Malware analysis activate-idm.ps1 Malicious activity | ANY.RUN

Add for printing

File name:	activate-idm.ps1
Full analysis:	https://app.any.run/tasks/af09a08a-2575-44a0-b069-2f6316abda7d
Verdict:	Malicious activity
Analysis date:	July 27, 2025, 16:30:26
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	github arch-exec arch-doc
Indicators:
MIME:	text/plain
File info:	Unicode text, UTF-8 text, with CRLF line terminators
MD5:	6096F67803669F0471E191E01E1873FF
SHA1:	8DFDD5D195E7C6034321142AFC4AE610430CEA7E
SHA256:	258FAD9D13AA4335575F4E47D44001931F606ADB9A69A94E28ACF6A068FFF4F0
SSDEEP:	12:9v9AdRRAVxXt4isgAjmRAVWu22gZV1QUcOFFRAVEMxvU:QwVxXuXDVqzDc/VJxvU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Bypass execution policy to execute commands
  - powershell.exe (PID: 2716)
- Script downloads file (POWERSHELL)
  - powershell.exe (PID: 2716)
SUSPICIOUS
- Gets file extension (POWERSHELL)
  - powershell.exe (PID: 2716)
- Uses sleep to delay execution (POWERSHELL)
  - powershell.exe (PID: 2716)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 2716)
- Starts CMD.EXE for commands execution
  - powershell.exe (PID: 2716)
  - wscript.exe (PID: 6636)
  - cmd.exe (PID: 3964)
- Executing commands from ".cmd" file
  - powershell.exe (PID: 2716)
  - wscript.exe (PID: 6636)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 4880)
  - cmd.exe (PID: 3964)
- The process executes VB scripts
  - cmd.exe (PID: 4880)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 6636)
- Starts application with an unusual extension
  - cmd.exe (PID: 3964)
- Application launched itself
  - cmd.exe (PID: 3964)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 5372)
INFO
- Disables trace logs
  - powershell.exe (PID: 2716)
- Checks whether the specified file exists (POWERSHELL)
  - powershell.exe (PID: 2716)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 2716)
- Checks proxy server information
  - powershell.exe (PID: 2716)
- The sample compiled with english language support
  - powershell.exe (PID: 2716)
- Starts MODE.COM to configure console settings
  - mode.com (PID: 1740)
  - mode.com (PID: 1056)
- Checks supported languages
  - mode.com (PID: 1740)
  - mode.com (PID: 1056)
  - chcp.com (PID: 6240)
  - curl.exe (PID: 3620)
- Execution of CURL command
  - cmd.exe (PID: 3964)
- Reads the computer name
  - curl.exe (PID: 3620)
- Create files in a temporary directory
  - curl.exe (PID: 3620)
- Changes the display of characters in the console
  - cmd.exe (PID: 3964)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

152

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1056

mode con: cols=120 lines=40

C:\Windows\System32\mode.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

DOS Device MODE Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\ureg.dll
c:\windows\system32\ulib.dll

1488

"C:\WINDOWS\system32\cacls.exe" "C:\WINDOWS\system32\config\system"

C:\Windows\System32\cacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Control ACLs Program

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\ucrtbase.dll

1740

mode con: cols=120 lines=40

C:\Windows\System32\mode.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

DOS Device MODE Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2192

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2716

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\activate-idm.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3620

curl -s "https://api.github.com/repos/coporton/IDM-Activation-Script/releases/latest" -o "C:\Users\admin\AppData\Local\Temp\latest_release.json"

C:\Windows\System32\curl.exe

cmd.exe

User:

admin

Company:

curl, https://curl.se/

Integrity Level:

HIGH

Description:

The curl executable

Exit code:

Version:

8.4.0

Modules

Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll

3624

ping -n 1 google.com

C:\Windows\System32\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

TCP/IP Ping Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll

3964

"C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\RE0GA1~1\IDM-AC~1\IASL.cmd"

C:\Windows\System32\cmd.exe

wscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

4100

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4788

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

12 270

Read events

12 267

Write events

Delete events

Modification events


(PID) Process:	(4880) cmd.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:	write	Name:	VBSFile
Value:
(PID) Process:	(6636) wscript.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor
(PID) Process:	(6636) wscript.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2716	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF18cbb7.TMP		binary
		MD5:00A03B286E6E0EBFF8D9C492365D5EC2	SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
2716	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:5BB7E599ED14B2594516FA77AF028B77	SHA256:D5466429E26C18737A9C58D39A96783551DDFA41946A147300FF050C5315A972
2716	powershell.exe	C:\Users\admin\AppData\Local\Temp\RE0GA1NA-3MD1-AO3L-N3WO-5DT4EN5RE5TN5I\IDM-Activation-Script-main\src\extensions.bin		text
		MD5:D75CEB6BEC202AC2E4157FA5CCF2EA40	SHA256:DF89AA1FF1712E82FE4C87348A745D5856D52A683C019509F7FFD02BAE7BEE0F
2716	powershell.exe	C:\Users\admin\AppData\Local\Temp\RE0GA1NA-3MD1-AO3L-N3WO-5DT4EN5RE5TN5I\IDM-Activation-Script-main\src\dataHlp.bin		executable
		MD5:3F3303AF5B33D751BB1152110A807C7F	SHA256:DB273CC8CF91A1DF241B7511DB392524CBAB6C40F8DF7D8535ACE4B51FED9FFB
2716	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_evccbzpu.zoc.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2716	powershell.exe	C:\Users\admin\AppData\Local\Temp\RE0GA1NA-3MD1-AO3L-N3WO-5DT4EN5RE5TN5I\IDM-Activation-Script-main.zip		compressed
		MD5:D13B27B649C1B810EB5508BC190C8AA3	SHA256:53B20C5309487AEBB7BBEAE25415AEFCB0ADCEAA3D10C30B35F2B1A06243972A
2716	powershell.exe	C:\Users\admin\AppData\Local\Temp\RE0GA1NA-3MD1-AO3L-N3WO-5DT4EN5RE5TN5I\IDM-Activation-Script-main\IASL.cmd		text
		MD5:6F859F26BE3669D260D528F9D55EE8D7	SHA256:ECA26504D031FA05CDF97029952843C7471567C76C2794F739F361EAFE5E6950
2716	powershell.exe	C:\Users\admin\AppData\Local\Temp\RE0GA1NA-3MD1-AO3L-N3WO-5DT4EN5RE5TN5I\IDM-Activation-Script-main\src\banner_art.txt		text
		MD5:13BFEF56E214DC91015E3341ACDA17E9	SHA256:86EA90A9D22AA5CF5DD15C14C869DA34FEA66E427EE4863A9DA68BAC8740B8EE
2716	powershell.exe	C:\Users\admin\AppData\Local\Temp\RE0GA1NA-3MD1-AO3L-N3WO-5DT4EN5RE5TN5I\IDM-Activation-Script-main\README.md		text
		MD5:10105C46B39D1AC8C9F28A9C35B24833	SHA256:195F7A8D703B5047DB12BD00FB62B98754D5F22C9B1ACDCECBB9F251A1438FD2
2716	powershell.exe	C:\Users\admin\AppData\Local\Temp\RE0GA1NA-3MD1-AO3L-N3WO-5DT4EN5RE5TN5I\IDM-Activation-Script-main\LICENSE		text
		MD5:354960CCC2E02AD40C438827EC105D18	SHA256:B800A52C77C8AC924A16BBD34136FE2877F477EFAC1EAA1AF7AF0C36703D8966

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5084	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.36:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4228	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4228	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
764	lsass.exe	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D	unknown	—	—	whitelisted
764	lsass.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd	unknown	—	—	whitelisted
764	lsass.exe	GET	200	104.18.38.233:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CECoW9cIBGAf3CpJj3Tw5qfI%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1636	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2716	powershell.exe	103.118.78.250:443	coporton.com	Vision Technologies Ltd.	BD	unknown
2716	powershell.exe	140.82.121.3:443	github.com	GITHUB	US	whitelisted
2716	powershell.exe	185.199.111.133:443	release-assets.githubusercontent.com	FASTLY	US	unknown
2716	powershell.exe	169.61.27.133:443	www.internetdownloadmanager.com	SOFTLAYER	US	whitelisted
5084	svchost.exe	20.190.159.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
coporton.com	103.118.78.250	unknown
github.com	140.82.121.3	whitelisted
release-assets.githubusercontent.com	185.199.111.133 185.199.109.133 185.199.110.133 185.199.108.133	unknown
www.internetdownloadmanager.com	169.61.27.133	whitelisted
login.live.com	20.190.159.73 40.126.31.67 40.126.31.130 20.190.159.75 40.126.31.69 20.190.159.0 40.126.31.73 40.126.31.129	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
crl.microsoft.com	23.216.77.36 23.216.77.7 23.216.77.5 23.216.77.25 23.216.77.22 23.216.77.15 23.216.77.28 23.216.77.39 23.216.77.21	whitelisted
www.microsoft.com	69.192.161.161	whitelisted

Threats

PID	Process	Class	Message
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
2200	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access release user assets on GitHub
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

No debug info

General Info

activate-idm.ps1

6096F67803669F0471E191E01E1873FF

8DFDD5D195E7C6034321142AFC4AE610430CEA7E

258FAD9D13AA4335575F4E47D44001931F606ADB9A69A94E28ACF6A068FFF4F0

12:9v9AdRRAVxXt4isgAjmRAVWu22gZV1QUcOFFRAVEMxvU:QwVxXuXDVqzDc/VJxvU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Script downloads file (POWERSHELL)

SUSPICIOUS

Gets file extension (POWERSHELL)

Uses sleep to delay execution (POWERSHELL)

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Executing commands from ".cmd" file

Uses ICACLS.EXE to modify access control lists

The process executes VB scripts

Runs shell command (SCRIPT)

Starts application with an unusual extension

Application launched itself

Using 'findstr.exe' to search for text patterns in files and output

INFO

Disables trace logs

Checks whether the specified file exists (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Checks proxy server information

The sample compiled with english language support

Starts MODE.COM to configure console settings

Checks supported languages

Execution of CURL command

Reads the computer name

Create files in a temporary directory

Changes the display of characters in the console

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings