File name: InternetDownloadManager6.38Build1.exe

Full analysis: https://app.any.run/tasks/165a06d1-7d4d-4327-adea-7d9798abf35d
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: July 31, 2024, 21:03:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 82C126CC4CC385CA71AABC640E63D7A7
SHA1: DC2D6D5B798B15545B0A343A0924FC1567352504
SHA256: 055512C413A2F815EB167BB56E03E814DE75438FFE61C8953B9037372BBEBA1A
SSDEEP: 98304:yRqzshoAyfrKD0mUiNxZsEbgauOfLoUcsYI1cpR6WKzaYBseox/1HucrjQETGco1:Z2v6rb1bKp0TSomDYYj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • InternetDownloadManager6.38Build1.exe (PID: 6412)
    • Registers / Runs the DLL via REGSVR32.EXE

      • IDM1.tmp (PID: 6932)
    • Actions look like stealing of personal data

      • Kur.exe (PID: 6884)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • InternetDownloadManager6.38Build1.exe (PID: 6412)
      • IDM1.tmp (PID: 6932)
      • Kur.exe (PID: 6884)
    • Reads the date of Windows installation

      • InternetDownloadManager6.38Build1.exe (PID: 6412)
      • IDM1.tmp (PID: 6932)
    • Executable content was dropped or overwritten

      • InternetDownloadManager6.38Build1.exe (PID: 6412)
    • Starts application with an unusual extension

      • Kur.exe (PID: 6884)
    • The process creates files with names similar to system file names

      • IDM1.tmp (PID: 6932)
    • Creates a software uninstall entry

      • IDM1.tmp (PID: 6932)
    • Creates/Modifies COM task schedule object

      • IDM1.tmp (PID: 6932)
      • regsvr32.exe (PID: 6324)
      • regsvr32.exe (PID: 6352)
      • regsvr32.exe (PID: 6320)
  • INFO

    • Checks supported languages

      • InternetDownloadManager6.38Build1.exe (PID: 6412)
      • Kur.exe (PID: 6884)
      • IDM1.tmp (PID: 6932)
      • idmBroker.exe (PID: 6208)
      • IDMan.exe (PID: 6284)
    • Reads mouse settings

      • Kur.exe (PID: 6884)
    • Reads the computer name

      • InternetDownloadManager6.38Build1.exe (PID: 6412)
      • IDM1.tmp (PID: 6932)
      • idmBroker.exe (PID: 6208)
      • Kur.exe (PID: 6884)
    • Process checks computer location settings

      • InternetDownloadManager6.38Build1.exe (PID: 6412)
      • IDM1.tmp (PID: 6932)
    • Checks Windows language

      • Kur.exe (PID: 6884)
    • Creates files in a temporary directory

      • IDM1.tmp (PID: 6932)
    • Creates files in the program directory

      • IDM1.tmp (PID: 6932)
      • Kur.exe (PID: 6884)
    • Creates files or folders in the user directory

      • IDM1.tmp (PID: 6932)
      • Kur.exe (PID: 6884)
    • Reads Environment values

      • Kur.exe (PID: 6884)
    • UPX packer has been detected

      • InternetDownloadManager6.38Build1.exe (PID: 6412)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 65536
InitializedDataSize: 20480
UninitializedDataSize: 110592
EntryPoint: 0x2aa50
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.38.1.1
ProductVersionNumber: 6.38.1.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: Programindir.Cafe
FileDescription: Programindir.Cafe Katilimsiz Program
LegalCopyright: © 2020 By KiNGHaZe
LegalTrademarks: -
InternalName: -
ProductName: Internet Download Manager
OriginalFileName: -
FileVersion: 6.38.1.1
ProductVersion: 6.38.1.1
Comments: Programindir.Cafe Katilimsiz Program
PrivateBuild: -
SpecialBuild: -
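The Indicators block (MD5/SHA1/SHA256, "UPX compressed") and the EXIF block (MachineType, TimeStamp, ImageFileCharacteristics, PEType) are all derived statically from the file's headers. The following is an added example, not code from the ANY.RUN report, from ANY.RUN, or from the sample: it recomputes the three hashes and reads those header fields with the standard library only, then flags the UPX0/UPX1 section names that a "UPX packer has been detected" signature typically keys on. The PE built by build_sample_pe() is a constructed, headers-only stand-in that reuses the section sizes from the EXIF block; its layout is invented.

```python
"""Static triage for a PE sample: hashes, header fields, UPX section check.

Added example; not code from the ANY.RUN report, from ANY.RUN, or from the
sample. Standard library only. build_sample_pe() constructs a headers-only
PE32 for the demo, using the section sizes the EXIF block reports.
"""
import hashlib
import struct
from datetime import datetime, timezone

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
MACHINE_NAMES = {0x014C: "Intel 386 or later", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
# IMAGE_FILE_* bits, named the way the report's ImageFileCharacteristics line renders them.
CHARACTERISTIC_BITS = {0x0001: "No relocs", 0x0002: "Executable", 0x0100: "32-bit", 0x2000: "DLL"}


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests in the same three algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ("md5", "sha1", "sha256")}


def pe_summary(data: bytes) -> dict:
    """Read the DOS header, PE signature, COFF header and section table.

    Only the optional header's Magic word is consulted (PE32 vs PE32+).
    Raises ValueError when the bytes are not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    pe_type = "unknown"
    if opt_size >= 2:
        (magic,) = struct.unpack_from("<H", data, coff + 20)
        pe_type = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown")
    sections = []
    table = coff + 20 + opt_size
    for i in range(nsections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        virtual_size, _rva, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append({"name": name, "virtual_size": virtual_size, "raw_size": raw_size})
    # UPX keeps its own section names; the unpacked image is written into UPX0,
    # which has no raw data on disk (that is what UninitializedDataSize counts).
    # Section names are trivially renamed, so treat this as one signal and
    # confirm with `upx -d` or an entropy check before relying on it.
    is_upx = any(s["name"] in UPX_SECTION_NAMES for s in sections)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe_type": pe_type,
        # Attacker-controlled metadata: a build timestamp is evidence of nothing on its own.
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "characteristics": [label for bit, label in sorted(CHARACTERISTIC_BITS.items()) if chars & bit],
        "sections": sections,
        "is_upx": is_upx,
    }


def triage(data: bytes) -> dict:
    """Everything the report's Indicators and EXIF blocks derive statically, in one dict."""
    return {"hashes": file_hashes(data), **pe_summary(data)}


def build_sample_pe(section_specs, timestamp=1356914331, characteristics=0x0103) -> bytes:
    """Construct a minimal, non-executable PE32 (headers only) for demonstration.

    section_specs: iterable of (name, VirtualSize, VirtualAddress, SizeOfRawData).
    The default timestamp is the EXIF block's 2012-12-31 00:38:51 UTC; 0x0103 is
    RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE.
    """
    specs = list(section_specs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew (offset 0x3C) -> 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(specs), timestamp, 0, 0, 2, characteristics)
    optional = struct.pack("<H", 0x10B)                         # Magic only; SizeOfOptionalHeader = 2
    table = b"".join(
        name.encode().ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, rva, rsize, 0, 0, 0, 0, 0, 0)
        for name, vsize, rva, rsize in specs
    )
    return dos + b"PE\0\0" + coff + optional + table


# Constructed stand-in for the report's sample: UPX0 uninitialized (110592 bytes),
# UPX1 holding the packed code (65536), .rsrc (20480). The layout is invented.
SAMPLE_UPX_PE = build_sample_pe([("UPX0", 110592, 0x1000, 0), ("UPX1", 65536, 0x1C000, 65536),
                                 (".rsrc", 20480, 0x2C000, 20480)])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_UPX_PE).items():
        print(f"{key}: {value}")
```

On a real file, pass the bytes of the sample to triage() and compare the hashes against the values in the Indicators block before doing anything else; a mismatch means you are not looking at the same artifact the sandbox ran.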
All screenshots are available in the full report
Total processes: 133
Monitored processes: 12
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes as drawn on the graph, in order (labels as shown on the graph):
start
THREAT internetdownloadmanager6.38build1.exe
kur.exe (no specs)
kur.exe
idm1.tmp (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
idmbroker.exe (no specs)
idman.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)
regsvr32.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 6188
CMD: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: IDM1.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6208
CMD: "C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
Path: C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
Parent process: IDM1.tmp
User:
admin
Company:
Internet Download Manager, Tonec Inc.
Integrity Level:
HIGH
Description:
Broker for reading of IDM settings
Exit code:
0
Version:
6, 35, 9, 1
Modules
Images
c:\program files (x86)\internet download manager\idmbroker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6284
CMD: "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr /onsilentsetup
Path: C:\Program Files (x86)\Internet Download Manager\IDMan.exe
Parent process: IDM1.tmp
User:
admin
Company:
Tonec Inc.
Integrity Level:
HIGH
Description:
Internet Download Manager (IDM)
Exit code:
0
Version:
6, 38, 1, 2
Modules
Images
c:\program files (x86)\internet download manager\idman.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6320
CMD: /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6324
CMD: /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6352
CMD: /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6412
CMD: "C:\Users\admin\Desktop\InternetDownloadManager6.38Build1.exe"
Path: C:\Users\admin\Desktop\InternetDownloadManager6.38Build1.exe
Parent process: explorer.exe
User:
admin
Company:
Programindir.Cafe
Integrity Level:
MEDIUM
Description:
Programindir.Cafe Katilimsiz Program
Exit code:
0
Version:
6.38.1.1
Modules
Images
c:\users\admin\desktop\internetdownloadmanager6.38build1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6828
CMD: "C:\kinghaze\Kur.exe"
Path: C:\kinghaze\Kur.exe
Parent process: InternetDownloadManager6.38Build1.exe
User:
admin
Company:
Programindir.Cafe TEAM
Integrity Level:
MEDIUM
Description:
Programindir.Cafe Unattended Installer
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch needed elevation; Kur.exe was then relaunched as PID 6884 at HIGH integrity)
Version:
6.38.1.1
Modules
Images
c:\kinghaze\kur.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6884
CMD: "C:\kinghaze\Kur.exe"
Path: C:\kinghaze\Kur.exe
Parent process: InternetDownloadManager6.38Build1.exe
User:
admin
Company:
Programindir.Cafe TEAM
Integrity Level:
HIGH
Description:
Programindir.Cafe Unattended Installer
Exit code:
0
Version:
6.38.1.1
Modules
Images
c:\kinghaze\kur.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 6932
CMD: C:\kinghaze\kur\IDM1.tmp -d "C:\kinghaze\kur\" -skdlgs
Path: C:\kinghaze\Kur\IDM1.tmp
Parent process: Kur.exe
User:
admin
Company:
Tonec Inc.
Integrity Level:
HIGH
Description:
Internet Download Manager installer
Exit code:
0
Version:
6, 37, 15, 1
Modules
Images
c:\kinghaze\kur\idm1.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
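Two things in the Process information table deserve a programmatic check rather than a scroll: Kur.exe runs twice (PID 6828 at MEDIUM integrity exits with 3221226540, which is 0xC000042C, STATUS_ELEVATION_REQUIRED; PID 6884 then runs at HIGH), and regsvr32.exe is invoked four times with /s against DLLs under C:\Program Files (x86)\Internet Download Manager, three of those being the native C:\Windows\System32\regsvr32.exe with a regsvr32.exe parent, which is consistent with the 32-bit regsvr32 handing 64-bit DLLs to the 64-bit one. The following is an added example, not code from the ANY.RUN report or from ANY.RUN: RECORDS is constructed from the PID, CMD, Path, Integrity Level, Exit code and Parent process fields above, and the field names and both checks are my own.

```python
"""Process-tree triage over the sandbox's per-process records.

Added example; not part of the ANY.RUN report. RECORDS is constructed from the
PID, CMD, Path, Integrity Level, Exit code and Parent process fields shown in
the Process information table; the field names and both checks are my own.
Check 1 spots a UAC elevation: an image launched at MEDIUM integrity that exits
with STATUS_ELEVATION_REQUIRED and is then launched again at HIGH.
Check 2 lists every regsvr32.exe invocation that silently (/s) registers a DLL
outside the Windows directory, and which parent asked for it.
"""
from dataclasses import dataclass
import re

STATUS_ELEVATION_REQUIRED = 0xC000042C   # NTSTATUS; the report prints it in decimal, 3221226540


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str
    path: str        # image path as the sandbox resolved it (SysWOW64 for the 32-bit regsvr32)
    integrity: str   # "MEDIUM" / "HIGH"
    exit_code: int
    parent: str      # parent image name, which is all the report gives (not a PID)

    @property
    def image(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


IDM_DIR = r"C:\Program Files (x86)\Internet Download Manager"
RECORDS = [
    Proc(6412, r'"C:\Users\admin\Desktop\InternetDownloadManager6.38Build1.exe"',
         r"C:\Users\admin\Desktop\InternetDownloadManager6.38Build1.exe", "MEDIUM", 0, "explorer.exe"),
    Proc(6828, r'"C:\kinghaze\Kur.exe"', r"C:\kinghaze\Kur.exe", "MEDIUM", 3221226540,
         "InternetDownloadManager6.38Build1.exe"),
    Proc(6884, r'"C:\kinghaze\Kur.exe"', r"C:\kinghaze\Kur.exe", "HIGH", 0,
         "InternetDownloadManager6.38Build1.exe"),
    Proc(6932, r'C:\kinghaze\kur\IDM1.tmp -d "C:\kinghaze\kur\" -skdlgs', r"C:\kinghaze\Kur\IDM1.tmp",
         "HIGH", 0, "Kur.exe"),
    Proc(6188, rf'"C:\Windows\System32\regsvr32.exe" /s "{IDM_DIR}\downlWithIDM64.dll"',
         r"C:\Windows\SysWOW64\regsvr32.exe", "HIGH", 0, "IDM1.tmp"),
    Proc(6208, rf'"{IDM_DIR}\idmBroker.exe" -RegServer', rf"{IDM_DIR}\idmBroker.exe", "HIGH", 0, "IDM1.tmp"),
    Proc(6284, rf'"{IDM_DIR}\IDMan.exe" /rtr /onsilentsetup', rf"{IDM_DIR}\IDMan.exe", "HIGH", 0, "IDM1.tmp"),
    Proc(6320, rf' /s "{IDM_DIR}\downlWithIDM64.dll"', r"C:\Windows\System32\regsvr32.exe", "HIGH", 0, "regsvr32.exe"),
    Proc(6324, rf' /s "{IDM_DIR}\IDMIECC64.dll"', r"C:\Windows\System32\regsvr32.exe", "HIGH", 0, "regsvr32.exe"),
    Proc(6352, rf' /s "{IDM_DIR}\IDMGetAll64.dll"', r"C:\Windows\System32\regsvr32.exe", "HIGH", 0, "regsvr32.exe"),
]

DLL_ARG = re.compile(r'"([^"]+\.dll)"', re.IGNORECASE)


def find_elevations(records):
    """(medium_pid, high_pid, path) for every image relaunched at HIGH after an elevation failure.

    Grouping is by image path rather than by PID order: PIDs are reused and do not
    encode launch order on Windows, and the report carries no timestamps to sort on.
    """
    by_path = {}
    for p in records:
        by_path.setdefault(p.path.lower(), []).append(p)
    hits = []
    for procs in by_path.values():
        failed = [p for p in procs if p.integrity == "MEDIUM" and p.exit_code == STATUS_ELEVATION_REQUIRED]
        elevated = [p for p in procs if p.integrity == "HIGH"]
        hits.extend((f.pid, e.pid, e.path) for f in failed for e in elevated)
    return hits


def find_regsvr32_registrations(records, windows_dir="C:\\Windows"):
    """One finding per regsvr32.exe record: DLL registered, /s flag, location, native-or-WOW64, parent."""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    findings = []
    for p in records:
        if p.image != "regsvr32.exe":
            continue
        m = DLL_ARG.search(p.cmd)
        dll = m.group(1) if m else None
        findings.append({
            "pid": p.pid,
            "dll": dll,
            "silent": "/s" in {t.lower() for t in p.cmd.split()},
            "outside_windows": dll is not None and not dll.lower().startswith(prefix),
            # Judged on the Path column, not the CMD: a 32-bit caller's "System32" is redirected
            # to SysWOW64, and the WOW64 regsvr32 hands a 64-bit DLL to the native one, which is
            # why three records run C:\Windows\System32\regsvr32.exe with regsvr32.exe as parent.
            "native64": p.path.lower().startswith("c:\\windows\\system32\\"),
            "parent": p.parent,
        })
    return findings


if __name__ == "__main__":
    for medium_pid, high_pid, path in find_elevations(RECORDS):
        print(f"elevation: {path} PID {medium_pid} (MEDIUM, 0xC000042C) -> PID {high_pid} (HIGH)")
    for f in find_regsvr32_registrations(RECORDS):
        print(f"regsvr32 PID {f['pid']}: /s={f['silent']} native64={f['native64']} "
              f"dll={f['dll']} outside_windows={f['outside_windows']} parent={f['parent']}")
```

The regsvr32 findings are not a verdict on their own: a legitimate IDM installer registers exactly these browser-integration DLLs. What the check gives you is the chain to audit, here IDM1.tmp (signed-looking Tonec installer metadata) launched by Kur.exe from C:\kinghaze, which is where the cracked wrapper, not the vendor installer, is doing the work.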
Total events: 6 134
Read events: 6 023
Write events: 105
Delete events: 6

Modification events

(PID) Process: (6412) InternetDownloadManager6.38Build1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6412) InternetDownloadManager6.38Build1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6412) InternetDownloadManager6.38Build1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6412) InternetDownloadManager6.38Build1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6884) Kur.exe
Key: HKEY_CURRENT_USER\SOFTWARE\DownloadManager
Operation: write
Name: bShLc2
Value: 1

(PID) Process: (6932) IDM1.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager
Operation: write
Name: UninstallString
Value: C:\Program Files (x86)\Internet Download Manager\Uninstall.exe

(PID) Process: (6932) IDM1.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager
Operation: write
Name: DisplayName
Value: Internet Download Manager

(PID) Process: (6932) IDM1.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager
Operation: write
Name: DisplayVersion
Value: 6.38.1

(PID) Process: (6932) IDM1.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\Internet Download Manager\IDMan.exe

(PID) Process: (6932) IDM1.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager
Operation: write
Name: Publisher
Value: Tonec Inc.
Executable files: 40
Suspicious files: 43
Text files: 280
Unknown types: 6

Dropped files

PID | Process | Filename | Type

6412 | InternetDownloadManager6.38Build1.exe | C:\kinghaze\Kur\IDM100.tmp | executable
MD5: 09959EE223C5D34C82F1EFB8BC8233CB
SHA256: 1FDB0D5B31E080084C82E0B773DAFC7860FA860938B8BAEF6A4D7F5BDE659F73

6412 | InternetDownloadManager6.38Build1.exe | C:\kinghaze\Kur\IDM0.tmp | html
MD5: 17FF1BA7D7836E09D0A7EEDAD54BD9C6
SHA256: D765B55728822BE1C227F908DC9CB8462B7DCF65EA1BA9FCF24EB029BFD229C8

6412 | InternetDownloadManager6.38Build1.exe | C:\kinghaze\Kur\IDM103.tmp | text
MD5: 16E2DAB5D2473C59DEA2B2BD316517E8
SHA256: 07C8896550FBAA6E8FEC792E15D240DED0BCFFA258A928C1EFD8542FF0385511

6412 | InternetDownloadManager6.38Build1.exe | C:\kinghaze\Kur\IDM110.tmp | executable
MD5: 3114BB1630E44CFBD48B09E0D6057C8F
SHA256: 1621FD14DD72DCCE8BBA2E7F46D656744D2975F8AD94B36D2ADE01415F48022A

6412 | InternetDownloadManager6.38Build1.exe | C:\kinghaze\Kur\IDM106.tmp | executable
MD5: FD58845EA4E13C2064BD9147F618DE44
SHA256: EA1BE49A738FCC42764C74AB4D849ABC8ADE4A25799A14DA76FA57D4CB971CD5

6412 | InternetDownloadManager6.38Build1.exe | C:\kinghaze\Kur\IDM105.tmp | text
MD5: 748C5590939571E92A7C16AC702A74CA
SHA256: 9145CFE47D32CF3E45840CE0344DA1D29810EF9D756ECDDAEBB803C59869E945

6412 | InternetDownloadManager6.38Build1.exe | C:\kinghaze\Kur\IDM112.tmp | executable
MD5: C9BF7AEC9F78380341F3B9A97A609CB3
SHA256: C101DD60F8C1DE229D108EBBE9FCA711FDDBF90669FA2879FFEA7915349802C8

6412 | InternetDownloadManager6.38Build1.exe | C:\kinghaze\Kur\IDM11.tmp | text
MD5: 6B73FE1D838EB6E22A7B15A9E070D897
SHA256: 0022D8BFB155B04E030B680BFCDCCB119236DD6680F64843B77E53AA072E652B

6412 | InternetDownloadManager6.38Build1.exe | C:\kinghaze\Kur\IDM115.tmp | text
MD5: 5A23C19A88C035283CA65506F213D1EC
SHA256: 0FCDC63880B2ECA559D7840874B1FA06F614BC29950AC0698B9E5B0ABDA150FA

6412 | InternetDownloadManager6.38Build1.exe | C:\kinghaze\Kur\IDM114.tmp | compressed
MD5: 10D9220EA4E455276734E884E830A0D2
SHA256: E691EBADD8C6E7A07D9C8C931F4760F9AADD2B151019E4F17A76A1665057C9CB
HTTP(S) requests: 1
TCP/UDP connections: 15
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(PID and process not recorded) | POST | 204 | 104.126.37.185:443 | https://www.bing.com/threshold/xls.aspx | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | whitelisted
4576 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
1984 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
4324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5336 | SearchApp.exe | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.bing.com
  • 104.126.37.145
  • 104.126.37.177
  • 104.126.37.128
  • 104.126.37.154
  • 104.126.37.184
  • 104.126.37.153
  • 104.126.37.163
  • 104.126.37.152
  • 104.126.37.185
whitelisted
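"Threats: 0" in the network section answers one question; the one a practitioner asks next is whether any of the twelve monitored processes touched the network at all. Every PID in the Connections table (System, svchost.exe, RUXIMICS.exe, MoUsoCoreWorker.exe, SearchApp.exe) is Windows background activity, and the single HTTP request carries no PID. The following is an added example, not code from the ANY.RUN report or from ANY.RUN: CONNECTIONS is constructed from the Connections and HTTP requests tables above, MONITORED_PIDS is the set from the Process information table, and the bucket names and classification rules are my own.

```python
"""Attribute sandbox network activity to the sample's process tree.

Added example; not part of the ANY.RUN report. CONNECTIONS is constructed
from the Connections and HTTP requests tables above; MONITORED_PIDS is the
PID set from the Process information table. Bucket names are my own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MONITORED_PIDS = {6412, 6828, 6884, 6932, 6188, 6208, 6284, 6320, 6324, 6352}

# Domains that, in this capture, belong to Windows telemetry and Windows Search.
OS_BACKGROUND_DOMAINS = {"settings-win.data.microsoft.com", "www.bing.com"}


@dataclass(frozen=True)
class Conn:
    pid: Optional[int]          # None when the report did not attribute the flow to a process
    process: Optional[str]
    ip: str
    port: int
    domain: Optional[str] = None


CONNECTIONS = [
    Conn(4, "System", "192.168.100.255", 138),
    Conn(4576, "svchost.exe", "4.231.128.59", 443, "settings-win.data.microsoft.com"),
    Conn(3888, "svchost.exe", "239.255.255.250", 1900),
    Conn(1984, "RUXIMICS.exe", "4.231.128.59", 443, "settings-win.data.microsoft.com"),
    Conn(2120, "MoUsoCoreWorker.exe", "4.231.128.59", 443, "settings-win.data.microsoft.com"),
    Conn(4, "System", "192.168.100.255", 137),
    Conn(4324, "svchost.exe", "4.231.128.59", 443, "settings-win.data.microsoft.com"),
    Conn(5336, "SearchApp.exe", "104.126.37.145", 443, "www.bing.com"),
    # The one HTTP request (POST https://www.bing.com/threshold/xls.aspx) had no PID in the report.
    Conn(None, None, "104.126.37.185", 443, "www.bing.com"),
]


def classify(conn: Conn, monitored=MONITORED_PIDS) -> str:
    """Bucket a flow. Order matters: attribution to the sample beats any allow-list."""
    if conn.pid in monitored:
        return "sample"                 # made by the sample's tree: always review, whatever the domain
    if conn.pid is None:
        return "unattributed"           # never dismiss on domain reputation; check the PCAP
    addr = ipaddress.ip_address(conn.ip)
    if addr.is_multicast:
        return "local-discovery"        # SSDP to 239.255.255.250:1900
    if addr.is_private and conn.port in (137, 138) and conn.ip.endswith(".255"):
        return "local-discovery"        # NetBIOS name/datagram service broadcast on the sandbox LAN
    if conn.domain in OS_BACKGROUND_DOMAINS:
        return "os-background"          # Windows telemetry / Search from system processes
    return "review"                     # anything else from a non-monitored process still gets eyes


def bucket(connections, monitored=MONITORED_PIDS) -> dict:
    out = {}
    for c in connections:
        out.setdefault(classify(c, monitored), []).append(c)
    return out


def summarize(connections, monitored=MONITORED_PIDS) -> dict:
    """Counts per bucket plus the two flags an analyst reads first."""
    b = bucket(connections, monitored)
    return {
        "counts": {k: len(v) for k, v in b.items()},
        "sample_made_connections": bool(b.get("sample")),
        "needs_pcap_review": bool(b.get("unattributed")) or bool(b.get("review")),
    }


if __name__ == "__main__":
    for name, flows in bucket(CONNECTIONS).items():
        print(name)
        for c in flows:
            print(f"  {c.pid} {c.process} {c.ip}:{c.port} {c.domain or ''}")
    print(summarize(CONNECTIONS))
```

An empty "sample" bucket says the monitored processes made no connection inside the analysis window, not that the installed components never will; IDMan.exe and idmBroker.exe were started with setup switches and exited with code 0. The unattributed POST stays flagged for PCAP review on purpose: a whitelisted domain is a statement about the destination, not about which process chose it.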

Threats

No threats detected
No debug info