Malware analysis https://vipmolik.net/internet/1000-internet-download-manager-606-build-8-final-zakachka-faylov-iz-interneta.html Malicious activity

Add for printing

URL:	https://vipmolik.net/internet/1000-internet-download-manager-606-build-8-final-zakachka-faylov-iz-interneta.html
Full analysis:	https://app.any.run/tasks/92726468-9f53-48ad-87bb-d765464bc189
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 21:49:20
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer arch-doc arch-html bittorrent loader arch-exec opera tool crypto-regex idm golang auto generic
Indicators:
MD5:	BA3BC081A44C4D596A8142163375C366
SHA1:	1A3EE5A965B770AFF252F0B505B2F7E649DAFB51
SHA256:	AE905D733B2959A119FDA47D9BBB27A6CE72CA58240DFE0B121FBCA6EE3BDCE3
SSDEEP:	3:N8aISgaC5EmIDXuNnNnVcD1J1MfI6J:2Ogt5GDXuNNaDkI6J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - mediaget.exe (PID: 7460)
  - setup.exe (PID: 6808)
  - opera_crashreporter.exe (PID: 8408)
  - opera_crashreporter.exe (PID: 8416)
  - opera_crashreporter.exe (PID: 8672)
  - opera.exe (PID: 8276)
  - browser_assistant.exe (PID: 8200)
  - opera.exe (PID: 8228)
  - opera.exe (PID: 8424)
  - opera_autoupdate.exe (PID: 8636)
  - opera_autoupdate.exe (PID: 5500)
  - IDMan.exe (PID: 9652)
  - 360TS_Setup.exe (PID: 10476)
  - opera_autoupdate.exe (PID: 6868)
  - opera_autoupdate.exe (PID: 1336)
- Changes the autorun value in the registry
  - mediaget.exe (PID: 7460)
  - inf_inst.tmp (PID: 7728)
  - assistant_installer.exe (PID: 7784)
  - opera.exe (PID: 8276)
  - opera.exe (PID: 8228)
  - rundll32.exe (PID: 9564)
- BITTORRENT has been detected (SURICATA)
  - mediaget.exe (PID: 7460)
- Steals credentials from Web Browsers
  - setup.exe (PID: 6808)
  - setup.exe (PID: 4080)
  - setup.exe (PID: 8100)
  - setup.exe (PID: 7576)
  - assistant_installer.exe (PID: 5876)
  - assistant_installer.exe (PID: 7984)
  - installer.exe (PID: 6656)
  - installer.exe (PID: 7920)
  - assistant_installer.exe (PID: 6768)
  - assistant_installer.exe (PID: 7784)
  - assistant_installer.exe (PID: 4768)
  - assistant_installer.exe (PID: 5768)
  - opera_crashreporter.exe (PID: 8408)
  - opera_crashreporter.exe (PID: 8416)
  - opera.exe (PID: 8244)
  - opera.exe (PID: 8592)
  - opera.exe (PID: 8276)
  - opera_crashreporter.exe (PID: 8672)
  - opera_crashreporter.exe (PID: 8968)
  - opera.exe (PID: 8928)
  - browser_assistant.exe (PID: 8520)
  - opera_crashreporter.exe (PID: 9072)
  - opera.exe (PID: 9032)
  - browser_assistant.exe (PID: 8200)
  - opera_crashreporter.exe (PID: 9184)
  - opera_crashreporter.exe (PID: 5008)
  - opera.exe (PID: 9176)
  - opera_crashreporter.exe (PID: 8336)
  - opera.exe (PID: 9064)
  - opera.exe (PID: 8228)
  - opera.exe (PID: 8424)
  - installer.exe (PID: 7956)
  - installer.exe (PID: 9096)
  - opera_autoupdate.exe (PID: 8636)
  - opera_autoupdate.exe (PID: 5500)
  - opera_autoupdate.exe (PID: 9116)
  - opera_autoupdate.exe (PID: 6340)
  - opera_autoupdate.exe (PID: 1336)
  - opera_autoupdate.exe (PID: 6868)
- Registers / Runs the DLL via REGSVR32.EXE
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - Uninstall.exe (PID: 9592)
  - IDMan.exe (PID: 2972)
  - IDMan.exe (PID: 9652)
- GENERIC has been found (auto)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - rundll32.exe (PID: 9564)
  - drvinst.exe (PID: 9524)
- Starts NET.EXE for service management
  - Uninstall.exe (PID: 9592)
  - net.exe (PID: 9900)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - setup.exe (PID: 6808)
  - mediaget.exe (PID: 7460)
  - antivirus360.exe (PID: 2160)
  - installer.exe (PID: 6656)
  - browser_assistant.exe (PID: 8200)
  - Uninstall.exe (PID: 9592)
  - IDMan.exe (PID: 2972)
  - IDMan.exe (PID: 9652)
  - 360TS_Setup.exe (PID: 10476)
- Reads Microsoft Outlook installation path
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
- Executable content was dropped or overwritten
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - inf_inst.tmp (PID: 7728)
  - inf_inst.exe (PID: 7784)
  - opera_binst.exe (PID: 7084)
  - setup.exe (PID: 6808)
  - setup.exe (PID: 4080)
  - setup.exe (PID: 8100)
  - setup.exe (PID: 3652)
  - setup.exe (PID: 7576)
  - antivirus360.exe (PID: 2160)
  - installer.exe (PID: 6656)
  - installer.exe (PID: 7920)
  - mediaget.exe (PID: 7460)
  - assistant_installer.exe (PID: 7784)
  - Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 6612)
  - installer.exe (PID: 9096)
  - installer.exe (PID: 7956)
  - installer.exe (PID: 10200)
  - Internet Download Manager 6.42.41.exe (PID: 9072)
  - opera_autoupdate.exe (PID: 9116)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - rundll32.exe (PID: 9564)
  - drvinst.exe (PID: 9524)
  - IDMan.exe (PID: 2972)
  - opera.exe (PID: 10172)
  - 360TS_Setup.exe (PID: 10476)
  - 360TS_Setup.exe (PID: 10360)
- Reads Internet Explorer settings
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
- Process drops legitimate windows executable
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - assistant_installer.exe (PID: 7784)
  - mediaget.exe (PID: 7460)
  - Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 6612)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - 360TS_Setup.exe (PID: 10476)
- The process drops C-runtime libraries
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - mediaget.exe (PID: 7460)
- Creates a software uninstall entry
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - installer.exe (PID: 6656)
- Reads the Windows owner or organization settings
  - inf_inst.tmp (PID: 7728)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
- Potential Corporate Privacy Violation
  - mediaget.exe (PID: 7460)
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - antivirus360.exe (PID: 2160)
- Adds/modifies Windows certificates
  - QtWebEngineProcess.exe (PID: 8048)
- Application launched itself
  - setup.exe (PID: 6808)
  - setup.exe (PID: 8100)
  - assistant_installer.exe (PID: 5876)
  - installer.exe (PID: 6656)
  - assistant_installer.exe (PID: 7784)
  - assistant_installer.exe (PID: 5768)
  - browser_assistant.exe (PID: 8200)
  - opera.exe (PID: 8276)
  - opera.exe (PID: 8228)
  - installer.exe (PID: 9096)
  - opera_autoupdate.exe (PID: 8636)
  - opera_autoupdate.exe (PID: 9116)
  - opera_autoupdate.exe (PID: 1336)
- Starts itself from another location
  - setup.exe (PID: 6808)
  - 360TS_Setup.exe (PID: 10360)
- Uses TASKKILL.EXE to kill process
  - mediaget.exe (PID: 7460)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
- Connects to unusual port
  - mediaget.exe (PID: 7460)
- Process requests binary or script from the Internet
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - antivirus360.exe (PID: 2160)
- Found regular expressions for crypto-addresses (YARA)
  - mediaget.exe (PID: 7460)
  - opera.exe (PID: 9064)
- There is functionality for taking screenshot (YARA)
  - QtWebEngineProcess.exe (PID: 7296)
  - QtWebEngineProcess.exe (PID: 7188)
  - QtWebEngineProcess.exe (PID: 5116)
- Searches for installed software
  - installer.exe (PID: 6656)
  - browser_assistant.exe (PID: 8200)
- Reads the date of Windows installation
  - installer.exe (PID: 6656)
  - opera.exe (PID: 8228)
- Process drops python dynamic module
  - mediaget.exe (PID: 7460)
- Reads Mozilla Firefox installation path
  - opera.exe (PID: 8228)
- The process executes via Task Scheduler
  - opera_autoupdate.exe (PID: 9116)
- The process checks if it is being run in the virtual environment
  - opera.exe (PID: 8228)
- Drops a system driver (possible attempt to evade defenses)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - rundll32.exe (PID: 9564)
  - drvinst.exe (PID: 9524)
  - 360TS_Setup.exe (PID: 10476)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 7516)
  - regsvr32.exe (PID: 8976)
  - regsvr32.exe (PID: 8540)
  - regsvr32.exe (PID: 5500)
  - regsvr32.exe (PID: 9292)
  - regsvr32.exe (PID: 9468)
  - regsvr32.exe (PID: 9528)
  - regsvr32.exe (PID: 9432)
  - IDMan.exe (PID: 2972)
  - regsvr32.exe (PID: 2292)
  - regsvr32.exe (PID: 2232)
  - regsvr32.exe (PID: 9220)
  - regsvr32.exe (PID: 8576)
  - regsvr32.exe (PID: 7748)
  - IDMan.exe (PID: 9652)
  - regsvr32.exe (PID: 9608)
  - regsvr32.exe (PID: 8560)
  - regsvr32.exe (PID: 8804)
  - regsvr32.exe (PID: 8060)
  - regsvr32.exe (PID: 9712)
- Executing commands from a ".bat" file
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
- Uses RUNDLL32.EXE to load library
  - Uninstall.exe (PID: 9592)
- Creates files in the driver directory
  - drvinst.exe (PID: 9524)
- Starts CMD.EXE for commands execution
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 9640)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
- Creates or modifies Windows services
  - drvinst.exe (PID: 5248)
  - Uninstall.exe (PID: 9592)
- Creates file in the systems drive root
  - 360TS_Setup.exe (PID: 10476)
- The process verifies whether the antivirus software is installed
  - 360TS_Setup.exe (PID: 10476)
- Drops 7-zip archiver for unpacking
  - 360TS_Setup.exe (PID: 10476)
INFO
- Reads Environment values
  - identity_helper.exe (PID: 7408)
- Application launched itself
  - msedge.exe (PID: 6672)
  - firefox.exe (PID: 4808)
  - firefox.exe (PID: 7772)
- The sample compiled with english language support
  - msedge.exe (PID: 1984)
  - msedge.exe (PID: 6672)
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - opera_binst.exe (PID: 7084)
  - setup.exe (PID: 6808)
  - setup.exe (PID: 4080)
  - setup.exe (PID: 3652)
  - setup.exe (PID: 8100)
  - setup.exe (PID: 7576)
  - Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 6612)
  - antivirus360.exe (PID: 2160)
  - installer.exe (PID: 7920)
  - installer.exe (PID: 6656)
  - mediaget.exe (PID: 7460)
  - assistant_installer.exe (PID: 7784)
  - installer.exe (PID: 9096)
  - installer.exe (PID: 7956)
  - installer.exe (PID: 10200)
  - opera_autoupdate.exe (PID: 9116)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - rundll32.exe (PID: 9564)
  - drvinst.exe (PID: 9524)
  - IDMan.exe (PID: 2972)
  - opera.exe (PID: 10172)
  - firefox.exe (PID: 7772)
  - 360TS_Setup.exe (PID: 10476)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 1984)
  - msedge.exe (PID: 6672)
  - WinRAR.exe (PID: 10072)
  - firefox.exe (PID: 7772)
- Checks supported languages
  - identity_helper.exe (PID: 7408)
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - mediaget_crashpad_handler.exe (PID: 7444)
  - mediaget.exe (PID: 7460)
  - QtWebEngineProcess.exe (PID: 8048)
  - QtWebEngineProcess.exe (PID: 7296)
  - inf_inst.exe (PID: 7784)
  - QtWebEngineProcess.exe (PID: 7188)
  - inf_inst.tmp (PID: 7728)
  - QtWebEngineProcess.exe (PID: 5116)
  - opera_binst.exe (PID: 7084)
  - setup.exe (PID: 6808)
  - setup.exe (PID: 4080)
  - infatica-service-app.exe (PID: 6756)
  - setup.exe (PID: 3652)
  - setup.exe (PID: 8100)
  - setup.exe (PID: 7576)
  - infatica-service-app.exe (PID: 3688)
  - Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 6612)
  - assistant_installer.exe (PID: 5876)
  - assistant_installer.exe (PID: 7984)
  - antivirus360.exe (PID: 2160)
  - installer.exe (PID: 6656)
  - installer.exe (PID: 7920)
  - assistant_installer.exe (PID: 6768)
  - assistant_installer.exe (PID: 7784)
  - assistant_installer.exe (PID: 5768)
  - assistant_installer.exe (PID: 4768)
  - browser_assistant.exe (PID: 8200)
  - opera.exe (PID: 8244)
  - opera.exe (PID: 8276)
  - opera_crashreporter.exe (PID: 8416)
  - opera_crashreporter.exe (PID: 8408)
  - browser_assistant.exe (PID: 8520)
  - opera.exe (PID: 8592)
  - opera_crashreporter.exe (PID: 8672)
  - opera.exe (PID: 8688)
  - opera.exe (PID: 8680)
  - opera.exe (PID: 8928)
  - opera_crashreporter.exe (PID: 8968)
  - opera.exe (PID: 8756)
  - opera.exe (PID: 9032)
  - opera_crashreporter.exe (PID: 9072)
  - opera.exe (PID: 9064)
  - opera_crashreporter.exe (PID: 5008)
  - opera_crashreporter.exe (PID: 8336)
  - opera.exe (PID: 9176)
  - opera_crashreporter.exe (PID: 9184)
  - opera.exe (PID: 8448)
  - opera.exe (PID: 8228)
  - opera.exe (PID: 8424)
  - opera.exe (PID: 8420)
  - opera.exe (PID: 8720)
  - opera.exe (PID: 8352)
  - opera.exe (PID: 4944)
  - opera.exe (PID: 8708)
  - opera.exe (PID: 8592)
  - opera.exe (PID: 5252)
  - opera.exe (PID: 7532)
  - opera.exe (PID: 4120)
  - opera.exe (PID: 8368)
  - opera.exe (PID: 8076)
  - opera_gx_splash.exe (PID: 8636)
  - opera.exe (PID: 2348)
  - opera.exe (PID: 3000)
  - opera.exe (PID: 6676)
  - opera.exe (PID: 9200)
  - opera.exe (PID: 9212)
  - opera.exe (PID: 9196)
  - opera.exe (PID: 3644)
  - opera.exe (PID: 1056)
  - opera.exe (PID: 9064)
  - opera.exe (PID: 6704)
  - opera.exe (PID: 7696)
  - opera.exe (PID: 4960)
  - opera.exe (PID: 5768)
  - opera.exe (PID: 6876)
  - opera.exe (PID: 5628)
  - opera.exe (PID: 5928)
  - opera.exe (PID: 7672)
  - opera.exe (PID: 3704)
  - opera.exe (PID: 7968)
  - opera.exe (PID: 6340)
  - opera.exe (PID: 7132)
  - opera.exe (PID: 8396)
  - opera.exe (PID: 7908)
  - opera.exe (PID: 8916)
  - opera.exe (PID: 5896)
  - opera.exe (PID: 5928)
  - installer.exe (PID: 7956)
  - opera.exe (PID: 6836)
  - opera.exe (PID: 8708)
  - installer.exe (PID: 9096)
  - opera_autoupdate.exe (PID: 8636)
  - opera_autoupdate.exe (PID: 9116)
  - opera_autoupdate.exe (PID: 5500)
  - opera_autoupdate.exe (PID: 6340)
  - opera.exe (PID: 9124)
  - opera.exe (PID: 2292)
  - opera.exe (PID: 9020)
  - opera.exe (PID: 8484)
  - opera.exe (PID: 8712)
  - opera.exe (PID: 5992)
  - opera.exe (PID: 9040)
  - opera.exe (PID: 9252)
  - opera.exe (PID: 9296)
  - opera.exe (PID: 9376)
  - opera.exe (PID: 9424)
  - opera.exe (PID: 9432)
  - opera.exe (PID: 9512)
  - opera.exe (PID: 9924)
  - opera.exe (PID: 9584)
  - opera.exe (PID: 9612)
  - opera.exe (PID: 9748)
  - opera.exe (PID: 9880)
  - opera.exe (PID: 9824)
  - opera.exe (PID: 10000)
  - opera.exe (PID: 9524)
  - opera.exe (PID: 9532)
  - installer.exe (PID: 10200)
  - Internet Download Manager 6.42.41.exe (PID: 9072)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - Uninstall.exe (PID: 9592)
  - drvinst.exe (PID: 9524)
  - drvinst.exe (PID: 5248)
  - idmBroker.exe (PID: 9932)
  - IDMan.exe (PID: 2972)
  - MediumILStart.exe (PID: 9492)
  - opera.exe (PID: 10172)
  - IDMan.exe (PID: 9652)
  - 360TS_Setup.exe (PID: 10360)
  - 360TS_Setup.exe (PID: 10476)
  - opera.exe (PID: 10956)
  - opera.exe (PID: 10916)
  - opera_autoupdate.exe (PID: 6868)
  - opera.exe (PID: 11196)
  - opera_autoupdate.exe (PID: 1336)
- Reads the computer name
  - identity_helper.exe (PID: 7408)
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - mediaget.exe (PID: 7460)
  - QtWebEngineProcess.exe (PID: 8048)
  - QtWebEngineProcess.exe (PID: 7296)
  - QtWebEngineProcess.exe (PID: 7188)
  - inf_inst.tmp (PID: 7728)
  - QtWebEngineProcess.exe (PID: 5116)
  - setup.exe (PID: 6808)
  - setup.exe (PID: 8100)
  - antivirus360.exe (PID: 2160)
  - installer.exe (PID: 6656)
  - assistant_installer.exe (PID: 7784)
  - assistant_installer.exe (PID: 5768)
  - opera.exe (PID: 8276)
  - browser_assistant.exe (PID: 8200)
  - opera.exe (PID: 8244)
  - assistant_installer.exe (PID: 5876)
  - opera.exe (PID: 8592)
  - opera.exe (PID: 8680)
  - opera.exe (PID: 8928)
  - opera.exe (PID: 9032)
  - opera.exe (PID: 8688)
  - opera.exe (PID: 9176)
  - opera.exe (PID: 8228)
  - opera.exe (PID: 9064)
  - opera.exe (PID: 8448)
  - opera_gx_splash.exe (PID: 8636)
  - opera.exe (PID: 8424)
  - opera.exe (PID: 8396)
  - installer.exe (PID: 9096)
  - opera_autoupdate.exe (PID: 8636)
  - opera_autoupdate.exe (PID: 9116)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - Uninstall.exe (PID: 9592)
  - drvinst.exe (PID: 9524)
  - drvinst.exe (PID: 5248)
  - idmBroker.exe (PID: 9932)
  - IDMan.exe (PID: 2972)
  - MediumILStart.exe (PID: 9492)
  - IDMan.exe (PID: 9652)
  - 360TS_Setup.exe (PID: 10360)
  - 360TS_Setup.exe (PID: 10476)
  - opera.exe (PID: 10956)
  - opera_autoupdate.exe (PID: 1336)
- Launching a file from the Downloads directory
  - msedge.exe (PID: 6672)
- Manual execution by a user
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 4576)
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - assistant_installer.exe (PID: 5768)
  - opera.exe (PID: 8228)
  - WinRAR.exe (PID: 9052)
  - notepad.exe (PID: 10160)
  - WinRAR.exe (PID: 10072)
  - cmd.exe (PID: 9304)
  - firefox.exe (PID: 4808)
- Create files in a temporary directory
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - inf_inst.exe (PID: 7784)
  - inf_inst.tmp (PID: 7728)
  - opera_binst.exe (PID: 7084)
  - setup.exe (PID: 6808)
  - setup.exe (PID: 4080)
  - setup.exe (PID: 3652)
  - setup.exe (PID: 8100)
  - setup.exe (PID: 7576)
  - Assistant_118.0.5461.41_Setup.exe_sfx.exe (PID: 6612)
  - antivirus360.exe (PID: 2160)
  - installer.exe (PID: 7920)
  - installer.exe (PID: 6656)
  - opera.exe (PID: 8228)
  - installer.exe (PID: 9096)
  - installer.exe (PID: 7956)
  - mediaget.exe (PID: 7460)
  - installer.exe (PID: 10200)
  - Internet Download Manager 6.42.41.exe (PID: 9072)
  - opera_autoupdate.exe (PID: 9116)
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - rundll32.exe (PID: 9564)
  - IDMan.exe (PID: 2972)
  - IDMan.exe (PID: 9652)
  - 360TS_Setup.exe (PID: 10360)
  - 360TS_Setup.exe (PID: 10476)
- Checks proxy server information
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - mediaget.exe (PID: 7460)
  - QtWebEngineProcess.exe (PID: 8048)
  - setup.exe (PID: 6808)
  - antivirus360.exe (PID: 2160)
  - slui.exe (PID: 8092)
  - opera.exe (PID: 8276)
  - opera.exe (PID: 8228)
  - browser_assistant.exe (PID: 8200)
  - opera_autoupdate.exe (PID: 8636)
  - opera_autoupdate.exe (PID: 9116)
  - IDMan.exe (PID: 2972)
  - IDMan.exe (PID: 9652)
  - opera_autoupdate.exe (PID: 1336)
  - 360TS_Setup.exe (PID: 10476)
- Creates files or folders in the user directory
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - mediaget.exe (PID: 7460)
  - QtWebEngineProcess.exe (PID: 8048)
  - inf_inst.tmp (PID: 7728)
  - setup.exe (PID: 6808)
  - setup.exe (PID: 4080)
  - setup.exe (PID: 8100)
  - installer.exe (PID: 6656)
  - antivirus360.exe (PID: 2160)
  - assistant_installer.exe (PID: 7784)
  - opera.exe (PID: 8276)
  - browser_assistant.exe (PID: 8200)
  - opera.exe (PID: 8228)
  - opera.exe (PID: 8424)
  - opera_autoupdate.exe (PID: 5500)
  - opera_autoupdate.exe (PID: 8636)
  - opera_autoupdate.exe (PID: 9116)
  - IDMan.exe (PID: 2972)
  - 360TS_Setup.exe (PID: 10476)
  - IDMan.exe (PID: 9652)
  - opera.exe (PID: 10956)
- Process checks computer location settings
  - idm-6-42-41-keys_id557943ids1s.exe (PID: 5008)
  - QtWebEngineProcess.exe (PID: 7296)
  - QtWebEngineProcess.exe (PID: 7188)
  - QtWebEngineProcess.exe (PID: 5116)
  - mediaget.exe (PID: 7460)
  - opera.exe (PID: 8276)
  - opera.exe (PID: 8228)
  - opera.exe (PID: 8592)
  - opera.exe (PID: 7532)
  - opera.exe (PID: 2348)
  - opera.exe (PID: 3000)
  - opera.exe (PID: 6676)
  - opera.exe (PID: 5252)
  - opera.exe (PID: 9200)
  - opera.exe (PID: 9064)
  - opera.exe (PID: 7132)
  - opera.exe (PID: 5896)
  - opera.exe (PID: 6836)
  - opera.exe (PID: 9296)
  - opera.exe (PID: 9124)
  - opera.exe (PID: 9748)
  - opera.exe (PID: 10000)
  - opera.exe (PID: 9924)
  - opera.exe (PID: 9512)
  - Uninstall.exe (PID: 9592)
  - IDMan.exe (PID: 2972)
  - antivirus360.exe (PID: 2160)
  - IDMan.exe (PID: 9652)
  - 360TS_Setup.exe (PID: 10476)
  - opera.exe (PID: 11196)
- Reads the machine GUID from the registry
  - mediaget.exe (PID: 7460)
  - QtWebEngineProcess.exe (PID: 8048)
  - setup.exe (PID: 6808)
  - antivirus360.exe (PID: 2160)
  - installer.exe (PID: 6656)
  - opera.exe (PID: 8276)
  - opera.exe (PID: 8228)
  - browser_assistant.exe (PID: 8200)
  - opera_autoupdate.exe (PID: 9116)
  - opera_autoupdate.exe (PID: 5500)
  - opera_autoupdate.exe (PID: 8636)
  - opera_autoupdate.exe (PID: 6340)
  - drvinst.exe (PID: 9524)
  - 360TS_Setup.exe (PID: 10476)
  - opera.exe (PID: 10956)
  - opera_autoupdate.exe (PID: 6868)
  - opera_autoupdate.exe (PID: 1336)
- Launching a file from a Registry key
  - mediaget.exe (PID: 7460)
  - inf_inst.tmp (PID: 7728)
  - assistant_installer.exe (PID: 7784)
  - opera.exe (PID: 8276)
  - opera.exe (PID: 8228)
  - rundll32.exe (PID: 9564)
- Reads the software policy settings
  - QtWebEngineProcess.exe (PID: 8048)
  - setup.exe (PID: 6808)
  - installer.exe (PID: 6656)
  - slui.exe (PID: 8092)
  - browser_assistant.exe (PID: 8200)
  - drvinst.exe (PID: 9524)
  - 360TS_Setup.exe (PID: 10476)
- Disables trace logs
  - antivirus360.exe (PID: 2160)
  - IDMan.exe (PID: 2972)
  - IDMan.exe (PID: 9652)
- OPERA mutex has been found
  - opera.exe (PID: 8276)
  - opera.exe (PID: 8228)
  - browser_assistant.exe (PID: 8200)
  - opera_autoupdate.exe (PID: 8636)
  - opera_autoupdate.exe (PID: 9116)
  - opera_autoupdate.exe (PID: 1336)
- Application based on Golang
  - infatica-service-app.exe (PID: 3688)
- Detects GO elliptic curve encryption (YARA)
  - infatica-service-app.exe (PID: 3688)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 10160)
  - runonce.exe (PID: 9836)
- The sample compiled with russian language support
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - 360TS_Setup.exe (PID: 10476)
- Creates files in the program directory
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
  - IDMan.exe (PID: 2972)
  - 360TS_Setup.exe (PID: 10360)
  - 360TS_Setup.exe (PID: 10476)
- Creates a software uninstall entry
  - Internet Download Manager 6.42.41.tmp (PID: 8832)
- Reads the time zone
  - runonce.exe (PID: 9836)
- INTERNETDOWNLOADMANAGER mutex has been found
  - IDMan.exe (PID: 2972)
  - IDMan.exe (PID: 9652)
- Process checks whether UAC notifications are on
  - IDMan.exe (PID: 9652)
- Reads Microsoft Office registry keys
  - firefox.exe (PID: 7772)
- Reads CPU info
  - opera.exe (PID: 8228)
- The sample compiled with chinese language support
  - 360TS_Setup.exe (PID: 10360)
  - 360TS_Setup.exe (PID: 10476)
- The sample compiled with turkish language support
  - 360TS_Setup.exe (PID: 10476)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

568

Monitored processes

412

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

432

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=6816,i,1724692224239861215,14648539650455627234,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

536

reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /F

C:\Windows\SysWOW64\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1056

"C:\Users\admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --no-pre-read-main-dll --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=on --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-dropdown-keyword-ads=on --with-feature:address-bar-keywords-monetization=on --with-feature:ai-tab-management=on --with-feature:ai-writing-mode-in-context-menu=on --with-feature:amazon-bookmarks-tags-update=on --with-feature:amp-requests-stats=on --with-feature:aria-in-tab-view=on --with-feature:bluesky-in-sidebar=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-amazon-us-associates=off --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:discord-in-sidebar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:hide-navigations-from-extensions=on --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:slack-in-sidebar=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:suggestion-redirect-handler=on --with-feature:installer-experiment-test=off --ab_tests=DNA-121339-1:DNA-121339 --field-trial-handle=1936,i,1138391738563264833,767673769694733159,262144 --disable-features=CertificateTransparencyAskBeforeEnabling,PlatformSoftwareH264EncoderInGpu,UpdatableKeyPins --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:8

C:\Users\admin\AppData\Local\Programs\Opera\opera.exe

—

opera.exe

User:

admin

Company:

Opera Software

Integrity Level:

LOW

Description:

Opera Internet Browser

Exit code:

Version:

119.0.5497.94

Modules

Images
c:\users\admin\appdata\local\programs\opera\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\opera\119.0.5497.94\opera_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll

1096

reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /F

C:\Windows\SysWOW64\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1268

reg delete "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /F

C:\Windows\SysWOW64\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1268

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

—

IDMan.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1336

"C:\Users\admin\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe" --edition --host=https://autoupdate.opera.com/ --installationdatadir="C:\Users\admin\AppData\Local\Programs\Opera" --installdir="C:\Users\admin\AppData\Local\Programs\Opera" --lang=en-US --pipeid --producttype --requesttype=shutdown --version=119.0.5497.94 --enableipv6 --bypasslauncher --user-data-dir="C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Default" --firstrunver=119.0.5497.94 --firstrunts=1750542679 --consent-info=eyJzdGF0aXN0aWNzX2NvbGxlY3Rpb25fZW5hYmxlZCI6dHJ1ZSwidXNlcl9leHBlcmllbmNlX21ldHJpY3NfcmVwb3J0aW5nX2VuYWJsZWQiOnRydWV9

C:\Users\admin\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe

opera.exe

User:

admin

Company:

Opera Software

Integrity Level:

MEDIUM

Description:

Opera auto-updater

Exit code:

Version:

119.0.5497.94

Modules

Images
c:\users\admin\appdata\local\programs\opera\autoupdate\opera_autoupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

1704

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

—

IDMan.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1712

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffc43bdf208,0x7ffc43bdf214,0x7ffc43bdf220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1808

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

taskkill.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

78 795

Read events

76 665

Write events

1 652

Delete events

478

Modification events


(PID) Process:	(6672) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6672) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6672) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value:
(PID) Process:	(6672) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(6672) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(3756) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3756) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3756) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3756) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(3756) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:	write	Name:	SecuritySafe
Value: 1

Add for printing

Executable files

1 386

Suspicious files

2 254

Text files

1 777

Unknown types

Dropped files

PID	Process	Filename		Type
6672	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1767a3.TMP		—
		MD5:—	SHA256:—
6672	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
6672	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1767b3.TMP		—
		MD5:—	SHA256:—
6672	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
6672	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1767b3.TMP		—
		MD5:—	SHA256:—
6672	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old		—
		MD5:—	SHA256:—
6672	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1767e1.TMP		—
		MD5:—	SHA256:—
6672	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
6672	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1767b3.TMP		—
		MD5:—	SHA256:—
6672	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

145

TCP/UDP connections

5 313

DNS requests

345

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1984	msedge.exe	GET	200	150.171.28.11:80	http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:EnpHBYtk-fW4s9UFsJrNVurWUs0Bo1VAmebxtg9m_Q8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	unknown	—	—	whitelisted
5012	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.55.104.190:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7404	svchost.exe	HEAD	200	208.89.74.19:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1751048712&P2=404&P3=2&P4=DkbWPdjOrxFvsmeGh5CWJ18u3j%2f6xfqSDdcmej%2fSZ5tTeoH8lji%2b%2fc%2fB1u0Qbu7K9iNWJFZ1U%2b4Jw%2fZSa%2fEYgQ%3d%3d	unknown	—	—	whitelisted
7568	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7568	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7404	svchost.exe	GET	206	208.89.74.19:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1751048712&P2=404&P3=2&P4=DkbWPdjOrxFvsmeGh5CWJ18u3j%2f6xfqSDdcmej%2fSZ5tTeoH8lji%2b%2fc%2fB1u0Qbu7K9iNWJFZ1U%2b4Jw%2fZSa%2fEYgQ%3d%3d	unknown	—	—	whitelisted
7404	svchost.exe	GET	206	208.89.74.19:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1751048712&P2=404&P3=2&P4=DkbWPdjOrxFvsmeGh5CWJ18u3j%2f6xfqSDdcmej%2fSZ5tTeoH8lji%2b%2fc%2fB1u0Qbu7K9iNWJFZ1U%2b4Jw%2fZSa%2fEYgQ%3d%3d	unknown	—	—	whitelisted
7404	svchost.exe	GET	200	208.89.74.19:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/4c4fdee0-d69c-42b7-bf5c-3ec046e9dfc9?P1=1751048714&P2=404&P3=2&P4=Qg7HlE35Y2IW3Rh7LOyEubjeKwVOhyKR%2fMmsQR6Y7rGM%2fEUfyTtM5ch9q9xqnzVxxEgSfeRylfhbj9O5jHkikA%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1508	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1984	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1984	msedge.exe	150.171.28.11:80	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1984	msedge.exe	2.16.241.224:443	copilot.microsoft.com	Akamai International B.V.	DE	whitelisted
1984	msedge.exe	150.171.28.11:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1984	msedge.exe	91.201.113.214:443	vipmolik.net	Informational-measuring systems Ltd.	RU	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.186.78	whitelisted
vipmolik.net	91.201.113.214	unknown
edge.microsoft.com	150.171.28.11 150.171.27.11	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
copilot.microsoft.com	2.16.241.224 2.16.241.220	whitelisted
www.bing.com	2.16.241.201 2.16.241.218 104.126.37.130 104.126.37.128 104.126.37.139 104.126.37.176 104.126.37.123 104.126.37.163 104.126.37.131 2.23.227.215 2.23.227.208	whitelisted
counter.yadro.ru	88.212.201.198 88.212.202.52 88.212.201.204	whitelisted
arc.msn.com	20.31.169.57 20.223.36.55	whitelisted
xpaywalletcdn.azureedge.net	13.107.246.44	whitelisted

Threats

PID	Process	Class	Message
7460	mediaget.exe	Misc activity	INFO [ANY.RUN] P2P BitTorrent Protocol
7460	mediaget.exe	Potential Corporate Privacy Violation	ET P2P Vuze BT UDP Connection (5)
2200	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5008	idm-6-42-41-keys_id557943ids1s.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
5008	idm-6-42-41-keys_id557943ids1s.exe	Misc activity	ET INFO Packed Executable Download
7460	mediaget.exe	Potential Corporate Privacy Violation	ET P2P BitTorrent Announce
7460	mediaget.exe	Potential Corporate Privacy Violation	GPL P2P BitTorrent announce request
7460	mediaget.exe	Misc activity	INFO [ANY.RUN] P2P BitTorrent Protocol
7460	mediaget.exe	Misc activity	INFO [ANY.RUN] P2P BitTorrent Protocol
2160	antivirus360.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
mediaget.exe	AUTOSELECT OGL
mediaget.exe	> __thiscall Application::Application(int &,char *[])
mediaget.exe	os version: "10.0.19045v" __ os name: "Windows 10 Version 2009"
mediaget.exe	> int __thiscall Application::exec(void)
mediaget.exe	> __thiscall MediagetServerSettings::MediagetServerSettings(void)
mediaget.exe	INSTALL ID: "" _ OLD ID: ""
mediaget.exe	> void __thiscall MediagetServerSettings::flushSettings(void)
mediaget.exe	reseller - "" installId ""
assistant_installer.exe	[0621/215100.194:INFO:assistant_installer_main.cc(168)] Running assistant installer with command line "C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202506212150441\assistant\assistant_installer.exe" --version
assistant_installer.exe	[0621/215115.434:INFO:assistant_installer_main.cc(168)] Running assistant installer with command line "C:\Users\admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202506212150441\assistant\assistant_installer.exe" --installfolder="C:\Users\admin\AppData\Local\Programs\Opera\assistant" --copyonly=0 --allusers=0

General Info

https://vipmolik.net/internet/1000-internet-download-manager-606-build-8-final-zakachka-faylov-iz-interneta.html

BA3BC081A44C4D596A8142163375C366

1A3EE5A965B770AFF252F0B505B2F7E649DAFB51

AE905D733B2959A119FDA47D9BBB27A6CE72CA58240DFE0B121FBCA6EE3BDCE3

3:N8aISgaC5EmIDXuNnNnVcD1J1MfI6J:2Ogt5GDXuNNaDkI6J

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Changes the autorun value in the registry

BITTORRENT has been detected (SURICATA)

Steals credentials from Web Browsers

Registers / Runs the DLL via REGSVR32.EXE

GENERIC has been found (auto)

Starts NET.EXE for service management

SUSPICIOUS

Reads security settings of Internet Explorer

Reads Microsoft Outlook installation path

Executable content was dropped or overwritten

Reads Internet Explorer settings

Process drops legitimate windows executable

The process drops C-runtime libraries

Creates a software uninstall entry

Reads the Windows owner or organization settings

Potential Corporate Privacy Violation

Adds/modifies Windows certificates

Application launched itself

Starts itself from another location

Uses TASKKILL.EXE to kill process

Connects to unusual port

Process requests binary or script from the Internet

Found regular expressions for crypto-addresses (YARA)

There is functionality for taking screenshot (YARA)

Searches for installed software

Reads the date of Windows installation

Process drops python dynamic module

Reads Mozilla Firefox installation path

The process executes via Task Scheduler

The process checks if it is being run in the virtual environment

Drops a system driver (possible attempt to evade defenses)

Creates/Modifies COM task schedule object

Executing commands from a ".bat" file

Uses RUNDLL32.EXE to load library

Creates files in the driver directory

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Creates or modifies Windows services

Creates file in the systems drive root

The process verifies whether the antivirus software is installed

Drops 7-zip archiver for unpacking

INFO

Reads Environment values

Application launched itself

The sample compiled with english language support

Executable content was dropped or overwritten

Checks supported languages

Reads the computer name

Launching a file from the Downloads directory

Manual execution by a user

Create files in a temporary directory

Checks proxy server information

Creates files or folders in the user directory

Process checks computer location settings

Reads the machine GUID from the registry

Launching a file from a Registry key

Reads the software policy settings

Disables trace logs

OPERA mutex has been found

Application based on Golang

Detects GO elliptic curve encryption (YARA)

Reads security settings of Internet Explorer

The sample compiled with russian language support

Creates files in the program directory

Creates a software uninstall entry

Reads the time zone

INTERNETDOWNLOADMANAGER mutex has been found