Analysis
- max time kernel: 67s
- max time network: 50s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/04/2024, 19:08
Static task
- static1
Behavioral task
- behavioral1
  Sample: SCRIPT FREEZE IDM TIME.cmd
  Resource: win7-20240419-en
Behavioral task
- behavioral2
  Sample: SCRIPT FREEZE IDM TIME.cmd
  Resource: win10v2004-20240419-en
General
- Target: SCRIPT FREEZE IDM TIME.cmd
- Size: 31KB
- MD5: cd219449e7472b4e6f35c612824635bd
- SHA1: f6db923ee2dbb3ae2ade5e0511533506962a689b
- SHA256: 87e810d116c7a4d2f3baae3c98715047c901fd581fef72f3c3b218c03231f944
- SHA512: fa92d80645c1bc6ff55238322ce69144b4550aa6256efe3c334c0c343a937185a9ce18a1ad4c8e55e5ac42e6d937582738441d443f01f4a0590d64ac1453ec55
- SSDEEP: 384:mNnhCo3piIUTUq5rrfmJbnl7+qK14TEJYab:mNn/ZiBAq5rrfmFl7G4gJYab
Malware Config
Signatures
- Launches sc.exe (2 IoCs)
  sc.exe is the Windows utility used to query and control services on the system.
  PID / Process: 2344 sc.exe, 4544 sc.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID / Process: 4604 tasklist.exe
- Modifies registry class (3 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Wow6432Node\CLSID\IAS_TEST (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\WOW6432Node\CLSID\IAS_TEST\ (reg.exe)
  Key deleted: \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\WOW6432Node\CLSID\IAS_TEST (reg.exe)
- Modifies registry key (1 TTP, 3 IoCs)
  PID / Process: 4808 reg.exe, 3396 reg.exe, 1572 reg.exe
- Runs ping.exe (1 TTP, 1 IoC)
  PID / Process: 1696 PING.EXE
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID / Process (events): 3736 powershell.exe (2), 2280 powershell.exe (2), 4560 powershell.exe (2), 3172 powershell.exe (2), 1288 powershell.exe (2), 3932 powershell.exe (6), 4988 powershell.exe (2), 4184 powershell.exe (2), 3588 powershell.exe (2), 3256 powershell.exe (2)
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Token SeDebugPrivilege enabled by: 3736 powershell.exe, 2280 powershell.exe, 4560 powershell.exe, 3172 powershell.exe, 1288 powershell.exe, 3932 powershell.exe, 4988 powershell.exe, 4604 tasklist.exe, 4184 powershell.exe, 3588 powershell.exe, 3256 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID / Process: 1968 conhost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID (process) wrote to memory of target PID (procid_target); every pair below was recorded twice:
  348 (cmd.exe) -> 2344 (84)
  348 (cmd.exe) -> 1560 (85)
  348 (cmd.exe) -> 1216 (86)
  348 (cmd.exe) -> 3968 (87)
  348 (cmd.exe) -> 2408 (88)
  348 (cmd.exe) -> 4456 (89)
  348 (cmd.exe) -> 3428 (90)
  3428 (cmd.exe) -> 4536 (91)
  3428 (cmd.exe) -> 1812 (92)
  348 (cmd.exe) -> 2040 (93)
  348 (cmd.exe) -> 3824 (94)
  348 (cmd.exe) -> 3736 (95)
  348 (cmd.exe) -> 1580 (96)
  348 (cmd.exe) -> 680 (99)
  348 (cmd.exe) -> 1968 (100)
  1968 (conhost.exe) -> 2280 (101)
  2280 (powershell.exe) -> 3316 (103)
  3316 (cmd.exe) -> 4544 (104)
  3316 (cmd.exe) -> 1484 (105)
  3316 (cmd.exe) -> 4308 (106)
  3316 (cmd.exe) -> 1332 (107)
  3316 (cmd.exe) -> 4884 (108)
  3316 (cmd.exe) -> 3876 (109)
  3316 (cmd.exe) -> 4244 (110)
  4244 (cmd.exe) -> 4500 (111)
  4244 (cmd.exe) -> 4656 (112)
  3316 (cmd.exe) -> 4516 (113)
  3316 (cmd.exe) -> 2756 (114)
  3316 (cmd.exe) -> 4560 (115)
  3316 (cmd.exe) -> 2972 (116)
  3316 (cmd.exe) -> 1740 (117)
  3316 (cmd.exe) -> 452 (118)
Processes (tree; indentation shows parent/child depth)
- PID 348: C:\Windows\system32\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd"
  sigs: Suspicious use of WriteProcessMemory
  - PID 2344: C:\Windows\System32\sc.exe
    cmd: sc query Null
    sigs: Launches sc.exe
  - PID 1560: C:\Windows\System32\find.exe
    cmd: find /i "RUNNING"
  - PID 1216: C:\Windows\System32\findstr.exe
    cmd: findstr /v "$" "SCRIPT FREEZE IDM TIME.cmd"
  - PID 3968: C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c ver
  - PID 2408: C:\Windows\System32\reg.exe
    cmd: reg query "HKCU\Console" /v ForceV2
  - PID 4456: C:\Windows\System32\find.exe
    cmd: find /i "0x0"
  - PID 3428: C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    sigs: Suspicious use of WriteProcessMemory
    - PID 4536: C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    - PID 1812: C:\Windows\System32\cmd.exe
      cmd: cmd
  - PID 2040: C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" "
  - PID 3824: C:\Windows\System32\find.exe
    cmd: find /i "C:\Users\Admin\AppData\Local\Temp"
  - PID 3736: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
    sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 1580: C:\Windows\System32\find.exe
    cmd: find /i "FullLanguage"
  - PID 680: C:\Windows\System32\fltMC.exe
    cmd: fltmc
  - PID 1968: C:\Windows\System32\conhost.exe
    cmd: conhost.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd""" -el -qedit'"
    sigs: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 2280: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '\"C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd\" -el -qedit'"
      sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - PID 3316: C:\Windows\System32\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" -el -qedit"
        sigs: Suspicious use of WriteProcessMemory
        - PID 4544: C:\Windows\System32\sc.exe
          cmd: sc query Null
          sigs: Launches sc.exe
        - PID 1484: C:\Windows\System32\find.exe
          cmd: find /i "RUNNING"
        - PID 4308: C:\Windows\System32\findstr.exe
          cmd: findstr /v "$" "SCRIPT FREEZE IDM TIME.cmd"
        - PID 1332: C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c ver
        - PID 4884: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Console" /v ForceV2
        - PID 3876: C:\Windows\System32\find.exe
          cmd: find /i "0x0"
        - PID 4244: C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
          sigs: Suspicious use of WriteProcessMemory
          - PID 4500: C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
          - PID 4656: C:\Windows\System32\cmd.exe
            cmd: cmd
        - PID 4516: C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" "
        - PID 2756: C:\Windows\System32\find.exe
          cmd: find /i "C:\Users\Admin\AppData\Local\Temp"
        - PID 4560: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
          sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 2972: C:\Windows\System32\find.exe
          cmd: find /i "FullLanguage"
        - PID 1740: C:\Windows\System32\fltMC.exe
          cmd: fltmc
        - PID 452: C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c ping -4 -n 1 iasupdatecheck.massgrave.dev
          - PID 1696: C:\Windows\System32\PING.EXE
            cmd: ping -4 -n 1 iasupdatecheck.massgrave.dev
            sigs: Runs ping.exe
        - PID 3172: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"
          sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 924: C:\Windows\System32\find.exe
          cmd: find /i "computersystem"
        - PID 3948: C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul
          - PID 1288: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"
            sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 1216: C:\Windows\System32\reg.exe
          cmd: reg query HKU\\Software
        - PID 3968: C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul
          - PID 3932: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"
            sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 4520: C:\Windows\System32\reg.exe
          cmd: reg query HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software
        - PID 4808: C:\Windows\System32\reg.exe
          cmd: reg delete HKCU\IAS_TEST /f
          sigs: Modifies registry key
        - PID 3632: C:\Windows\System32\reg.exe
          cmd: reg delete HKU\S-1-5-21-877519540-908060166-1852957295-1000\IAS_TEST /f
        - PID 3396: C:\Windows\System32\reg.exe
          cmd: reg add HKCU\IAS_TEST
          sigs: Modifies registry key
        - PID 4932: C:\Windows\System32\reg.exe
          cmd: reg query HKU\S-1-5-21-877519540-908060166-1852957295-1000\IAS_TEST
        - PID 1572: C:\Windows\System32\reg.exe
          cmd: reg delete HKCU\IAS_TEST /f
          sigs: Modifies registry key
        - PID 4356: C:\Windows\System32\reg.exe
          cmd: reg delete HKU\S-1-5-21-877519540-908060166-1852957295-1000\IAS_TEST /f
        - PID 4972: C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
          - PID 1620: C:\Windows\System32\reg.exe
            cmd: reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        - PID 4572: C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\DownloadManager" /v ExePath 2>nul
          - PID 4836: C:\Windows\System32\reg.exe
            cmd: reg query "HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\DownloadManager" /v ExePath
        - PID 2720: C:\Windows\System32\reg.exe
          cmd: reg add HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
          sigs: Modifies registry class
        - PID 1500: C:\Windows\System32\reg.exe
          cmd: reg query HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
        - PID 5080: C:\Windows\System32\reg.exe
          cmd: reg delete HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f
          sigs: Modifies registry class
        - PID 5084: C:\Windows\System32\mode.com
          cmd: mode 75, 28
        - PID 5116: C:\Windows\System32\choice.exe
          cmd: choice /C:123450 /N
        - PID 1692: C:\Windows\System32\mode.com
          cmd: mode 113, 35
        - PID 4988: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
          sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 4604: C:\Windows\System32\tasklist.exe
          cmd: tasklist /fi "imagename eq idman.exe"
          sigs: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - PID 2440: C:\Windows\System32\findstr.exe
          cmd: findstr /i "idman.exe"
        - PID 2404: C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
          - PID 4184: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
            sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 1696: C:\Windows\System32\reg.exe
          cmd: reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240427-190952889.reg"
        - PID 3292: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Software\DownloadManager" "/v" "FName"
        - PID 3584: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Software\DownloadManager" "/v" "LName"
        - PID 4956: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Software\DownloadManager" "/v" "Email"
        - PID 1924: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Software\DownloadManager" "/v" "Serial"
        - PID 3172: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Software\DownloadManager" "/v" "scansk"
        - PID 4320: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
        - PID 1668: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
        - PID 2476: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
        - PID 2184: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
        - PID 4912: C:\Windows\System32\reg.exe
          cmd: reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
        - PID 4976: C:\Windows\System32\reg.exe
          cmd: reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
        - PID 3588: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell.exe "$sid = 'S-1-5-21-877519540-908060166-1852957295-1000'; $HKCUsync = 1; $lockKey = $null; $deleteKey = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':regscan\:.*';iex ($f[1])"
          sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 3044: C:\Windows\System32\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
        - PID 2444: C:\Windows\System32\mode.com
          cmd: mode 75, 28
        - PID 5108: C:\Windows\System32\choice.exe
          cmd: choice /C:123450 /N
        - PID 2484: C:\Windows\System32\mode.com
          cmd: mode 113, 35
        - PID 3256: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
          sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - PID 4960: C:\Windows\System32\mode.com
          cmd: mode 75, 28
        - PID 4580: C:\Windows\System32\choice.exe
          cmd: choice /C:123450 /N
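The process tree above is the whole story of this sample: a batch/PowerShell polyglot loader (PowerShell reads the .cmd back from disk, splits it on a marker such as ':PowerShellTest:' and iex's one segment), a runtime-built P/Invoke to SetConsoleMode, a check for a running idman.exe, a backup of HKCU CLSID to C:\Windows\Temp, and a run of reg.exe queries and writes against the Internet Download Manager licence keys. The detector below is an added example (not tria.ge output and not the script's own code) that correlates those command lines by process ancestry; the event fields follow Sysmon event ID 1, the sample events are constructed from the tree above (PIDs 600 and 700 are invented as a benign control), and the REG_TAMPER_MIN threshold is an assumption.

```python
"""Correlate the process chain seen in the report above from process-creation events."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon EID 1 or EDR event carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# (rule name, image basename pattern, command-line pattern); all matched case-insensitively.
RULES = [
    # PowerShell reads a .cmd/.bat on disk, splits it on a marker and iex's one segment:
    # the batch/PowerShell polyglot loader (':PowerShellTest:' and ':regscan:' in the tree).
    ("polyglot_self_eval", r"powershell\.exe$",
     r"\[io\.file\]::ReadAllText\(.*\.(cmd|bat)'\).*-split.*\biex\b"),
    # kernel32!SetConsoleMode bound through a dynamic assembly built at runtime (no Add-Type).
    ("dynamic_pinvoke_console", r"powershell\.exe$",
     r"DefinePInvokeMethod\('SetConsoleMode',\s*'kernel32\.dll'"),
    # Any reg.exe touch on the Internet Download Manager keys; counted per chain, not alerted alone.
    ("idm_registry_access", r"reg\.exe$",
     r"Software\\DownloadManager|Internet Download Manager"),
    # HKCU CLSID exported to C:\Windows\Temp before the CLSID clean-up.
    ("idm_clsid_backup", r"reg\.exe$",
     r"reg export .*Classes\\Wow6432Node\\CLSID .*\\Windows\\Temp\\"),
    ("idm_process_check", r"tasklist\.exe$", r"imagename eq idman\.exe"),
]
REG_TAMPER_MIN = 3  # assumption: 3+ distinct IDM registry commands in one chain is tampering, not a lookup

CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REG = r"C:\Windows\System32\reg.exe"

# Constructed sample: a subset of the report's tree (PIDs and command lines as shown there,
# two long PowerShell arguments trimmed) plus one unrelated lookup (PIDs 600/700, invented).
SAMPLE_EVENTS = [
    ProcEvent(348, 1, CMD, r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd"'),
    ProcEvent(3736, 348, PS, r'''powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"'''),
    ProcEvent(1968, 348, r"C:\Windows\System32\conhost.exe", "conhost.exe powershell.exe (argument trimmed)"),
    ProcEvent(2280, 1968, PS, r'''powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); (trimmed)"'''),
    ProcEvent(3316, 2280, CMD, r'"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" -el -qedit"'),
    ProcEvent(4604, 3316, r"C:\Windows\System32\tasklist.exe", r'tasklist /fi "imagename eq idman.exe"'),
    ProcEvent(1696, 3316, REG, r'reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240427-190952889.reg"'),
    ProcEvent(3292, 3316, REG, r'reg query "HKCU\Software\DownloadManager" "/v" "FName"'),
    ProcEvent(1924, 3316, REG, r'reg query "HKCU\Software\DownloadManager" "/v" "Serial"'),
    ProcEvent(2476, 3316, REG, r'reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"'),
    ProcEvent(3044, 3316, REG, r'reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f'),
    ProcEvent(700, 600, REG, r'reg query "HKCU\Software\DownloadManager" /v ExePath'),
]


def root_pid(pid, parents):
    """Walk ppid links up to the top-most ancestor present in the event set."""
    seen = {pid}
    while parents.get(pid) in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return pid


def analyze(events):
    """Return {root pid: sorted rule names} for every chain that tripped a rule.

    PID reuse (the report shows 1696 as both PING.EXE and reg.exe) would need a
    ProcessGuid key in production; the sample keeps PIDs unique.
    """
    parents = {e.pid: e.ppid for e in events}
    hits = defaultdict(set)
    idm_reg = defaultdict(set)  # root pid -> distinct reg.exe command lines on IDM keys
    for e in events:
        root = root_pid(e.pid, parents)
        for name, image_re, cmd_re in RULES:
            if not (re.search(image_re, e.image, re.I) and re.search(cmd_re, e.cmdline, re.I)):
                continue
            if name == "idm_registry_access":
                idm_reg[root].add(e.cmdline)
            else:
                hits[root].add(name)
    for root, cmds in idm_reg.items():
        if len(cmds) >= REG_TAMPER_MIN:
            hits[root].add("idm_registry_tamper")
    return {root: sorted(names) for root, names in hits.items()}


def verdict(rule_names):
    """The trial-reset verdict needs both the polyglot loader and the registry tampering."""
    names = set(rule_names)
    if {"polyglot_self_eval", "idm_registry_tamper"} <= names:
        return "idm-trial-reset-chain"
    return "suspicious" if names else "clean"


if __name__ == "__main__":
    for root, names in analyze(SAMPLE_EVENTS).items():
        print(f"root PID {root}: {verdict(names)} {names}")
```

Scoring per chain rather than per event is what keeps the single reg.exe lookup under PID 600 out of the result: one query of HKCU\Software\DownloadManager is what IDM itself or an inventory tool does, while the ten value queries plus an export and a write in one ancestry tree are the pattern worth alerting on.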
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
- Filesize: 1KB
  MD5: c20ac38ae3022e305b8752804aadf486
  SHA1: 4c144d6cfafb5c37ab4810ff3c1744df81493cdb
  SHA256: 03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf
  SHA512: c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0
- Filesize: 1KB
  MD5: 7c45b4a4ae4935383aaac5e3f00b0906
  SHA1: acd563a6b0651d2b0be21b9bf4398216994501df
  SHA256: 2c7beaa50f3cff453eca4d601e09c0ee38bd3f4e1d5b4d608046662d9d79828d
  SHA512: 177389f2406de32d7eef9f827abb4a6e6c926951de47073f16224b7117bbe86c038ed0aa1affbb23d557b984df78a1eb6fc8567dba16f3e6592da64fe19d99d7
- Filesize: 1KB
  MD5: e89c193840c8fb53fc3de104b1c4b092
  SHA1: 8b41b6a392780e48cc33e673cf4412080c42981e
  SHA256: 920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c
  SHA512: 865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2
- Filesize: 1KB
  MD5: 83d9b53573ceb7befdd720af28cab520
  SHA1: 60baa3f5b7b6329121ea27d727bd249fc22d6d0f
  SHA256: d25db7242c40ddcffc09f7277be0ea4ec676f53a8058057bfc995c1a1af1b289
  SHA512: 30aed460d420549b39ba9f1b0bf5f13bd7d96a2217ac76de9756f77b0288812e548f2170e4df58ff5ae5f8900df775cc0abca2e02ab039b5121afb43fed838f0
- Filesize: 1KB
  MD5: d45679c8b58392ba3e7174a4c662d530
  SHA1: d50d65ddb618a8b4b91bc66772368ef10f3d1156
  SHA256: abb662fe832ffbdfa41b3da262cf5b5a77a197b54644d598e27a2b2d2d50c0ff
  SHA512: fa8dc9d48ceedbbec1e5edea6e5986aeac82c44af663fa646596b63843ae9191fb2cb7b20196f6862fd9f25c5671c17050a9a39a165cf1d58b4bdee2c1db74c6
- Filesize: 1KB
  MD5: cae1fca4772c3bb8bca5cd474c2d4c1a
  SHA1: d8dd8f4c30d43f899776cc8db969973ceef5f047
  SHA256: 0db954e2532209c30c277400c9c5399c145259b73afe02ba4db67b71cb3d965e
  SHA512: 18182c00b0f0f32c7e5edcf44b6bc549502018802efa30a4e05887dc9d2037926217daf2feaef79c700863f1ffd8a50231ab5c3a9b1a177632e23675715f3a8f
- Filesize: 1KB
  MD5: 2a9c3225d7b5e1f983edda0d4c2ca869
  SHA1: 0f7627d5489de499fb82d67435a5f63754dc0603
  SHA256: d74ce17d2f33c85603df92e7a1d368e3bd0e34f42170ddec0ef1d1de194b8207
  SHA512: e394feb2601f3a7c71dd99aa95bb60478e92a76c4232b3cc689704f46b1ebe4832a53558e54f433f79c5d4e231fbeb43424bf54e9654883dc5affbdd68d91f79
- Filesize: 944B
  MD5: 1542328a8546914b4e2f1aef9cb42bea
  SHA1: 7a0ac5969dfb20eb974e8a3bd8707243fa68f94f
  SHA256: 7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
  SHA512: b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286
- Filesize: 32KB
  MD5: e9d06132591c36129e4455d063612beb
  SHA1: 798619665c9915bc2f50bec9f0d9d0707a5a485e
  SHA256: 357e1fb247f831c9b4a0363445a0a7446af42dea4585f5c7357391e5732f4b2c
  SHA512: 6eabef2e10285611260d6ea1503bbb2eafb830c3dc4544f064edfa0e6821f21bbe65a77878cb18f8ebfd80ff520459e9a65f274f9c0eec7e772bec1c41d0476e
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82