File name: Internet Download Manager 6.42 Build 19.rar

Full analysis: https://app.any.run/tasks/20bcca2b-9298-45e0-8f41-647825867fc7
Verdict: Malicious activity
Analysis date: August 13, 2024, 16:52:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 8D38A6F851BE90311A7DE520F023C197
SHA1: 6811FFFDE1E692DEC6FA8938011599F5A531B654
SHA256: 8B45D354CE43E173BAC841E4A0A05FB641D1D17519BFEC657E1FEF6558B3DB27
SSDEEP: 98304:p6foyATjd9P6QHiFJs4iYBfp3uNPw5y5zi9GpKHuo4FdyXLS7lnoBBwFhgFnE2us:7xlOcIhpvjpUJquFrsb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • IDM1.tmp (PID: 300)
      • IDMan.exe (PID: 6676)
      • Uninstall.exe (PID: 6720)
      • IDMan.exe (PID: 8496)
    • Starts NET.EXE for service management

      • net.exe (PID: 7400)
      • Uninstall.exe (PID: 6720)
  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • IDM Crack.exe (PID: 5068)
      • cmd.exe (PID: 2092)
      • cmd.exe (PID: 5052)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5052)
      • IDM Crack.exe (PID: 5068)
      • cmd.exe (PID: 5588)
      • cmd.exe (PID: 8856)
      • cmd.exe (PID: 8980)
    • Executing commands from a ".bat" file

      • IDM Crack.exe (PID: 5068)
      • cmd.exe (PID: 5052)
      • cmd.exe (PID: 8856)
    • Application launched itself

      • cmd.exe (PID: 5588)
      • cmd.exe (PID: 5052)
      • cmd.exe (PID: 8856)
      • cmd.exe (PID: 8980)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 5052)
      • cmd.exe (PID: 8856)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5052)
      • cmd.exe (PID: 6620)
      • cmd.exe (PID: 1608)
      • cmd.exe (PID: 8856)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 5052)
      • cmd.exe (PID: 8856)
    • Starts application with an unusual extension

      • idman642build19.exe (PID: 4088)
      • cmd.exe (PID: 5052)
    • Hides command output

      • cmd.exe (PID: 6620)
      • cmd.exe (PID: 2092)
    • Creates a software uninstall entry

      • IDM1.tmp (PID: 300)
    • The process creates files with name similar to system file names

      • IDM1.tmp (PID: 300)
    • Creates/Modifies COM task schedule object

      • IDM1.tmp (PID: 300)
      • regsvr32.exe (PID: 6236)
      • regsvr32.exe (PID: 1108)
      • IDMan.exe (PID: 6676)
      • regsvr32.exe (PID: 300)
      • regsvr32.exe (PID: 1184)
      • regsvr32.exe (PID: 6260)
      • regsvr32.exe (PID: 7056)
      • regsvr32.exe (PID: 4168)
    • Reads security settings of Internet Explorer

      • IDM1.tmp (PID: 300)
      • IDMan.exe (PID: 6676)
      • Uninstall.exe (PID: 6720)
    • Reads the date of Windows installation

      • IDM1.tmp (PID: 300)
      • IDMan.exe (PID: 6676)
      • Uninstall.exe (PID: 6720)
    • Executable content was dropped or overwritten

      • IDMan.exe (PID: 6676)
      • rundll32.exe (PID: 6448)
      • drvinst.exe (PID: 7272)
      • IDM Crack.exe (PID: 5068)
    • Drops the executable file immediately after the start

      • IDMan.exe (PID: 6676)
      • drvinst.exe (PID: 7272)
      • IDM Crack.exe (PID: 5068)
    • Checks Windows Trust Settings

      • IDMan.exe (PID: 6676)
    • Uses RUNDLL32.EXE to load library

      • Uninstall.exe (PID: 6720)
    • Drops a system driver (possible attempt to evade defenses)

      • rundll32.exe (PID: 6448)
      • drvinst.exe (PID: 7272)
    • Creates files in the driver directory

      • drvinst.exe (PID: 7272)
  • INFO

    • Checks supported languages

      • TextInputHost.exe (PID: 6452)
      • IDM Crack.exe (PID: 5068)
      • idman642build19.exe (PID: 4088)
      • IDM1.tmp (PID: 300)
      • IDMan.exe (PID: 6676)
      • idmBroker.exe (PID: 6736)
      • chcp.com (PID: 4080)
      • Uninstall.exe (PID: 6720)
      • drvinst.exe (PID: 7272)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6492)
    • Manual execution by a user

      • IDM Crack.exe (PID: 4604)
      • IDM Crack.exe (PID: 5068)
      • idman642build19.exe (PID: 4088)
      • idman642build19.exe (PID: 4132)
      • firefox.exe (PID: 6788)
    • Reads the computer name

      • IDM Crack.exe (PID: 5068)
      • TextInputHost.exe (PID: 6452)
      • idman642build19.exe (PID: 4088)
      • IDM1.tmp (PID: 300)
      • idmBroker.exe (PID: 6736)
      • IDMan.exe (PID: 6676)
      • Uninstall.exe (PID: 6720)
    • Create files in a temporary directory

      • IDM Crack.exe (PID: 5068)
      • idman642build19.exe (PID: 4088)
      • IDM1.tmp (PID: 300)
      • reg.exe (PID: 6716)
      • IDMan.exe (PID: 6676)
      • rundll32.exe (PID: 6448)
    • Checks operating system version

      • cmd.exe (PID: 5052)
      • cmd.exe (PID: 8856)
    • Creates files in the program directory

      • IDM1.tmp (PID: 300)
      • IDMan.exe (PID: 6676)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4920)
      • powershell.exe (PID: 6448)
    • Creates files or folders in the user directory

      • IDM1.tmp (PID: 300)
      • IDMan.exe (PID: 6676)
    • Process checks computer location settings

      • IDM1.tmp (PID: 300)
      • IDMan.exe (PID: 6676)
      • Uninstall.exe (PID: 6720)
    • Changes the display of characters in the console

      • chcp.com (PID: 4080)
    • Reads the machine GUID from the registry

      • IDMan.exe (PID: 6676)
    • Checks proxy server information

      • IDMan.exe (PID: 6676)
    • Reads the software policy settings

      • IDMan.exe (PID: 6676)
    • Disables trace logs

      • IDMan.exe (PID: 6676)
    • Reads Microsoft Office registry keys

      • IDMan.exe (PID: 6676)
    • Application launched itself

      • firefox.exe (PID: 6788)
      • firefox.exe (PID: 4232)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 269
Monitored processes: 132
Malicious processes: 8
Suspicious processes: 0


Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: "C:\Users\admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\admin\AppData\Local\Temp\IDM_Setup_Temp\"
Path: C:\Users\admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
Parent process: idman642build19.exe
User: admin
Company: Tonec Inc.
Integrity Level: HIGH
Description: Internet Download Manager installer
Exit code: 0
Version: 6, 42, 7, 1
Modules (images):
c:\users\admin\appdata\local\temp\idm_setup_temp\idm1.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 300
CMD: /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 532
CMD: reg query "HKCU\Console" /v ForceV2
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 644
CMD: cmd
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
PID: 1108
CMD: /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1132
CMD: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: IDM1.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1184
CMD: reg delete HKU\S-1-5-21-1693682860-607145093-2874071422-1001\IAS_TEST /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1184
CMD: /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1608
CMD: C:\WINDOWS\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2092
CMD: C:\WINDOWS\system32\cmd.exe /c reg query "HKU\S-1-5-21-1693682860-607145093-2874071422-1001\Software\DownloadManager" /v ExePath 2>nul
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 46 040
Read events: 45 622
Write events: 291
Delete events: 127

Modification events

(PID) Process: (6492) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
(PID) Process: (6492) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
(PID) Process: (6492) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process: (6492) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Downloads\Internet Download Manager 6.42 Build 19.rar
(PID) Process: (6492) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (6492) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (6492) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (6492) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (6492) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0
(PID) Process: (6492) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin | Operation: write | Name: Placement | Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D00000037000000FD03000020020000
Executable files: 17
Suspicious files: 62
Text files: 39
Unknown types: 37

Dropped files

PID
Process
Filename
Type
PID 6492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb6492.28582\Internet Download Manager 6.42 Build 19\MORE DOWNLOAD.url | Type: url
MD5: 63C65B6A41E742752A7E38E12477307E
SHA256: E9A1102EF465ADC321DD44D72A85EAECF01CBCEC9846B382D0C22377FC1F26CA
PID 6492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb6492.28582\Internet Download Manager 6.42 Build 19\idman642build19.exe | Type: executable
MD5: 192103BACEF3A33B70CECB80A1460ACF
SHA256: 25095F71F564F688BBBCEDAD14A192A7AD47CC4D8B14B3734423C0A955B5E8D7
PID 6492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb6492.28582\Internet Download Manager 6.42 Build 19\CRACK\IDM Crack.exe | Type: executable
MD5: 27016937B5781C4F84B6B3432170F4D0
SHA256: FC1A02B509B8F351AC45BD45EFD4E7296B365545A48FFD6A14E8E07BC7189155
PID 6492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb6492.28582\Internet Download Manager 6.42 Build 19\CRACK\Changelog.txt | Type: text
MD5: C7CDF298B248180D987227FD063C65A6
SHA256: 69E6385F6ED7D9028E1574A67D76B0B077CC28E6AA833DA7E4ADA043FA4F34A4
PID 4920 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Type: binary
MD5: 62E4122AC5FC4A0D8F22DC50747637A1
SHA256: 2F601EA34C8476F8188B7683CF9AF2F2EBFC1B6B87BA2EAD7BF29211CCD83BA6
PID 4920 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d4q55iyg.vqt.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 4920 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fho3fcoo.ogr.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 5068 | IDM Crack.exe | C:\Users\admin\AppData\Local\Temp\BATCLEN.bat | Type: text
MD5: 9FE22C4AD624881F8F0977CC7614346F
SHA256: 12B47C1949CC555C2F68F9FD4677ED5266F25C4DA4630BEC36E303629B133225
PID 5068 | IDM Crack.exe | C:\Users\admin\AppData\Local\Temp\IDMRegClean.reg | Type: text
MD5: 73C023B1480CC88BE4D7761EF11A7703
SHA256: 9C7F6CE7CE6FA4093A20CFA3C1A6D2CDD7D5307AFF7405830C898A21F154ED68
PID 5600 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ztyjpyjx.m2q.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 51
DNS requests: 88
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST | 200 | 184.24.77.54:80 | http://r11.o.lencr.org/ | unknown | unknown
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1948 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1948 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6864 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6900 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
POST | 200 | 142.250.186.67:80 | http://o.pki.goog/wr2 | unknown | unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4760 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2680 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
5336 | SearchApp.exe | 184.86.251.21:443 | www.bing.com | Akamai International B.V. | DE | unknown
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1948 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1948 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
www.bing.com
  • 184.86.251.21
  • 184.86.251.9
  • 184.86.251.25
  • 184.86.251.10
  • 184.86.251.20
  • 184.86.251.14
  • 184.86.251.7
  • 184.86.251.11
  • 184.86.251.30
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.64
  • 20.190.159.68
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.4
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
th.bing.com
  • 184.86.251.14
  • 184.86.251.30
  • 184.86.251.10
  • 184.86.251.20
  • 184.86.251.7
  • 184.86.251.25
  • 184.86.251.9
  • 184.86.251.21
  • 184.86.251.11
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted
r.bing.com
  • 184.86.251.11
  • 184.86.251.20
  • 184.86.251.29
  • 184.86.251.30
  • 184.86.251.14
  • 184.86.251.28
  • 184.86.251.21
  • 184.86.251.25
  • 184.86.251.10
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
No debug info