Malware analysis temp.7z Malicious activity | ANY.RUN

Add for printing

File name:	temp.7z
Full analysis:	https://app.any.run/tasks/67aeb66e-b800-40be-a46f-51f1dde5c2c8
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 18, 2025, 16:18:20
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec idm tool stealer
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	AF489A7D0EE58A9AFA1388658D3CEFFB
SHA1:	6FCC1A8636D1C15CA726860DD57051939337861C
SHA256:	8AC56E90F27D3F62EA566257AD1E48022FF4CE5CD2A54D9DA3DE6246B435C54A
SSDEEP:	98304:4t9ZRligm7JREIxBfQ6BmSfrK8u5K/8WJ9emmwuiuXlIUhBb+rQbbRfM3Lsip6A3:VVeD7wnvgjFo7gxr1HJlg3vKPWxd7b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 7452)
- Registers / Runs the DLL via REGSVR32.EXE
  - IDMan.exe (PID: 3676)
  - Uninstall.exe (PID: 3768)
  - IDM1.tmp (PID: 7764)
  - IDMan.exe (PID: 5132)
- Changes the autorun value in the registry
  - rundll32.exe (PID: 5512)
  - IDMan.exe (PID: 3676)
- Starts NET.EXE for service management
  - Uninstall.exe (PID: 3768)
  - net.exe (PID: 6988)
- Actions looks like stealing of personal data
  - IDMan.exe (PID: 2796)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 7452)
  - IDM1.tmp (PID: 7764)
  - IDMan.exe (PID: 3676)
  - Uninstall.exe (PID: 3768)
  - IDMan.exe (PID: 5132)
  - IDMan.exe (PID: 2796)
- Starts application with an unusual extension
  - idman642build32.exe (PID: 7732)
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 7388)
- The process creates files with name similar to system file names
  - IDM1.tmp (PID: 7764)
- Creates a software uninstall entry
  - IDM1.tmp (PID: 7764)
- Creates/Modifies COM task schedule object
  - IDM1.tmp (PID: 7764)
  - regsvr32.exe (PID: 7316)
  - regsvr32.exe (PID: 7328)
  - regsvr32.exe (PID: 7300)
  - IDMan.exe (PID: 3676)
  - regsvr32.exe (PID: 4988)
  - regsvr32.exe (PID: 6724)
  - regsvr32.exe (PID: 5988)
  - regsvr32.exe (PID: 5056)
  - regsvr32.exe (PID: 4608)
- Executable content was dropped or overwritten
  - IDMan.exe (PID: 3676)
  - rundll32.exe (PID: 5512)
  - drvinst.exe (PID: 8008)
  - IDM_6.4x_Crack_v19.7.exe (PID: 8028)
- Uses RUNDLL32.EXE to load library
  - Uninstall.exe (PID: 3768)
- Drops a system driver (possible attempt to evade defenses)
  - rundll32.exe (PID: 5512)
  - drvinst.exe (PID: 8008)
- Creates files in the driver directory
  - drvinst.exe (PID: 8008)
- Creates or modifies Windows services
  - drvinst.exe (PID: 4812)
  - Uninstall.exe (PID: 3768)
- Executing commands from a ".bat" file
  - IDM_6.4x_Crack_v19.7.exe (PID: 8028)
  - cmd.exe (PID: 1240)
  - IDM_6.4x_Crack_v19.7.exe (PID: 1812)
  - cmd.exe (PID: 7388)
- Starts CMD.EXE for commands execution
  - IDM_6.4x_Crack_v19.7.exe (PID: 8028)
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 6108)
  - IDM_6.4x_Crack_v19.7.exe (PID: 1812)
  - cmd.exe (PID: 1228)
  - cmd.exe (PID: 7388)
- Application launched itself
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 6108)
  - cmd.exe (PID: 7388)
  - cmd.exe (PID: 1228)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 4008)
  - IDM_6.4x_Crack_v19.7.exe (PID: 1812)
  - cmd.exe (PID: 7388)
  - cmd.exe (PID: 8028)
  - IDM_6.4x_Crack_v19.7.exe (PID: 8028)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 1088)
  - cmd.exe (PID: 3240)
  - cmd.exe (PID: 7388)
  - cmd.exe (PID: 6644)
  - cmd.exe (PID: 6584)
- Hides command output
  - cmd.exe (PID: 1088)
  - cmd.exe (PID: 4008)
  - cmd.exe (PID: 6644)
  - cmd.exe (PID: 8028)
- Possibly malicious use of IEX has been detected
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 7388)
- Probably obfuscated PowerShell command line is found
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 7388)
- There is functionality for taking screenshot (YARA)
  - IDMIntegrator64.exe (PID: 5624)
INFO
- The sample compiled with english language support
  - WinRAR.exe (PID: 7452)
  - IDMan.exe (PID: 3676)
  - rundll32.exe (PID: 5512)
  - drvinst.exe (PID: 8008)
  - IDM_6.4x_Crack_v19.7.exe (PID: 8028)
- Reads the computer name
  - idman642build32.exe (PID: 7732)
  - IDM1.tmp (PID: 7764)
  - idmBroker.exe (PID: 7340)
  - IDMan.exe (PID: 3676)
  - Uninstall.exe (PID: 3768)
  - drvinst.exe (PID: 8008)
  - drvinst.exe (PID: 4812)
  - IDMan.exe (PID: 5132)
  - IDM_6.4x_Crack_v19.7.exe (PID: 8028)
  - MediumILStart.exe (PID: 1228)
  - IDM_6.4x_Crack_v19.7.exe (PID: 1812)
  - IDMIntegrator64.exe (PID: 5624)
  - IDMan.exe (PID: 2796)
- Checks supported languages
  - idman642build32.exe (PID: 7732)
  - IDM1.tmp (PID: 7764)
  - IDMan.exe (PID: 3676)
  - Uninstall.exe (PID: 3768)
  - drvinst.exe (PID: 8008)
  - drvinst.exe (PID: 4812)
  - idmBroker.exe (PID: 7340)
  - MediumILStart.exe (PID: 1228)
  - IDM_6.4x_Crack_v19.7.exe (PID: 8028)
  - chcp.com (PID: 8104)
  - IDM_6.4x_Crack_v19.7.exe (PID: 1812)
  - IDMan.exe (PID: 5132)
  - IDMan.exe (PID: 2796)
  - IDMIntegrator64.exe (PID: 5624)
  - chcp.com (PID: 6976)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7452)
- Create files in a temporary directory
  - idman642build32.exe (PID: 7732)
  - IDM1.tmp (PID: 7764)
  - IDMan.exe (PID: 3676)
  - rundll32.exe (PID: 5512)
  - IDMan.exe (PID: 5132)
  - IDM_6.4x_Crack_v19.7.exe (PID: 8028)
  - reg.exe (PID: 6252)
  - IDM_6.4x_Crack_v19.7.exe (PID: 1812)
  - reg.exe (PID: 7812)
  - IDMan.exe (PID: 2796)
- INTERNETDOWNLOADMANAGER mutex has been found
  - IDM1.tmp (PID: 7764)
  - IDMan.exe (PID: 3676)
  - IDMan.exe (PID: 5132)
  - IDMan.exe (PID: 2796)
  - IDMIntegrator64.exe (PID: 5624)
- Process checks computer location settings
  - IDM1.tmp (PID: 7764)
  - IDMan.exe (PID: 3676)
  - Uninstall.exe (PID: 3768)
  - IDMan.exe (PID: 5132)
  - IDMan.exe (PID: 2796)
- Reads the machine GUID from the registry
  - IDMan.exe (PID: 3676)
  - drvinst.exe (PID: 8008)
  - IDMan.exe (PID: 5132)
  - IDMan.exe (PID: 2796)
- Disables trace logs
  - IDMan.exe (PID: 3676)
  - IDMan.exe (PID: 5132)
  - IDMan.exe (PID: 2796)
- Reads the software policy settings
  - IDMan.exe (PID: 3676)
  - drvinst.exe (PID: 8008)
  - IDMan.exe (PID: 5132)
  - slui.exe (PID: 7628)
  - slui.exe (PID: 6080)
  - IDMan.exe (PID: 2796)
- Creates files in the program directory
  - IDMan.exe (PID: 3676)
  - IDM1.tmp (PID: 7764)
  - IDM_6.4x_Crack_v19.7.exe (PID: 8028)
- Creates files or folders in the user directory
  - IDMan.exe (PID: 3676)
  - IDM1.tmp (PID: 7764)
  - IDMan.exe (PID: 2796)
- Application launched itself
  - firefox.exe (PID: 5972)
  - firefox.exe (PID: 4120)
- Manual execution by a user
  - firefox.exe (PID: 5972)
  - IDM_6.4x_Crack_v19.7.exe (PID: 3784)
  - IDM_6.4x_Crack_v19.7.exe (PID: 8028)
  - IDM_6.4x_Crack_v19.7.exe (PID: 1188)
  - IDM_6.4x_Crack_v19.7.exe (PID: 1812)
  - IDMan.exe (PID: 2796)
- Reads the time zone
  - runonce.exe (PID: 7320)
- Reads security settings of Internet Explorer
  - runonce.exe (PID: 7320)
- Checks proxy server information
  - IDMan.exe (PID: 3676)
  - slui.exe (PID: 6080)
  - IDMan.exe (PID: 5132)
  - IDMan.exe (PID: 2796)
- Checks operating system version
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 7388)
- Checks whether the specified file exists (POWERSHELL)
  - powershell.exe (PID: 4268)
  - powershell.exe (PID: 7284)
  - powershell.exe (PID: 2980)
  - powershell.exe (PID: 7744)
- Changes the display of characters in the console
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 7388)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion:	7z v0.04
ModifyDate:	2025:04:10 22:06:09+00:00
ArchivedFileName:	IDM_6.4x_Crack_v20.0.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

296

Monitored processes

156

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

632

C:\WINDOWS\system32\cmd.exe /S /D /c" echo prompt $E "

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

660

REG ADD "HKLM\Software\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

896

C:\WINDOWS\system32\cmd.exe /S /D /c" echo "C:\Users\admin\AppData\Local\Temp\BATCLEN.bat" "

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

904

reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

904

find /i "computersystem"

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1088

C:\WINDOWS\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1184

powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1188

"C:\Users\admin\Desktop\IDM_6.4x_Crack_v19.7.exe"

C:\Users\admin\Desktop\IDM_6.4x_Crack_v19.7.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\idm_6.4x_crack_v19.7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

1196

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

—

IDM1.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

Add for printing

Total events

78 891

Read events

78 084

Write events

617

Delete events

190

Modification events


(PID) Process:	(7452) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7452) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7452) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7452) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\temp.7z
(PID) Process:	(7452) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7452) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7452) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7452) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7764) IDM1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager
Operation:	write	Name:	DisplayVersion
Value: 6.42.32
(PID) Process:	(7764) IDM1.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files (x86)\Internet Download Manager\IDMan.exe

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7764	IDM1.tmp	C:\Users\admin\AppData\Local\Temp\IDM_Setup_Temp\IDMSetup2.log		binary
		MD5:5A032ACD38AB177AE8FBD17D52335C22	SHA256:10F2E057D9A43BC3E7C1D26CA19BC84E43BEB32D79A02EE6744468A2A0FDD808
7764	IDM1.tmp	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Internet Download Manager.lnk		binary
		MD5:2798816383D36ECB8BA344291E048D57	SHA256:A2F7140B684F7C9AB3256B117D970A0DBD91A6721D7C12CB8D599CC0D2848097
7764	IDM1.tmp	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk		binary
		MD5:0A4D63BF57A10CE7EE905AE3ED1EF289	SHA256:6454A64365559AB535CDA06519C66205097DBE881FD6AEFD1EBCE9DECD999FB4
7764	IDM1.tmp	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk		binary
		MD5:FFAE4703850FF1B80910853FF8A41B82	SHA256:ED5650B14919592C2F50D1D846F032D65297099CB5E89982EF97D9371E11A7C0
7764	IDM1.tmp	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Internet Download Manager.lnk		binary
		MD5:BB53B03CF61AC6FA301D4B7DF129F689	SHA256:A6F619C307F80756C3153655B670C335E063EFA3FBCCEF431D2AE0564E631CC2
7764	IDM1.tmp	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\TUTORIALS.lnk		binary
		MD5:B6342BD8A159C4A080D86B5D31A81F61	SHA256:D4A91DF201EE552B698093F5FBE03A5057D16A28A2996A9B0831F089B61E5B91
7764	IDM1.tmp	C:\Users\admin\AppData\Local\Temp\~DFCD91A79D34B6DE79.TMP		binary
		MD5:8B1254898C7A921F87D48826A492908B	SHA256:E5A013E0726D2F774B62D0D5D4AB61CF50783D5E4A0F45FC6E77C2A8F6E55FB0
7764	IDM1.tmp	C:\Program Files (x86)\Internet Download Manager\IDMSetup2.log		binary
		MD5:E571B9F7F8462CF2E232B8C018E53F28	SHA256:9C1E2874D7135A2C7BACC46FFA1D967AAC23FE766498486DFCE0DFC39C4B3BD3
7764	IDM1.tmp	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk		binary
		MD5:C16CB3779854EEBC5F6C2E26A171B74E	SHA256:9212DD4D61E2784E25038EEC5E1D28478AC0365C5BB379FE57D89B218C180B5A
7452	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7452.42097\IDM_6.4x_Crack_v19.7.exe		executable
		MD5:27016937B5781C4F84B6B3432170F4D0	SHA256:FC1A02B509B8F351AC45BD45EFD4E7296B365545A48FFD6A14E8E07BC7189155

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4120	firefox.exe	POST	200	184.24.77.81:80	http://r11.o.lencr.org/	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4120	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4120	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
4120	firefox.exe	POST	200	184.24.77.81:80	http://r11.o.lencr.org/	unknown	—	—	whitelisted
4120	firefox.exe	POST	200	18.173.205.57:80	http://ocsps.ssl.com/	unknown	—	—	whitelisted
7896	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4120	firefox.exe	POST	200	172.217.16.131:80	http://o.pki.goog/we2	unknown	—	—	whitelisted
4120	firefox.exe	POST	200	184.24.77.79:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.5:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2112	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
crl.microsoft.com	23.216.77.25 23.216.77.30 23.216.77.18 23.216.77.31 23.216.77.29 23.216.77.19 23.216.77.20 23.216.77.15 23.216.77.13	whitelisted
google.com	142.250.184.206	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	20.190.160.5 40.126.32.76 40.126.32.138 20.190.160.132 40.126.32.68 20.190.160.3 40.126.32.134 40.126.32.140 20.190.160.22 20.190.160.2 20.190.160.67 20.190.160.65 40.126.32.72 40.126.32.133 20.190.160.64 20.190.160.14	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
www.internetdownloadmanager.com	169.61.27.133	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
example.org	96.7.128.192 23.215.0.132 23.215.0.133 96.7.128.186	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

temp.7z

AF489A7D0EE58A9AFA1388658D3CEFFB

6FCC1A8636D1C15CA726860DD57051939337861C

8AC56E90F27D3F62EA566257AD1E48022FF4CE5CD2A54D9DA3DE6246B435C54A

98304:4t9ZRligm7JREIxBfQ6BmSfrK8u5K/8WJ9emmwuiuXlIUhBb+rQbbRfM3Lsip6A3:VVeD7wnvgjFo7gxr1HJlg3vKPWxd7b

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Registers / Runs the DLL via REGSVR32.EXE

Changes the autorun value in the registry

Starts NET.EXE for service management

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Starts application with an unusual extension

The process creates files with name similar to system file names

Creates a software uninstall entry

Creates/Modifies COM task schedule object

Executable content was dropped or overwritten

Uses RUNDLL32.EXE to load library

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

Creates or modifies Windows services

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Application launched itself

Uses REG/REGEDIT.EXE to modify registry

Starts POWERSHELL.EXE for commands execution

Hides command output

Possibly malicious use of IEX has been detected

Probably obfuscated PowerShell command line is found

There is functionality for taking screenshot (YARA)

INFO

The sample compiled with english language support

Reads the computer name

Checks supported languages

Executable content was dropped or overwritten

Create files in a temporary directory

INTERNETDOWNLOADMANAGER mutex has been found

Process checks computer location settings

Reads the machine GUID from the registry

Disables trace logs

Reads the software policy settings

Creates files in the program directory

Creates files or folders in the user directory

Application launched itself

Manual execution by a user

Reads the time zone

Reads security settings of Internet Explorer

Checks proxy server information

Checks operating system version

Checks whether the specified file exists (POWERSHELL)

Changes the display of characters in the console

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules