lax; Secure; Path=/; Max-Age=86400
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=19550&min_rtt=19474&rtt_var=3200&sent=8&recv=11&lost=0&retrans=0&sent_bytes=3226&recv_bytes=1346&delivery_rate=221474&cwnd=254&unsent_bytes=0&cid=79bfaaaee0d38da0&ts=103&x=0"
X-Firefox-Spdy: h2