File name:

IDM v6.41.15 By IDMLover.com.rar

Full analysis: https://app.any.run/tasks/06968c17-1546-406e-bcfe-e40dbf0cfdde
Verdict: Malicious activity
Analysis date: July 19, 2023, 00:33:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

EDD22F17F18B9CD1B62B798C74AD2EC3

SHA1:

8CDB0AF7B0F5C57C8E6BDACC06594D990B879994

SHA256:

3F20D1E8B0A481D11617060B08A9FD850083DE25C8BBB16D58110474F648B45D

SSDEEP:

196608:koKSBUib1GLp8jVTdjZxu5+khccBJ9or+fV1XDPNveeOPuvhIeu:kscmd1I5+WJ9orUDhhvy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • idman641build15.exe (PID: 2180)
      • idman641build15.exe (PID: 1632)
      • IDM_6.4x_Crack_v18.1.exe (PID: 3932)
      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
      • UnSigner.exe (PID: 3924)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
    • Unusual connection from system programs

      • wscript.exe (PID: 4036)
    • Starts NET.EXE for service management

      • Uninstall.exe (PID: 1348)
      • net.exe (PID: 3448)
    • Creates a writable file in the system directory

      • rundll32.exe (PID: 3528)
    • Actions look like stealing of personal data

      • IDMan.exe (PID: 2828)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • idman641build15.exe (PID: 1632)
    • The process creates files with name similar to system file names

      • IDM1.tmp (PID: 2468)
    • Reads the Internet Settings

      • IDM1.tmp (PID: 2468)
      • IDMan.exe (PID: 1184)
      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
      • wscript.exe (PID: 4036)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
      • Uninstall.exe (PID: 1348)
      • runonce.exe (PID: 3876)
    • Reads security settings of Internet Explorer

      • IDMan.exe (PID: 1184)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
    • Reads settings of System Certificates

      • IDMan.exe (PID: 1184)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
    • Creates/Modifies COM task schedule object

      • IDMan.exe (PID: 1184)
      • Uninstall.exe (PID: 1348)
    • Application launched itself

      • WinRAR.exe (PID: 3624)
      • cmd.exe (PID: 3128)
    • Executable content was dropped or overwritten

      • dllhost.exe (PID: 1760)
      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
      • wscript.exe (PID: 3416)
      • UnSigner.exe (PID: 3924)
      • IDMan.exe (PID: 2828)
      • rundll32.exe (PID: 3528)
    • Checks Windows Trust Settings

      • IDMan.exe (PID: 1184)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
    • Searches for installed software

      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
    • The process executes VB scripts

      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
    • Uses REG/REGEDIT.EXE to modify registry

      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
      • cmd.exe (PID: 3128)
    • Uses TASKKILL.EXE to kill process

      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
    • Starts CMD.EXE for commands execution

      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
      • cmd.exe (PID: 3128)
    • Executing commands from a ".bat" file

      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
    • Identifying current user with WHOAMI command

      • cmd.exe (PID: 2804)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3128)
    • Uses RUNDLL32.EXE to load library

      • Uninstall.exe (PID: 1348)
    • Drops a system driver (possible attempt to evade defenses)

      • rundll32.exe (PID: 3528)
    • Creates or modifies Windows services

      • Uninstall.exe (PID: 1348)
    • Adds/modifies Windows certificates

      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3624)
      • WinRAR.exe (PID: 2528)
    • Checks supported languages

      • idman641build15.exe (PID: 1632)
      • IDMan.exe (PID: 1184)
      • IDM1.tmp (PID: 2468)
      • idmBroker.exe (PID: 3484)
      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
      • UnSigner.exe (PID: 3924)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
      • Uninstall.exe (PID: 1348)
      • IEMonitor.exe (PID: 1664)
    • Create files in a temporary directory

      • IDM1.tmp (PID: 2468)
      • idman641build15.exe (PID: 1632)
      • IDMan.exe (PID: 1184)
      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
    • Creates files or folders in the user directory

      • IDM1.tmp (PID: 2468)
      • IDMan.exe (PID: 1184)
      • IDMan.exe (PID: 2828)
    • Reads the machine GUID from the registry

      • IDM1.tmp (PID: 2468)
      • IDMan.exe (PID: 1184)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
    • The process checks LSA protection

      • IDM1.tmp (PID: 2468)
      • IDMan.exe (PID: 1184)
      • dllhost.exe (PID: 1760)
      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
      • taskkill.exe (PID: 3832)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
      • Uninstall.exe (PID: 1348)
      • runonce.exe (PID: 3876)
    • Creates files in the program directory

      • IDM1.tmp (PID: 2468)
      • IDMan.exe (PID: 1184)
      • wscript.exe (PID: 3416)
    • Reads the computer name

      • IDM1.tmp (PID: 2468)
      • IDMan.exe (PID: 1184)
      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
      • Uninstall.exe (PID: 1348)
      • IEMonitor.exe (PID: 1664)
    • Manual execution by a user

      • IDM_6.4x_Crack_v18.1.exe (PID: 3932)
      • IDM_6.4x_Crack_v18.1.exe (PID: 3020)
      • IDMan.exe (PID: 3704)
      • IDMan.exe (PID: 2828)
      • chrome.exe (PID: 3632)
    • Checks proxy server information

      • wscript.exe (PID: 4036)
      • IDMan.exe (PID: 2828)
    • Reads the time zone

      • runonce.exe (PID: 3876)
    • Creates files in the driver directory

      • rundll32.exe (PID: 3528)
    • Application launched itself

      • chrome.exe (PID: 3632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 356
Monitored processes: 282
Malicious processes: 10
Suspicious processes: 3

Behavior graph

Flattened from the interactive graph; only node labels survive ("no specs" marks an instance with no indicators recorded). Edge labels at the head of the graph: drop and start, drop and start, start, drop and start. Nodes in graph order:

winrar.exe, idman641build15.exe (no specs), idman641build15.exe, idm1.tmp (no specs), idmbroker.exe (no specs), idman.exe, winrar.exe, Copy/Move/Rename/Delete/Link Object, idm_6.4x_crack_v18.1.exe (no specs), idm_6.4x_crack_v18.1.exe, wscript.exe, taskkill.exe (no specs), reg.exe (no specs), unsigner.exe, cmd.exe (no specs), cmd.exe (no specs), whoami.exe (no specs), reg.exe (no specs, repeated many times), wscript.exe, reg.exe (no specs, repeated many times), powershell.exe (no specs), reg.exe (no specs, repeated), powershell.exe (no specs), reg.exe (no specs, repeated many times), powershell.exe (no specs), idman.exe, idman.exe, uninstall.exe (no specs), uninstall.exe, rundll32.exe, runonce.exe (no specs), grpconv.exe (no specs), net.exe (no specs), net1.exe (no specs), iemonitor.exe (no specs), chrome.exe, chrome.exe (no specs), chrome.exe (no specs), chrome.exe, chrome.exe (no specs, repeated about twenty times)

Process information

PID: 116
CMD: reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\reg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 240
CMD: REG DELETE "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\reg.exe
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\ws2_32.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\user32.dll

PID: 268
CMD: REG DELETE "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\reg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 268
CMD: reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\reg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 272
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1008,7983023398584137582,7380707213871232107,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\google\chrome\application\chrome.exe
  c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
  c:\windows\system32\version.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
  c:\windows\system32\shlwapi.dll

PID: 276
CMD: reg query "HKLM\Software\Internet Download Manager"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\reg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 280
CMD: REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\windows\system32\reg.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 304
CMD: REG ADD "HKLM\Software\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\reg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\user32.dll

PID: 308
CMD: reg query "HKLM\Software\Wow6432Node\Download Manager"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\reg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll

PID: 308
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1008,7983023398584137582,7380707213871232107,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2536 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\google\chrome\application\chrome.exe
  c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
  c:\windows\system32\version.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
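The process table above is the most useful part of this report: every reg.exe instance was spawned by cmd.exe at HIGH integrity, the DELETE operations target CLSID registrations under HKLM\Software\Classes and HKCU\Software\Classes, and the one REG ADD that succeeded (exit code 0) writes AdvIntDriverEnabled2 under HKLM\Software\Internet Download Manager. reg.exe exits with 1 when a query finds no key or a delete has nothing to remove; for the four operations that name Wow6432Node that outcome is expected, because Wow6432Node exists only on 64-bit Windows and this guest is 32-bit, so the crack's batch file simply tries both paths. The rules below are an added example, not code from ANY.RUN or from the sample; they run over a handful of process-creation events constructed from the table and the indicator list. The reg.exe command lines are the ones printed above; the command lines for whoami.exe, taskkill.exe, wscript.exe and net.exe are not shown on the page and are assumed.

```python
"""Process-creation rules for the behaviour this report records.

Added example, not code from ANY.RUN or from the sample. EVENTS is
constructed by hand from the report: PIDs, images, parents, exit codes
and the reg.exe command lines are the ones printed in the process table;
command lines marked 'assumed' are not shown on the page.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str                      # image name as the report prints it
    parent: str                     # parent image name
    cmdline: str
    integrity: str = "HIGH"
    exit_code: Optional[int] = None


EVENTS = [
    ProcEvent(116, "reg.exe", "cmd.exe",
              r'reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"', exit_code=1),
    ProcEvent(240, "reg.exe", "cmd.exe",
              r'REG DELETE "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f', exit_code=1),
    ProcEvent(268, "reg.exe", "cmd.exe",
              r'REG DELETE "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f', exit_code=1),
    ProcEvent(280, "reg.exe", "cmd.exe",
              r'REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f', exit_code=1),
    ProcEvent(304, "reg.exe", "cmd.exe",
              r'REG ADD "HKLM\Software\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f', exit_code=0),
    ProcEvent(308, "reg.exe", "cmd.exe",
              r'reg query "HKLM\Software\Wow6432Node\Download Manager"', exit_code=1),
    ProcEvent(2804, "whoami.exe", "cmd.exe", "whoami"),                       # cmdline assumed
    ProcEvent(3832, "taskkill.exe", "IDM_6.4x_Crack_v18.1.exe", "taskkill"),   # cmdline assumed
    ProcEvent(4036, "wscript.exe", "IDM_6.4x_Crack_v18.1.exe", "wscript"),     # cmdline assumed
    ProcEvent(3448, "net.exe", "Uninstall.exe", "net"),                        # cmdline assumed
]

# A COM class registration key, with or without the WOW64 redirection node.
CLSID_KEY = re.compile(
    r'(HK(?:LM|CU)\\Software\\Classes\\(?:Wow6432Node\\)?CLSID\\\{[0-9A-Fa-f-]{36}\})', re.I)
REG_VERB = re.compile(r'^reg\s+(query|add|delete)\b', re.I)
# Recon tools and script/loader hosts that an installer has no business spawning.
RECON_AND_LOLBINS = {"whoami.exe", "taskkill.exe", "net.exe", "wscript.exe",
                     "powershell.exe", "rundll32.exe"}
SYSTEM_PARENTS = {"services.exe", "svchost.exe", "explorer.exe"}


def reg_verb(ev):
    m = REG_VERB.match(ev.cmdline.strip())
    return m.group(1).lower() if m else None


def run_rules(events, host_is_64bit=False):
    """Return (rule, pid, detail) findings for the given process events."""
    findings = []
    for ev in events:
        img = ev.image.lower()
        verb = reg_verb(ev) if img == "reg.exe" else None
        clsid = CLSID_KEY.search(ev.cmdline) if verb else None
        if verb == "delete" and clsid:
            # Unregistering COM classes from a shell at high integrity.
            findings.append(("com_clsid_delete", ev.pid, clsid.group(1)))
        if verb == "add" and ev.cmdline.upper().startswith('REG ADD "HKLM\\'):
            findings.append(("hklm_write_from_shell", ev.pid, ev.cmdline))
        if verb and "Wow6432Node" in ev.cmdline and not host_is_64bit and ev.exit_code == 1:
            # Wow6432Node does not exist on 32-bit Windows, so exit code 1 is
            # the expected outcome here, not evidence of anything else.
            findings.append(("wow6432node_on_32bit_host", ev.pid, "expected failure"))
        if img in RECON_AND_LOLBINS and ev.parent.lower() not in SYSTEM_PARENTS:
            findings.append(("lolbin_from_user_process", ev.pid, f"{ev.parent} -> {img}"))
    return findings


def reg_children_per_parent(events, threshold):
    """Parents that spawned at least `threshold` reg.exe children."""
    counts = Counter(ev.parent.lower() for ev in events if ev.image.lower() == "reg.exe")
    return {parent: n for parent, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rule, pid, detail in run_rules(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
    print("reg.exe bursts:", reg_children_per_parent(EVENTS, threshold=5))
```

The thresholds are parameters on purpose: in the real run cmd.exe spawned far more than the six reg.exe children modelled here, so reg_children_per_parent with a threshold of a few dozen would fire on the graph above without firing on an ordinary installer, and the Wow6432Node rule is an annotation for the analyst rather than a detection.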
Total events: 41 501
Read events: 40 981
Write events: 391
Delete events: 129

Modification events

PID | Process | Key | Operation | Name | Value
3624 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E | write | LanguageList | en-US
3624 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
3624 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3624 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\phacker.zip
3624 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
3624 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
3624 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
3624 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
3624 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface | write | ShowPassword | 0
3624 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
Executable files: 18
Suspicious files: 152
Text files: 141
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3624.32376\IDM v6.41.15 By IDMLover.com\idman641build15.exe | executable
  MD5: 868E7C026169D53150BDB41C70B57536
  SHA256: C70D80FE3C94371FB693572697CD8627452519D1855D23B1C680DC21B50B2059
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3624.32376\IDM v6.41.15 By IDMLover.com\IDM_6.4x_Crack_v18.1.rar | compressed
  MD5: 85A9726C8A9D3EA5FE5BADC944645337
  SHA256: 80D3D5AADE8B4215E51F429492DE91F42E757205868005DD4A8EFA413DF383C3
2468 | IDM1.tmp | C:\Users\admin\AppData\Local\Temp\IDM_Setup_Temp\IDMSetup2.log | binary
  MD5: 1C92BCB479B9EE7BBC5F5E6754B125B2
  SHA256: 95EFFBCC2269DB3E96C984D8249D14DBCDD8D4CF6A43143CBA0D7D20F96DF991
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3624.32376\IDM v6.41.15 By IDMLover.com\Read Me First.txt | text
  MD5: ADCD7C3BC537B9211754E8C24E939680
  SHA256: 3EE34D99A071D09BD8AD8F62BEF42E2998E6F33B40AB5D0FB57AC1E878241A49
2468 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\TUTORIALS.lnk | binary
  MD5: 616B5528374F8A953AAEB52E12B7B957
  SHA256: F10ABB2CE2EEAB61BFE0D669DA3AED5813F459D8407E12AC6F16AF88B932F8B5
2468 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Internet Download Manager.lnk | binary
  MD5: BE41FCBC8EF0BF0D381B4752583B9593
  SHA256: CFE9D0755DEF1AF8FDF50287A38CD864D3BAB6CF2B4C12229E8EE53715912FCF
2468 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Grabber Help.lnk | binary
  MD5: 6A0D6DF41CC99878D54BD4201D1A4A87
  SHA256: 111D00A2DF87CBD5C3920A97C71257FE179C5DD67FB5EF0CCDC1FEF885661F03
2468 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\IDM Help.lnk | binary
  MD5: F242B0CEE9021ED1E58E057B9A179A1A
  SHA256: C3521F35490BDDF54C06DB353945813798CF82164294A5F3CF86CBA705C8FDC4
2468 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Internet Download Manager.lnk | binary
  MD5: E8670724DABB12B118E265CB2B2F77B3
  SHA256: 959621870C0A8DA996EFA6043D92D7F9B8BB1640BF569B9F72D754DAD7482FEF
2468 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\IDM Help.lnk | binary
  MD5: E11C2329096E5BB8821B5CAEB4988AC6
  SHA256: 3AC65160929AF3BB8D835D280D678048E7EEB0991F5FBB7B01A3301B56643E50
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 21
TCP/UDP connections: 74
DNS requests: 48
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
864 | svchost.exe | HEAD | 403 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/fessmlfzcgvxcvvlvzjb5y3pia_9.46.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.46.0_all_j3wc2ia5cvmxcar5vj37bzshkm.crx3 | US | | | whitelisted
864 | svchost.exe | HEAD | 200 | 142.250.179.206:80 | http://dl.google.com/release2/chrome_component/fessmlfzcgvxcvvlvzjb5y3pia_9.46.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.46.0_all_j3wc2ia5cvmxcar5vj37bzshkm.crx3 | US | | | whitelisted
864 | svchost.exe | GET | | 142.250.179.206:80 | http://dl.google.com/release2/chrome_component/fessmlfzcgvxcvvlvzjb5y3pia_9.46.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.46.0_all_j3wc2ia5cvmxcar5vj37bzshkm.crx3 | US | | | whitelisted
1184 | IDMan.exe | GET | | 8.238.178.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f0df1028874abfc6 | US | | | whitelisted
| | HEAD | 200 | 142.250.179.206:80 | http://dl.google.com/release2/chrome_component/fessmlfzcgvxcvvlvzjb5y3pia_9.46.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.46.0_all_j3wc2ia5cvmxcar5vj37bzshkm.crx3 | US | | | whitelisted
3704 | IDMan.exe | GET | 200 | 8.238.178.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?edf2e3240990ea1b | US | compressed | 62.3 Kb | whitelisted
| | GET | 302 | 142.251.36.46:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 555 b | whitelisted
| | GET | 403 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | text | 37 b | whitelisted
| | GET | 200 | 172.64.111.33:80 | http://9anime.to/favicon.ico | US | compressed | 2.01 Kb | unknown
| | GET | 200 | 74.125.100.106:80 | http://r5---sn-5hnekn7z.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=192.42.116.16&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1689726743&mv=m&mvi=5&pl=22&shardbypass=sd&smhost=r5---sn-5hneknes.gvt1.com | US | binary | 242 Kb | whitelisted

Blank cells are blank in the report as well (PID, process or HTTP code not shown for that row).

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
2640 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1068 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1184 | IDMan.exe | 8.238.178.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | unknown
4036 | wscript.exe | 172.67.164.61:443 | idm.ckk.ir | CLOUDFLARENET | US | unknown
4036 | wscript.exe | 8.238.178.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | unknown
4036 | wscript.exe | 142.251.36.3:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
3704 | IDMan.exe | 8.238.178.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | unknown
3632 | chrome.exe | 239.255.255.250:1900 | | | | whitelisted

DNS requests

Domain | IP | Reputation
ctldl.windowsupdate.com | 8.238.178.126 | whitelisted
idm.ckk.ir | 172.67.164.61 | unknown
test.internetdownloadmanager.com | 185.80.221.18 | whitelisted
secure.internetdownloadmanager.com | 169.61.27.133 | whitelisted
www.internetdownloadmanager.com | 169.61.27.133 | whitelisted
mirror3.internetdownloadmanager.com | 174.127.113.77 | whitelisted
mirror5.internetdownloadmanager.com | 185.80.221.19 | whitelisted
registeridm.com | 169.61.27.133 | suspicious
ocsp.pki.goog | 142.251.36.3 | whitelisted
clientservices.googleapis.com | 142.250.179.163 | whitelisted

Threats

PID | Process | Class | Message
| | Potentially Bad Traffic | ET DNS Query for .to TLD

No debug info
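Most of the network rows are the guest's own background traffic: the svchost.exe (PID 864) HEAD and GET requests to dl.google.com and gvt1.com and the chromewebstore fetches are Chrome component and extension downloads, and the System, svchost.exe and chrome.exe rows to x.x.x.255, 239.255.255.250 and 224.0.0.252 are NetBIOS, SSDP and LLMNR chatter. What belongs to the sample's tree is IDMan.exe (PIDs 1184, 3704) and wscript.exe (PID 4036) fetching authrootstl.cab from ctldl.windowsupdate.com, which is the CryptoAPI certificate trust list download that the "Reads settings of System Certificates" and "Checks Windows Trust Settings" indicators correspond to, and wscript.exe alone reaching idm.ckk.ir on 443 (CLOUDFLARENET), the one contact in the table the report cannot vouch for. The single ET alert (DNS query for a .to TLD) lines up with the favicon request to 9anime.to, whose PID the report does not print, so it cannot be attributed from this page. The DNS table tags registeridm.com as suspicious even though it resolves to the same address (169.61.27.133) as www. and secure.internetdownloadmanager.com, and the reputation labels differ between tables (ctldl.windowsupdate.com is "unknown" under Connections and "whitelisted" under DNS), so treat them as hints rather than verdicts. The triage below is an added example, not part of the ANY.RUN report; its rows are copied from the Connections and DNS tables above, and the set of sample PIDs is taken from the indicator list.

```python
"""Attribute the report's network rows to the sample's process tree and pick
out the contacts worth chasing.

Added example, not part of the ANY.RUN report. CONNECTIONS and DNS are
copied from the report's Connections and DNS tables; SAMPLE_PIDS is the
set of PIDs the indicator list attributes to the sample's process tree.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Conn:
    pid: int
    process: str
    ip: str
    port: int
    domain: str = ""       # "" where the report shows no domain
    reputation: str = ""


CONNECTIONS = [
    Conn(4, "System", "192.168.100.255", 138, reputation="whitelisted"),
    Conn(2640, "svchost.exe", "239.255.255.250", 1900, reputation="whitelisted"),
    Conn(4, "System", "192.168.100.255", 137, reputation="whitelisted"),
    Conn(1068, "svchost.exe", "224.0.0.252", 5355, reputation="unknown"),
    Conn(1184, "IDMan.exe", "8.238.178.126", 80, "ctldl.windowsupdate.com", "unknown"),
    Conn(4036, "wscript.exe", "172.67.164.61", 443, "idm.ckk.ir", "unknown"),
    Conn(4036, "wscript.exe", "8.238.178.126", 80, "ctldl.windowsupdate.com", "unknown"),
    Conn(4036, "wscript.exe", "142.251.36.3", 80, "ocsp.pki.goog", "whitelisted"),
    Conn(3704, "IDMan.exe", "8.238.178.126", 80, "ctldl.windowsupdate.com", "unknown"),
    Conn(3632, "chrome.exe", "239.255.255.250", 1900, reputation="whitelisted"),
]

DNS = {  # domain -> (resolved IP, reputation) as printed in the report
    "ctldl.windowsupdate.com": ("8.238.178.126", "whitelisted"),
    "idm.ckk.ir": ("172.67.164.61", "unknown"),
    "test.internetdownloadmanager.com": ("185.80.221.18", "whitelisted"),
    "secure.internetdownloadmanager.com": ("169.61.27.133", "whitelisted"),
    "www.internetdownloadmanager.com": ("169.61.27.133", "whitelisted"),
    "mirror3.internetdownloadmanager.com": ("174.127.113.77", "whitelisted"),
    "mirror5.internetdownloadmanager.com": ("185.80.221.19", "whitelisted"),
    "registeridm.com": ("169.61.27.133", "suspicious"),
    "ocsp.pki.goog": ("142.251.36.3", "whitelisted"),
    "clientservices.googleapis.com": ("142.250.179.163", "whitelisted"),
}

# PIDs named in the report's indicator list (the sample's process tree).
SAMPLE_PIDS = {2180, 1632, 2468, 3484, 1184, 3932, 3020, 4036, 3416, 3924,
               3128, 2804, 3832, 3704, 2828, 1348, 3528, 3876, 3448, 1664}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# CryptoAPI fetches the certificate trust list from here when a process
# builds a certificate chain; context for the cert checks, not sample C2.
WINDOWS_PKI = {"ctldl.windowsupdate.com"}


def is_local_noise(c):
    """Broadcast/multicast destinations: NetBIOS, SSDP, LLMNR and the like."""
    a = ip_address(c.ip)
    return a.is_multicast or (a.is_private and c.ip.endswith(".255"))


def split_by_origin(conns, sample_pids=SAMPLE_PIDS):
    """(sample, background): rows from the sample's tree vs. the guest's own traffic."""
    sample = [c for c in conns if c.pid in sample_pids and not is_local_noise(c)]
    background = [c for c in conns if c not in sample]
    return sample, background


def script_host_contacts(conns, dns=DNS):
    """Remote hosts a script host reached, minus Windows PKI and whitelisted names."""
    out = []
    for c in conns:
        if c.process.lower() not in SCRIPT_HOSTS or is_local_noise(c):
            continue
        if c.domain in WINDOWS_PKI:
            continue
        rep = dns.get(c.domain, ("", ""))[1] or c.reputation
        if rep != "whitelisted":
            out.append((c.pid, c.process, c.domain, f"{c.ip}:{c.port}", rep))
    return out


def resolved_but_not_connected(conns, dns=DNS):
    """Names resolved but absent from every connection row: worth noting
    (the vendor's licensing hosts here), not evidence of a completed session."""
    seen = {c.domain for c in conns}
    return sorted(d for d in dns if d not in seen)


def non_whitelisted_dns(dns=DNS):
    return sorted((d, rep) for d, (_, rep) in dns.items() if rep != "whitelisted")


if __name__ == "__main__":
    sample, background = split_by_origin(CONNECTIONS)
    print(f"{len(sample)} sample rows, {len(background)} background rows")
    for hit in script_host_contacts(CONNECTIONS):
        print("script host contact:", hit)
    print("resolved only:", resolved_but_not_connected(CONNECTIONS))
    print("non-whitelisted DNS:", non_whitelisted_dns())
```

The split is deliberately conservative: a row counts as the sample's only when its PID is one the indicator list already attributes to the tree, and a script-host contact is reported only after Windows PKI infrastructure and whitelisted names are set aside, which leaves wscript.exe to idm.ckk.ir as the single item to pivot on (the PCAP in the full report is where to look at what was exchanged on that session).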