87e810d116c7a4d2f3baae3c98715047c901fd581fef72f3c3b218c03231f944

Analysis

max time kernel
67s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCRIPT FREEZE IDM TIME.cmd
Size

31KB
MD5

cd219449e7472b4e6f35c612824635bd
SHA1

f6db923ee2dbb3ae2ade5e0511533506962a689b
SHA256

87e810d116c7a4d2f3baae3c98715047c901fd581fef72f3c3b218c03231f944
SHA512

fa92d80645c1bc6ff55238322ce69144b4550aa6256efe3c334c0c343a937185a9ce18a1ad4c8e55e5ac42e6d937582738441d443f01f4a0590d64ac1453ec55
SSDEEP

384:mNnhCo3piIUTUq5rrfmJbnl7+qK14TEJYab:mNn/ZiBAq5rrfmFl7G4gJYab

Score

4^/10

Malware Config

Signatures

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2344	sc.exe
4544	sc.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4604	tasklist.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Wow6432Node\CLSID\IAS_TEST	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\WOW6432Node\CLSID\IAS_TEST\	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\WOW6432Node\CLSID\IAS_TEST	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4808	reg.exe
3396	reg.exe
1572	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1696	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3736	powershell.exe
3736	powershell.exe
2280	powershell.exe
2280	powershell.exe
4560	powershell.exe
4560	powershell.exe
3172	powershell.exe
3172	powershell.exe
1288	powershell.exe
1288	powershell.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
4988	powershell.exe
4988	powershell.exe
4184	powershell.exe
4184	powershell.exe
3588	powershell.exe
3588	powershell.exe
3256	powershell.exe
3256	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	4604	tasklist.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1968	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 2344	348	cmd.exe	84
PID 348 wrote to memory of 2344	348	cmd.exe	84
PID 348 wrote to memory of 1560	348	cmd.exe	85
PID 348 wrote to memory of 1560	348	cmd.exe	85
PID 348 wrote to memory of 1216	348	cmd.exe	86
PID 348 wrote to memory of 1216	348	cmd.exe	86
PID 348 wrote to memory of 3968	348	cmd.exe	87
PID 348 wrote to memory of 3968	348	cmd.exe	87
PID 348 wrote to memory of 2408	348	cmd.exe	88
PID 348 wrote to memory of 2408	348	cmd.exe	88
PID 348 wrote to memory of 4456	348	cmd.exe	89
PID 348 wrote to memory of 4456	348	cmd.exe	89
PID 348 wrote to memory of 3428	348	cmd.exe	90
PID 348 wrote to memory of 3428	348	cmd.exe	90
PID 3428 wrote to memory of 4536	3428	cmd.exe	91
PID 3428 wrote to memory of 4536	3428	cmd.exe	91
PID 3428 wrote to memory of 1812	3428	cmd.exe	92
PID 3428 wrote to memory of 1812	3428	cmd.exe	92
PID 348 wrote to memory of 2040	348	cmd.exe	93
PID 348 wrote to memory of 2040	348	cmd.exe	93
PID 348 wrote to memory of 3824	348	cmd.exe	94
PID 348 wrote to memory of 3824	348	cmd.exe	94
PID 348 wrote to memory of 3736	348	cmd.exe	95
PID 348 wrote to memory of 3736	348	cmd.exe	95
PID 348 wrote to memory of 1580	348	cmd.exe	96
PID 348 wrote to memory of 1580	348	cmd.exe	96
PID 348 wrote to memory of 680	348	cmd.exe	99
PID 348 wrote to memory of 680	348	cmd.exe	99
PID 348 wrote to memory of 1968	348	cmd.exe	100
PID 348 wrote to memory of 1968	348	cmd.exe	100
PID 1968 wrote to memory of 2280	1968	conhost.exe	101
PID 1968 wrote to memory of 2280	1968	conhost.exe	101
PID 2280 wrote to memory of 3316	2280	powershell.exe	103
PID 2280 wrote to memory of 3316	2280	powershell.exe	103
PID 3316 wrote to memory of 4544	3316	cmd.exe	104
PID 3316 wrote to memory of 4544	3316	cmd.exe	104
PID 3316 wrote to memory of 1484	3316	cmd.exe	105
PID 3316 wrote to memory of 1484	3316	cmd.exe	105
PID 3316 wrote to memory of 4308	3316	cmd.exe	106
PID 3316 wrote to memory of 4308	3316	cmd.exe	106
PID 3316 wrote to memory of 1332	3316	cmd.exe	107
PID 3316 wrote to memory of 1332	3316	cmd.exe	107
PID 3316 wrote to memory of 4884	3316	cmd.exe	108
PID 3316 wrote to memory of 4884	3316	cmd.exe	108
PID 3316 wrote to memory of 3876	3316	cmd.exe	109
PID 3316 wrote to memory of 3876	3316	cmd.exe	109
PID 3316 wrote to memory of 4244	3316	cmd.exe	110
PID 3316 wrote to memory of 4244	3316	cmd.exe	110
PID 4244 wrote to memory of 4500	4244	cmd.exe	111
PID 4244 wrote to memory of 4500	4244	cmd.exe	111
PID 4244 wrote to memory of 4656	4244	cmd.exe	112
PID 4244 wrote to memory of 4656	4244	cmd.exe	112
PID 3316 wrote to memory of 4516	3316	cmd.exe	113
PID 3316 wrote to memory of 4516	3316	cmd.exe	113
PID 3316 wrote to memory of 2756	3316	cmd.exe	114
PID 3316 wrote to memory of 2756	3316	cmd.exe	114
PID 3316 wrote to memory of 4560	3316	cmd.exe	115
PID 3316 wrote to memory of 4560	3316	cmd.exe	115
PID 3316 wrote to memory of 2972	3316	cmd.exe	116
PID 3316 wrote to memory of 2972	3316	cmd.exe	116
PID 3316 wrote to memory of 1740	3316	cmd.exe	117
PID 3316 wrote to memory of 1740	3316	cmd.exe	117
PID 3316 wrote to memory of 452	3316	cmd.exe	118
PID 3316 wrote to memory of 452	3316	cmd.exe	118

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:2344
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:1560
- C:\Windows\System32\findstr.exe
  findstr /v "$" "SCRIPT FREEZE IDM TIME.cmd"
  2⤵
  PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:3968
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:2408
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:4536
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" "
  2⤵
  PID:2040
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:3824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\System32\find.exe
  find /i "FullLanguage"
  2⤵
  PID:1580
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:680
- C:\Windows\System32\conhost.exe
  conhost.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd""" -el -qedit'"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '\"C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd\" -el -qedit'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" -el -qedit"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Windows\System32\sc.exe
        
        sc query Null
        5⤵
        Launches sc.exe
        
        PID:4544
    - - C:\Windows\System32\find.exe
        
        find /i "RUNNING"
        5⤵
        
        PID:1484
    - - C:\Windows\System32\findstr.exe
        
        findstr /v "$" "SCRIPT FREEZE IDM TIME.cmd"
        5⤵
        
        PID:4308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        
        PID:1332
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Console" /v ForceV2
        5⤵
        
        PID:4884
    - - C:\Windows\System32\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:3876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        6⤵
        
        PID:4500
      - C:\Windows\System32\cmd.exe
        
        cmd
        6⤵
        
        PID:4656
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" "
        5⤵
        
        PID:4516
    - - C:\Windows\System32\find.exe
        
        find /i "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
    - - C:\Windows\System32\find.exe
        
        find /i "FullLanguage"
        5⤵
        
        PID:2972
    - - C:\Windows\System32\fltMC.exe
        
        fltmc
        5⤵
        
        PID:1740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -4 -n 1 iasupdatecheck.massgrave.dev
        5⤵
        
        PID:452
      - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 iasupdatecheck.massgrave.dev
        6⤵
        Runs ping.exe
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
    - - C:\Windows\System32\find.exe
        
        find /i "computersystem"
        5⤵
        
        PID:924
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul
        5⤵
        
        PID:3948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\\Software
        5⤵
        
        PID:1216
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul
        5⤵
        
        PID:3968
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software
        5⤵
        
        PID:4520
    - - C:\Windows\System32\reg.exe
        
        reg delete HKCU\IAS_TEST /f
        5⤵
        Modifies registry key
        
        PID:4808
    - - C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-877519540-908060166-1852957295-1000\IAS_TEST /f
        5⤵
        
        PID:3632
    - - C:\Windows\System32\reg.exe
        
        reg add HKCU\IAS_TEST
        5⤵
        Modifies registry key
        
        PID:3396
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-877519540-908060166-1852957295-1000\IAS_TEST
        5⤵
        
        PID:4932
    - - C:\Windows\System32\reg.exe
        
        reg delete HKCU\IAS_TEST /f
        5⤵
        Modifies registry key
        
        PID:1572
    - - C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-877519540-908060166-1852957295-1000\IAS_TEST /f
        5⤵
        
        PID:4356
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:4972
      - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        6⤵
        
        PID:1620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\DownloadManager" /v ExePath 2>nul
        5⤵
        
        PID:4572
      - C:\Windows\System32\reg.exe
        
        reg query "HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\DownloadManager" /v ExePath
        6⤵
        
        PID:4836
    - - C:\Windows\System32\reg.exe
        
        reg add HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
        5⤵
        Modifies registry class
        
        PID:2720
    - - C:\Windows\System32\reg.exe
        
        reg query HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
        5⤵
        
        PID:1500
    - - C:\Windows\System32\reg.exe
        
        reg delete HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f
        5⤵
        Modifies registry class
        
        PID:5080
    - - C:\Windows\System32\mode.com
        
        mode 75, 28
        5⤵
        
        PID:5084
    - - C:\Windows\System32\choice.exe
        
        choice /C:123450 /N
        5⤵
        
        PID:5116
    - - C:\Windows\System32\mode.com
        
        mode 113, 35
        5⤵
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
    - - C:\Windows\System32\tasklist.exe
        
        tasklist /fi "imagename eq idman.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
    - - C:\Windows\System32\findstr.exe
        
        findstr /i "idman.exe"
        5⤵
        
        PID:2440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
        5⤵
        
        PID:2404
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
    - - C:\Windows\System32\reg.exe
        
        reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240427-190952889.reg"
        5⤵
        
        PID:1696
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\DownloadManager" "/v" "FName"
        5⤵
        
        PID:3292
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\DownloadManager" "/v" "LName"
        5⤵
        
        PID:3584
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\DownloadManager" "/v" "Email"
        5⤵
        
        PID:4956
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\DownloadManager" "/v" "Serial"
        5⤵
        
        PID:1924
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\DownloadManager" "/v" "scansk"
        5⤵
        
        PID:3172
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
        5⤵
        
        PID:4320
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
        5⤵
        
        PID:1668
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
        5⤵
        
        PID:2476
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
        5⤵
        
        PID:2184
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
        5⤵
        
        PID:4912
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
        5⤵
        
        PID:4976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$sid = 'S-1-5-21-877519540-908060166-1852957295-1000'; $HKCUsync = 1; $lockKey = $null; $deleteKey = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':regscan\:.*';iex ($f[1])"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
    - - C:\Windows\System32\reg.exe
        
        reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:3044
    - - C:\Windows\System32\mode.com
        
        mode 75, 28
        5⤵
        
        PID:2444
    - - C:\Windows\System32\choice.exe
        
        choice /C:123450 /N
        5⤵
        
        PID:5108
    - - C:\Windows\System32\mode.com
        
        mode 113, 35
        5⤵
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
    - - C:\Windows\System32\mode.com
        
        mode 75, 28
        5⤵
        
        PID:4960
    - - C:\Windows\System32\choice.exe
        
        choice /C:123450 /N
        5⤵
        
        PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c45b4a4ae4935383aaac5e3f00b0906

SHA1
acd563a6b0651d2b0be21b9bf4398216994501df

SHA256
2c7beaa50f3cff453eca4d601e09c0ee38bd3f4e1d5b4d608046662d9d79828d

SHA512
177389f2406de32d7eef9f827abb4a6e6c926951de47073f16224b7117bbe86c038ed0aa1affbb23d557b984df78a1eb6fc8567dba16f3e6592da64fe19d99d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e89c193840c8fb53fc3de104b1c4b092

SHA1
8b41b6a392780e48cc33e673cf4412080c42981e

SHA256
920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

SHA512
865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d9b53573ceb7befdd720af28cab520

SHA1
60baa3f5b7b6329121ea27d727bd249fc22d6d0f

SHA256
d25db7242c40ddcffc09f7277be0ea4ec676f53a8058057bfc995c1a1af1b289

SHA512
30aed460d420549b39ba9f1b0bf5f13bd7d96a2217ac76de9756f77b0288812e548f2170e4df58ff5ae5f8900df775cc0abca2e02ab039b5121afb43fed838f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d45679c8b58392ba3e7174a4c662d530

SHA1
d50d65ddb618a8b4b91bc66772368ef10f3d1156

SHA256
abb662fe832ffbdfa41b3da262cf5b5a77a197b54644d598e27a2b2d2d50c0ff

SHA512
fa8dc9d48ceedbbec1e5edea6e5986aeac82c44af663fa646596b63843ae9191fb2cb7b20196f6862fd9f25c5671c17050a9a39a165cf1d58b4bdee2c1db74c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cae1fca4772c3bb8bca5cd474c2d4c1a

SHA1
d8dd8f4c30d43f899776cc8db969973ceef5f047

SHA256
0db954e2532209c30c277400c9c5399c145259b73afe02ba4db67b71cb3d965e

SHA512
18182c00b0f0f32c7e5edcf44b6bc549502018802efa30a4e05887dc9d2037926217daf2feaef79c700863f1ffd8a50231ab5c3a9b1a177632e23675715f3a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2a9c3225d7b5e1f983edda0d4c2ca869

SHA1
0f7627d5489de499fb82d67435a5f63754dc0603

SHA256
d74ce17d2f33c85603df92e7a1d368e3bd0e34f42170ddec0ef1d1de194b8207

SHA512
e394feb2601f3a7c71dd99aa95bb60478e92a76c4232b3cc689704f46b1ebe4832a53558e54f433f79c5d4e231fbeb43424bf54e9654883dc5affbdd68d91f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1542328a8546914b4e2f1aef9cb42bea

SHA1
7a0ac5969dfb20eb974e8a3bd8707243fa68f94f

SHA256
7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737

SHA512
b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGE510.tmp

Filesize
32KB

MD5
e9d06132591c36129e4455d063612beb

SHA1
798619665c9915bc2f50bec9f0d9d0707a5a485e

SHA256
357e1fb247f831c9b4a0363445a0a7446af42dea4585f5c7357391e5732f4b2c

SHA512
6eabef2e10285611260d6ea1503bbb2eafb830c3dc4544f064edfa0e6821f21bbe65a77878cb18f8ebfd80ff520459e9a65f274f9c0eec7e772bec1c41d0476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2foxoih0.eap.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3736-12-0x0000015C4FD60000-0x0000015C4FF7C000-memory.dmp

Filesize
2.1MB

Download
memory/3736-9-0x0000015C4DC40000-0x0000015C4DC62000-memory.dmp

Filesize
136KB

Download