File name:

IDM 6.xx Activator or Resetter v3.3.exe

Full analysis: https://app.any.run/tasks/749cd8a7-3fa7-4f9d-ab1e-786c47306c53
Verdict: Malicious activity
Analysis date: June 30, 2024, 01:48:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B2BB695B656DFB91E01967DE3A8BEEE3

SHA1:

30EBAC4EB84AA036BED8F8931B6493348B87108A

SHA256:

7822FA6C35CBD1CFB95C780970DEEF14D8B53C62ADE3A4BCF63C494C3F2E5BBD

SSDEEP:

24576:Kq2RNiQQlO14bmK/v5TX5di5mRU7sPU/R+w01DepD:Kf/iQQlO14bmK/v5TX5di5mRU7sPU/RJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)
      • 7za.exe (PID: 1096)
      • 7za.exe (PID: 3932)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 2728)

    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 2728)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 2728)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)
      • 7za.exe (PID: 1096)
      • 7za.exe (PID: 3932)

    • Drops 7-zip archiver for unpacking

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)

    • Reads security settings of Internet Explorer

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)

    • Reads the date of Windows installation

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 5876)
      • cmd.exe (PID: 2728)

    • Starts CMD.EXE for commands execution

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)
      • cmd.exe (PID: 1332)
      • cmd.exe (PID: 4356)
      • cmd.exe (PID: 4628)
      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 3896)
      • powershell.exe (PID: 2536)

    • Executing commands from a ".bat" file

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)
      • cmd.exe (PID: 1332)
      • powershell.exe (PID: 2536)

    • The executable file from the user directory is run by the CMD process

      • 7za.exe (PID: 5608)
      • 7za.exe (PID: 4840)
      • 7za.exe (PID: 1088)
      • 7za.exe (PID: 3596)
      • 7za.exe (PID: 1096)
      • NSudo86x.exe (PID: 6684)
      • 7za.exe (PID: 3932)

    • Application launched itself

      • cmd.exe (PID: 4628)
      • cmd.exe (PID: 4356)
      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 3896)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2728)
      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 4628)
      • conhost.exe (PID: 736)
      • cmd.exe (PID: 5444)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 2728)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 4628)
      • cmd.exe (PID: 3324)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4628)
      • cmd.exe (PID: 3324)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 4628)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 4628)

    • Hides command output

      • cmd.exe (PID: 5444)
      • cmd.exe (PID: 2292)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 2292)

    • Request a resource from the Internet using PowerShell's cmdlet

      • cmd.exe (PID: 2728)

    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 2728)

    • Process drops legitimate windows executable

      • 7za.exe (PID: 3932)

    • Drops a system driver (possible attempt to evade defenses)

      • 7za.exe (PID: 3932)

    • The process creates files with name similar to system file names

      • 7za.exe (PID: 3932)

  • INFO

    • Create files in a temporary directory

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)
      • 7za.exe (PID: 5608)
      • 7za.exe (PID: 4840)
      • 7za.exe (PID: 1096)

    • Checks supported languages

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)
      • 7za.exe (PID: 5608)
      • 7za.exe (PID: 4840)
      • 7za.exe (PID: 1088)
      • 7za.exe (PID: 3596)
      • 7za.exe (PID: 1096)
      • mode.com (PID: 5908)
      • mode.com (PID: 6568)
      • NSudo86x.exe (PID: 6684)
      • 7za.exe (PID: 3932)
      • identity_helper.exe (PID: 6764)

    • Reads the computer name

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)
      • 7za.exe (PID: 5608)
      • 7za.exe (PID: 4840)
      • 7za.exe (PID: 1096)
      • 7za.exe (PID: 1088)
      • 7za.exe (PID: 3596)
      • 7za.exe (PID: 3932)
      • NSudo86x.exe (PID: 6684)
      • identity_helper.exe (PID: 6764)

    • Process checks computer location settings

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3532)

    • Checks operating system version

      • cmd.exe (PID: 4628)
      • cmd.exe (PID: 3324)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 5816)
      • powershell.exe (PID: 2392)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 5816)
      • powershell.exe (PID: 2392)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 5816)
      • powershell.exe (PID: 2392)

    • Manual execution by a user

      • WINWORD.EXE (PID: 2856)
      • msedge.exe (PID: 6968)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4220)
      • powershell.exe (PID: 5420)
      • powershell.exe (PID: 4196)
      • powershell.exe (PID: 4904)

    • Disables trace logs

      • powershell.exe (PID: 1632)

    • Creates files or folders in the user directory

      • 7za.exe (PID: 3932)

    • Application launched itself

      • msedge.exe (PID: 6732)
      • msedge.exe (PID: 6968)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6732)
      • msedge.exe (PID: 6968)

    • Checks proxy server information

      • powershell.exe (PID: 1632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:06:27 07:06:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 70656
InitializedDataSize: 110080
UninitializedDataSize: -
EntryPoint: 0x11def
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.3.0.0
ProductVersionNumber: 3.3.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: IDM 6.xx Activator or Resetter - CrackingCity.com
CompanyName: CrackingCity.com
FileDescription: IDM 6.xx Activator or Resetter
FileVersion: 3.3.0.0
InternalName: IDM 6.xx Activator or Resetter.exe
LegalCopyright: CrackingCity.com, Copyright © 2020 - 2024
OriginalFileName: IDM 6.xx Activator or Resetter.exe
ProductName: IDM 6.xx Activator or Resetter
ProductVersion: 3.3.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
269
Monitored processes
128
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start idm 6.xx activator or resetter v3.3.exe cmd.exe no specs conhost.exe no specs attrib.exe no specs 7za.exe no specs 7za.exe no specs 7za.exe 7za.exe no specs 7za.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs find.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs powershell.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs find.exe no specs fltmc.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs find.exe no specs powershell.exe no specs fltmc.exe no specs powershell.exe no specs find.exe no specs powershell.exe no specs winword.exe cmd.exe no specs powershell.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs ai.exe no specs mode.com no specs choice.exe no specs powershell.exe 7za.exe schtasks.exe no specs mode.com no specs powershell.exe no specs nsudo86x.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs idm 6.xx activator or resetter v3.3.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
476fltmc C:\Windows\System32\fltMC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Filter Manager Control Program
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fltmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
692reg query HKU\S-1-5-21-1693682860-607145093-2874071422-1001\Software C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
736conhost.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\admin\AppData\Local\Temp\ytmp\IDM.bat""" -el r1 -qedit'" C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
10887za e files.tmp -ptmp@tmp420 -aoa AB2EF.exeC:\Users\admin\AppData\Local\Temp\ytmp\7za.execmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Standalone Console
Exit code:
0
Version:
16.04
Modules
Images
c:\users\admin\appdata\local\temp\ytmp\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
10967za e files.tmp -ptmp@tmp420 -aoa NSudo86x.exeC:\Users\admin\AppData\Local\Temp\ytmp\7za.exe
cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Standalone Console
Exit code:
0
Version:
16.04
Modules
Images
c:\users\admin\appdata\local\temp\ytmp\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
1304reg delete HKU\S-1-5-21-1693682860-607145093-2874071422-1001\IAS_TEST /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
1324"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5336 --field-trial-handle=2428,i,15165866104222853417,6651883741250826631,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1332C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\ytmp\IDM.bat" "C:\Windows\SysWOW64\cmd.exeIDM 6.xx Activator or Resetter v3.3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1496"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6020 --field-trial-handle=2428,i,15165866104222853417,6651883741250826631,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1588reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTUREC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
Total events
84 483
Read events
83 999
Write events
448
Delete events
36

Modification events

(PID) Process:(3532) IDM 6.xx Activator or Resetter v3.3.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(3532) IDM 6.xx Activator or Resetter v3.3.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3532) IDM 6.xx Activator or Resetter v3.3.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3532) IDM 6.xx Activator or Resetter v3.3.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3532) IDM 6.xx Activator or Resetter v3.3.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4904) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4904) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(4904) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(4904) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4220) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
28
Suspicious files
179
Text files
113
Unknown types
1

Dropped files

PID
Process
Filename
Type
3532IDM 6.xx Activator or Resetter v3.3.exeC:\Users\admin\AppData\Local\Temp\ytmp\files.tmpcompressed
MD5:86EFB592316773110C1B67B8569EA5D8
SHA256:DC664BB88EDC327F890B9A052281718066BCB220C7F6541426AD475EAE66FD7C
5816powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rni5dcc5.2sa.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4904powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dumsekkh.v4a.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5816powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2wpuddkz.ztv.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5816powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:5AC31E5F94D9A21152215464997F54BD
SHA256:373E9EC9925ACF983A94ED16B6A097B9D297AB2E87127B6AB57E7786385B9A39
4904powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_00ftblc1.i3a.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2536powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d2pms4lm.lss.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4904powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fqkvjviu.bbm.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2392powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h4vug21u.30s.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4904powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3sa0taem.wty.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
106
DNS requests
185
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4524
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
4524
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1544
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
2856
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
unknown
6492
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
6492
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
2020
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4032
svchost.exe
239.255.255.250:1900
unknown
4524
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2784
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3748
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
4656
SearchApp.exe
104.126.37.145:443
Akamai International B.V.
DE
unknown
4524
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
4524
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
2856
WINWORD.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
unknown
2856
WINWORD.EXE
23.48.23.18:443
omex.cdn.office.net
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
omex.cdn.office.net
  • 23.48.23.18
  • 23.48.23.30
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
self.events.data.microsoft.com
  • 20.42.73.28
whitelisted
messaging.lifecycle.office.com
  • 52.111.243.12
whitelisted
www.crackingcity.com
  • 188.114.96.3
  • 188.114.97.3
unknown
www.bing.com
  • 104.126.37.131
  • 104.126.37.139
whitelisted

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IDM 6.xx Activator or Resetter v3.3.exe