File name:

IDM_6.4x_Crack_v20.1.zip

Full analysis: https://app.any.run/tasks/8200d949-07ca-4c47-b543-5266606de4cc
Verdict: Malicious activity
Analysis date: May 11, 2025, 15:14:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
MD5:

8E7190EB68709824DC359E17E6DE8F87

SHA1:

352306102F50627B6698FAB0A1FECCCFD400F431

SHA256:

43DD5EC7D883DD796FE42D096B0A5C4551D034743491D1E3F350AEAD895D69C2

SSDEEP:

1536:fUK1pCti6TME5RSQcU2oDP1toGbV4/d6qUOnqQD:fVpIi6F9ce9tPbVKdHJV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 8016)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 8016)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 8016)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 8016)
  • SUSPICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7304)
    • The process executes VB scripts

      • IDM_6.4x_Crack_v20.1.exe (PID: 7988)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 8016)
    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 8016)
    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 8016)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 8016)
  • INFO

    • Manual execution by a user

      • IDM_6.4x_Crack_v20.1.exe (PID: 7988)
      • IDM_6.4x_Crack_v20.1.exe (PID: 7940)
    • Reads the computer name

      • IDM_6.4x_Crack_v20.1.exe (PID: 7988)
    • Checks supported languages

      • IDM_6.4x_Crack_v20.1.exe (PID: 7988)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7304)
    • Creates files or folders in the user directory

      • IDM_6.4x_Crack_v20.1.exe (PID: 7988)
    • Create files in a temporary directory

      • IDM_6.4x_Crack_v20.1.exe (PID: 7988)
    • Checks proxy server information

      • wscript.exe (PID: 8016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2025:04:21 01:45:48
ZipCRC: 0x4964c2ce
ZipCompressedSize: 59028
ZipUncompressedSize: 62976
ZipFileName: IDM_6.4x_Crack_v20.1.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe no specs idm_6.4x_crack_v20.1.exe no specs idm_6.4x_crack_v20.1.exe wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
7304"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\IDM_6.4x_Crack_v20.1.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
7444C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7476"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
7940"C:\Users\admin\Desktop\IDM_6.4x_Crack_v20.1.exe" C:\Users\admin\Desktop\IDM_6.4x_Crack_v20.1.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\idm_6.4x_crack_v20.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7988"C:\Users\admin\Desktop\IDM_6.4x_Crack_v20.1.exe" C:\Users\admin\Desktop\IDM_6.4x_Crack_v20.1.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\idm_6.4x_crack_v20.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
8016wscript.exe "C:\Users\admin\AppData\Local\Temp\\CRK_UPDT.vbs" "https://idm.0dy.ir/" "Version" "Download_URL" "20.1" "Crack" "C:\Program Files\Google\Chrome\Application\chrome.exe" silentC:\Windows\SysWOW64\wscript.exe
IDM_6.4x_Crack_v20.1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
2 503
Read events
2 478
Write events
25
Delete events
0

Modification events

(PID) Process:(7304) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(7304) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(7304) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(7304) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\IDM_6.4x_Crack_v20.1.zip
(PID) Process:(7304) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(7304) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(7304) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(7304) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(7304) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(7988) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
Executable files
1
Suspicious files
4
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
7988IDM_6.4x_Crack_v20.1.exeC:\Users\admin\AppData\Local\Temp\CRK_UPDT.vbstext
MD5:B91C1157D6F1E605CC965D092551B307
SHA256:92FE72CCEB630C7EFF3B2D3BED9C6969F53E5B9DFF1F481888754E59B3C76AB7
7988IDM_6.4x_Crack_v20.1.exeC:\Users\admin\AppData\Local\Temp\IDM_UPDT.vbstext
MD5:B91C1157D6F1E605CC965D092551B307
SHA256:92FE72CCEB630C7EFF3B2D3BED9C6969F53E5B9DFF1F481888754E59B3C76AB7
7988IDM_6.4x_Crack_v20.1.exeC:\Users\admin\AppData\Roaming\WinRAR\rarreg.keytext
MD5:CC72935D4E4BD54DB0ED6BF4701FDC9E
SHA256:2ABE74BB821BA46762AFDB23EAC95454EC7155D5379E3CD56385D900C34CB1BF
7304WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb7304.29137\IDM_6.4x_Crack_v20.1.exeexecutable
MD5:832EAC4526E3E0C9A96EA29D90A5B521
SHA256:C1BD821751C7F0ECD0741103EEF6888025F4509229E0C11F1CD436BF334AA240
8016wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1B4B95A2238D1B6076E3C5ACBB9AEEAE
SHA256:3706C5CA808E1C6E2DCAD23DFAF797772518541E69280951B5541A5830CC3AD7
8016wscript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\TNQ587WI.xmltext
MD5:21A5285AE43EDD57EB010DBAA5E01AD1
SHA256:E2346FA47B5BE1883B01FA3764F618C2DCA0AC1765BAA75506433A7532C764A5
8016wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:4A90329071AE30B759D279CCA342B0A6
SHA256:4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60
8016wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:1B203F61903882FB069B53779DFFFA7F
SHA256:A96FD65709B8BC198C8B929E37CB8BA3DA460C514428847E0A6588F01C9659FF
8016wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
20
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.181:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
8016
wscript.exe
GET
200
216.58.206.35:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
8016
wscript.exe
GET
200
216.58.206.35:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
2852
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2852
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.181:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
8016
wscript.exe
188.114.96.3:443
idm.0dy.ir
CLOUDFLARENET
NL
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.181
  • 23.48.23.169
  • 23.48.23.175
  • 23.48.23.180
  • 23.48.23.165
  • 23.48.23.171
  • 23.48.23.168
  • 23.48.23.166
  • 23.48.23.174
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.160.3
  • 20.190.160.4
  • 20.190.160.64
  • 20.190.160.17
  • 20.190.160.66
  • 20.190.160.128
  • 20.190.160.14
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
idm.0dy.ir
  • 188.114.96.3
  • 188.114.97.3
unknown
c.pki.goog
  • 216.58.206.35
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

No threats detected
No debug info