Malware analysis IDM 6.xx Activator or Resetter v3.3.exe Malicious activity

Add for printing

File name:	IDM 6.xx Activator or Resetter v3.3.exe
Full analysis:	https://app.any.run/tasks/a3dea1a1-0af6-4e33-b4da-22682f904a14
Verdict:	Malicious activity
Analysis date:	October 22, 2024, 09:58:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-scr arch-html
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	B2BB695B656DFB91E01967DE3A8BEEE3
SHA1:	30EBAC4EB84AA036BED8F8931B6493348B87108A
SHA256:	7822FA6C35CBD1CFB95C780970DEEF14D8B53C62ADE3A4BCF63C494C3F2E5BBD
SSDEEP:	24576:Kq2RNiQQlO14bmK/v5TX5di5mRU7sPU/R+w01DepD:Kf/iQQlO14bmK/v5TX5di5mRU7sPU/RJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - cmd.exe (PID: 3740)
- Execute application with conhost.exe as parent process
  - powershell.exe (PID: 2312)
- Adds process to the Windows Defender exclusion list
  - cmd.exe (PID: 3740)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 3740)
- Registers / Runs the DLL via REGSVR32.EXE
  - IDM1.tmp (PID: 7460)
  - IDMan.exe (PID: 1244)
  - Uninstall.exe (PID: 3936)
  - IDMan.exe (PID: 8676)
  - IDMan.exe (PID: 7408)
- Starts CMD.EXE for commands execution
  - msedge.exe (PID: 7272)
  - msedge.exe (PID: 9176)
- Starts NET.EXE for service management
  - Uninstall.exe (PID: 3936)
  - net.exe (PID: 7184)
SUSPICIOUS
- Executable content was dropped or overwritten
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 6640)
  - 7za.exe (PID: 1280)
  - 7za.exe (PID: 7872)
  - IDMan.exe (PID: 1244)
  - rundll32.exe (PID: 3952)
  - drvinst.exe (PID: 6832)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 2708)
  - cmd.exe (PID: 3740)
- Drops 7-zip archiver for unpacking
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 6640)
- The executable file from the user directory is run by the CMD process
  - 7za.exe (PID: 1700)
  - 7za.exe (PID: 7872)
  - 7za.exe (PID: 5264)
  - 7za.exe (PID: 6240)
  - 7za.exe (PID: 6340)
  - 7za.exe (PID: 1280)
  - NSudo86x.exe (PID: 4448)
- Executing commands from a ".bat" file
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 6640)
  - cmd.exe (PID: 4224)
  - powershell.exe (PID: 2312)
- Starts CMD.EXE for commands execution
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 6640)
  - cmd.exe (PID: 4224)
  - cmd.exe (PID: 6888)
  - cmd.exe (PID: 5652)
  - powershell.exe (PID: 2312)
  - cmd.exe (PID: 4692)
  - cmd.exe (PID: 6168)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 3740)
  - conhost.exe (PID: 7120)
  - cmd.exe (PID: 5652)
  - cmd.exe (PID: 4692)
  - cmd.exe (PID: 6772)
  - cmd.exe (PID: 6208)
  - cmd.exe (PID: 6300)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 5652)
  - cmd.exe (PID: 4692)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 3740)
- Application launched itself
  - cmd.exe (PID: 5652)
  - cmd.exe (PID: 6888)
  - cmd.exe (PID: 4692)
  - cmd.exe (PID: 6168)
- Starts SC.EXE for service management
  - cmd.exe (PID: 5652)
  - cmd.exe (PID: 4692)
- Possibly malicious use of IEX has been detected
  - cmd.exe (PID: 5652)
  - cmd.exe (PID: 4692)
- Probably obfuscated PowerShell command line is found
  - cmd.exe (PID: 5652)
  - cmd.exe (PID: 4692)
  - cmd.exe (PID: 6300)
- Script adds exclusion process to Windows Defender
  - cmd.exe (PID: 3740)
- Hides command output
  - cmd.exe (PID: 6772)
  - cmd.exe (PID: 7432)
  - cmd.exe (PID: 3396)
  - cmd.exe (PID: 7056)
  - cmd.exe (PID: 6300)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 4692)
  - cmd.exe (PID: 7432)
  - cmd.exe (PID: 7056)
- Request a resource from the Internet using PowerShell's cmdlet
  - cmd.exe (PID: 3740)
- Drops a system driver (possible attempt to evade defenses)
  - 7za.exe (PID: 7872)
  - drvinst.exe (PID: 6832)
  - rundll32.exe (PID: 3952)
- Process drops legitimate windows executable
  - 7za.exe (PID: 7872)
- Starts application with an unusual extension
  - idman642build23.exe (PID: 8008)
- Uses RUNDLL32.EXE to load library
  - Uninstall.exe (PID: 3936)
- Get information on the list of running processes
  - cmd.exe (PID: 4692)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 4692)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 4692)
INFO
- Checks operating system version
  - cmd.exe (PID: 5652)
  - cmd.exe (PID: 4692)
- Starts MODE.COM to configure console settings
  - mode.com (PID: 7532)
  - mode.com (PID: 8116)
  - mode.com (PID: 4144)
- Manual execution by a user
  - msedge.exe (PID: 7272)
  - firefox.exe (PID: 920)
- Application launched itself
  - msedge.exe (PID: 7272)
  - msedge.exe (PID: 8108)
  - firefox.exe (PID: 920)
  - firefox.exe (PID: 3940)
  - msedge.exe (PID: 9176)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 7272)
  - msedge.exe (PID: 7592)
  - msedge.exe (PID: 7276)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2010:06:27 07:06:38+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	70656
InitializedDataSize:	110080
UninitializedDataSize:	-
EntryPoint:	0x11def
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	3.3.0.0
ProductVersionNumber:	3.3.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	IDM 6.xx Activator or Resetter - CrackingCity.com
CompanyName:	CrackingCity.com
FileDescription:	IDM 6.xx Activator or Resetter
FileVersion:	3.3.0.0
InternalName:	IDM 6.xx Activator or Resetter.exe
LegalCopyright:	CrackingCity.com, Copyright © 2020 - 2024
OriginalFileName:	IDM 6.xx Activator or Resetter.exe
ProductName:	IDM 6.xx Activator or Resetter
ProductVersion:	3.3.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

459

Monitored processes

321

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
624	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6440 --field-trial-handle=2296,i,17299708489808076142,10584318277501273297,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
632	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5212 --field-trial-handle=2296,i,17299708489808076142,10584318277501273297,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
632	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5548 --field-trial-handle=2296,i,17299708489808076142,10584318277501273297,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
824	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3200 --field-trial-handle=2296,i,17299708489808076142,10584318277501273297,262144 --variations-seed-version /prefetch:8	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
864	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	net.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
884	/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"	C:\Windows\System32\regsvr32.exe	—	regsvr32.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
916	/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"	C:\Windows\System32\regsvr32.exe	—	regsvr32.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
920	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html --attempting-deelevation	C:\Program Files\Mozilla Firefox\firefox.exe	—	explorer.exe
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 123.0
1028	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4536 --field-trial-handle=2296,i,17299708489808076142,10584318277501273297,262144 --variations-seed-version /prefetch:2	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	—	msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59
1236	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20240213221259 -prefsHandle 2268 -prefMapHandle 2256 -prefsLen 30705 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c57f0c9-f11a-42c0-9bff-bdba74b631c5} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" 2db21782110 socket	C:\Program Files\Mozilla Firefox\firefox.exe	—	firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 123.0

Add for printing

Total events

7 101

Read events

7 100

Write events

Delete events

Modification events


(PID) Process:	(6640) IDM 6.xx Activator or Resetter v3.3.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Add for printing

Executable files

Suspicious files

807

Text files

334

Unknown types

Dropped files

PID	Process	Filename		Type
6640	IDM 6.xx Activator or Resetter v3.3.exe	C:\Users\admin\AppData\Local\Temp\ytmp\main.bat		text
		MD5:3ED6946C40DA68E805C93AA96C79B246	SHA256:1A59A3037D6DA10A939C6A54BFBDE37EC9C8727FF5B546F36F4ACE1258462ABB
6340	7za.exe	C:\Users\admin\AppData\Local\Temp\ytmp\IDM.bat		text
		MD5:8B019A913C58322BACBF082DE4E81B80	SHA256:D7509B810F2543DAF3E7D1EAC4EFC381DFA445952A8822CEC5B84587A18BDEB0
3740	cmd.exe	C:\Users\admin\AppData\Local\Temp\ytmp\UpdateTask.xml		xml
		MD5:3559BFEB9B0613491190B913F6411A08	SHA256:CFF98D829C8D2177BE7F31DD76A0DD5D68627C01FCE7C85666AB621FB6DE10FF
1280	7za.exe	C:\Users\admin\AppData\Local\Temp\ytmp\NSudo86x.exe		executable
		MD5:6F69CF85748B3447BFD80A22A4F74564	SHA256:37268F71B2B84F8E67985C51215607C08F09B71C86F7412E7FF0F1480EDA3F65
2464	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qnuwkwvm.scd.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2464	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_10yh21ru.ilo.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6344	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vmg2jb4j.hbg.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6344	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f5uyguze.ztq.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2464	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jl25ypkm.n2b.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6344	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:4C03BEDA45E5E26A6911E4025B28B74D	SHA256:829027290251858E3DB42A39D21A813371653AA84899F1C55F7A1814FE3C0EDD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

193

DNS requests

231

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	973 b	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	US	binary	312 b	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	US	binary	471 b	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	DE	binary	408 b	whitelisted
—	—	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	US	text	90 b	whitelisted
—	—	POST	200	142.250.185.131:80	http://o.pki.goog/wr2	US	binary	472 b	whitelisted
—	—	POST	200	95.101.54.114:80	http://r10.o.lencr.org/	DE	binary	504 b	whitelisted
—	—	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	US	text	8 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	104.126.37.163:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.213.166.81:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	172.217.16.142	whitelisted
www.bing.com	104.126.37.163 104.126.37.176 104.126.37.178 104.126.37.168 104.126.37.171 104.126.37.169 104.126.37.170 104.126.37.186 104.126.37.179 104.126.37.162 104.126.37.153 104.126.37.160 104.126.37.155 104.126.37.161 104.126.37.184 104.126.37.177	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.32.68 20.190.160.17 40.126.32.134 20.190.160.22 40.126.32.138 40.126.32.140 40.126.32.133 40.126.32.74	whitelisted
go.microsoft.com	23.213.166.81 184.28.89.167	whitelisted
th.bing.com	104.126.37.179 104.126.37.171 104.126.37.130 104.126.37.186 104.126.37.176 104.126.37.128 104.126.37.178 104.126.37.170 104.126.37.123	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
www.crackingcity.com	188.114.96.3 188.114.97.3	unknown

Threats

PID	Process	Class	Message
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)

Add for printing

No debug info

General Info

IDM 6.xx Activator or Resetter v3.3.exe

B2BB695B656DFB91E01967DE3A8BEEE3

30EBAC4EB84AA036BED8F8931B6493348B87108A

7822FA6C35CBD1CFB95C780970DEEF14D8B53C62ADE3A4BCF63C494C3F2E5BBD

24576:Kq2RNiQQlO14bmK/v5TX5di5mRU7sPU/R+w01DepD:Kf/iQQlO14bmK/v5TX5di5mRU7sPU/RJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Execute application with conhost.exe as parent process

Adds process to the Windows Defender exclusion list

Uses Task Scheduler to run other applications

Registers / Runs the DLL via REGSVR32.EXE

Starts CMD.EXE for commands execution

Starts NET.EXE for service management

SUSPICIOUS

Executable content was dropped or overwritten

Uses ATTRIB.EXE to modify file attributes

Drops 7-zip archiver for unpacking

The executable file from the user directory is run by the CMD process

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Using 'findstr.exe' to search for text patterns in files and output

Script adds exclusion path to Windows Defender

Application launched itself

Starts SC.EXE for service management

Possibly malicious use of IEX has been detected

Probably obfuscated PowerShell command line is found

Script adds exclusion process to Windows Defender

Hides command output

Uses REG/REGEDIT.EXE to modify registry

Request a resource from the Internet using PowerShell's cmdlet

Drops a system driver (possible attempt to evade defenses)

Process drops legitimate windows executable

Starts application with an unusual extension

Uses RUNDLL32.EXE to load library

Get information on the list of running processes

Uses TASKKILL.EXE to kill process

Uses TIMEOUT.EXE to delay execution

INFO

Checks operating system version

Starts MODE.COM to configure console settings

Manual execution by a user

Application launched itself

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings