File name:

IDM_6.4x_v19.7_IDMCRACKDL.rar

Full analysis: https://app.any.run/tasks/c3615082-9520-4035-8aab-9f8bedb4a088
Verdict: Malicious activity
Analysis date: July 14, 2024, 18:00:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

E6CC62A826B0F78E45D4902339453CA5

SHA1:

B7E666DF90757DD8C42802B077F32B9E94F9976F

SHA256:

2A1FC528F72C1AAF624B673E74AD866CB49386B7F5DFE03B273CB963ABB0394F

SSDEEP:

1536:9mrqxTDSZMgwlrftmNkWSM79NJ57IrQ2o3PvYUZM4:9mmxTDZr2kyZXFIrQjnYMD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 2256)

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 2256)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 2256)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 2256)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 2256)

  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • IDM_6.4x_Crack_v19.7.exe (PID: 2840)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 2120)

    • Executing commands from a ".bat" file

      • IDM_6.4x_Crack_v19.7.exe (PID: 2840)
      • cmd.exe (PID: 3696)

    • Starts CMD.EXE for commands execution

      • IDM_6.4x_Crack_v19.7.exe (PID: 2840)
      • cmd.exe (PID: 3696)

    • Application launched itself

      • cmd.exe (PID: 3696)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3696)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 3696)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3988)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 2328)

    • Hides command output

      • cmd.exe (PID: 3988)
      • cmd.exe (PID: 2120)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3696)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 2256)

    • The process executes VB scripts

      • IDM_6.4x_Crack_v19.7.exe (PID: 2840)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 2256)

  • INFO

    • Checks supported languages

      • IDM_6.4x_Crack_v19.7.exe (PID: 2840)
      • chcp.com (PID: 3800)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3344)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3344)

    • Reads the computer name

      • IDM_6.4x_Crack_v19.7.exe (PID: 2840)

    • Manual execution by a user

      • IDM_6.4x_Crack_v19.7.exe (PID: 2956)
      • IDM_6.4x_Crack_v19.7.exe (PID: 2840)

    • Create files in a temporary directory

      • IDM_6.4x_Crack_v19.7.exe (PID: 2840)
      • reg.exe (PID: 2064)

    • Checks operating system version

      • cmd.exe (PID: 3696)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 3684)
      • powershell.exe (PID: 2856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
95
Monitored processes
52
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe idm_6.4x_crack_v19.7.exe no specs idm_6.4x_crack_v19.7.exe reg.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs find.exe no specs powershell.exe no specs find.exe no specs reg.exe no specs powershell.exe no specs find.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
240reg query HKU\S-1-5-21-1302019708-1500728564-335382590-1000\Software C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
324reg delete HKCU\IAS_TEST /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
744reg query "HKCU\Software\DownloadManager" "/v" "Serial" C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
952reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt" C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1020powershell.exe write-host -back '"DarkGreen"' -fore '"white"' '"The IDM reset process has been completed."'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1144reg delete HKU\S-1-5-21-1302019708-1500728564-335382590-1000\IAS_TEST /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1608reg query HKU\S-1-5-21-1302019708-1500728564-335382590-1000\Software C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1788powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2000reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTUREC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2016reg query "HKCU\Software\DownloadManager" "/v" "Email" C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
22 620
Read events
22 543
Write events
62
Delete events
15

Modification events

(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3344) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\IDM_6.4x_v19.7_IDMCRACKDL.rar
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
1
Suspicious files
13
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
2064reg.exeC:\Windows\Temp\_Backup_HKCU_CLSID_20240714-190136441.regtext
MD5:F58D4E5F0B6A7E69AA96964ABCDEF744
SHA256:253D606D5060BB62CFA2411477004C8ED2ECA7925A2B0770691D485678AABF73
2840IDM_6.4x_Crack_v19.7.exeC:\Users\admin\AppData\Local\Temp\BATCLEN.battext
MD5:9FE22C4AD624881F8F0977CC7614346F
SHA256:12B47C1949CC555C2F68F9FD4677ED5266F25C4DA4630BEC36E303629B133225
3684powershell.exeC:\Users\admin\AppData\Local\Temp\kdqvf3r2.wnw.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2840IDM_6.4x_Crack_v19.7.exeC:\Users\admin\AppData\Local\Temp\IDMRegClean.regtext
MD5:73C023B1480CC88BE4D7761EF11A7703
SHA256:9C7F6CE7CE6FA4093A20CFA3C1A6D2CDD7D5307AFF7405830C898A21F154ED68
3684powershell.exeC:\Users\admin\AppData\Local\Temp\mcbu3psd.ll4.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1788powershell.exeC:\Users\admin\AppData\Local\Temp\gad5dxxa.c3h.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3084powershell.exeC:\Users\admin\AppData\Local\Temp\rsx4qfd4.5gd.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2064reg.exeC:\Users\admin\AppData\Local\Temp\REG844A.tmptext
MD5:F58D4E5F0B6A7E69AA96964ABCDEF744
SHA256:253D606D5060BB62CFA2411477004C8ED2ECA7925A2B0770691D485678AABF73
2856powershell.exeC:\Users\admin\AppData\Local\Temp\ynmvr23l.afx.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
4004powershell.exeC:\Users\admin\AppData\Local\Temp\3rhacbpy.ruy.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
13
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
23.50.131.213:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
whitelisted
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1372
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1372
svchost.exe
23.50.131.213:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.213
  • 23.50.131.196
  • 93.184.221.240
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
idm.0dy.ir
  • 188.114.96.3
  • 188.114.97.3
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
IDM_6.4x_v19.7_IDMCRACKDL.rar