File name:

IDM_6.4x_Crack_v20.1.exe

Full analysis: https://app.any.run/tasks/0288bb2f-a11b-40af-90df-e7d5e2e6b0ca
Verdict: Malicious activity
Analysis date: April 29, 2025, 07:54:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

832EAC4526E3E0C9A96EA29D90A5B521

SHA1:

8B89CC3C79310BCAEB3428A86C64AB609F1333F5

SHA256:

C1BD821751C7F0ECD0741103EEF6888025F4509229E0C11F1CD436BF334AA240

SSDEEP:

1536:Se+j44X5OjRrmLlgOypw5JM8uaT3kDculsKdrX+UXaf+blAj:Se+04Xool46Lia/fKBXnq2blAj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 1072)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 1072)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 1072)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 5744)

    • Changes powershell execution policy (Bypass)

      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 1072)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 5744)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4756)
      • cmd.exe (PID: 4892)
      • cmd.exe (PID: 664)
      • powershell.exe (PID: 4336)
      • cmd.exe (PID: 6004)
      • cmd.exe (PID: 6700)
      • powershell.exe (PID: 6700)
      • cmd.exe (PID: 4728)
      • cmd.exe (PID: 4424)
      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)

    • Executing commands from a ".bat" file

      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)
      • cmd.exe (PID: 4756)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 1072)

    • The process executes VB scripts

      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)

    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 1072)

    • Application launched itself

      • cmd.exe (PID: 4892)
      • cmd.exe (PID: 6004)
      • cmd.exe (PID: 6700)
      • cmd.exe (PID: 4424)
      • cmd.exe (PID: 4728)
      • cmd.exe (PID: 4756)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4756)
      • cmd.exe (PID: 5352)
      • cmd.exe (PID: 1512)
      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)
      • cmd.exe (PID: 4652)
      • cmd.exe (PID: 6004)
      • cmd.exe (PID: 2384)
      • cmd.exe (PID: 4424)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 4756)
      • cmd.exe (PID: 4652)
      • cmd.exe (PID: 2384)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 4756)
      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)
      • cmd.exe (PID: 4652)
      • cmd.exe (PID: 2384)

    • Hides command output

      • cmd.exe (PID: 5352)
      • cmd.exe (PID: 1348)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1348)
      • cmd.exe (PID: 4756)
      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)

    • Starts application with an unusual extension

      • cmd.exe (PID: 4756)

    • Reads security settings of Internet Explorer

      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 4336)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 5436)
      • powershell.exe (PID: 4464)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 5436)
      • powershell.exe (PID: 4464)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 5436)
      • powershell.exe (PID: 4464)

    • Executing commands from ".cmd" file

      • powershell.exe (PID: 4336)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 6004)
      • powershell.exe (PID: 6700)
      • cmd.exe (PID: 4424)

    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 4336)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6004)
      • cmd.exe (PID: 4424)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 6004)
      • cmd.exe (PID: 4424)

    • Windows service management via SC.EXE

      • sc.exe (PID: 4424)
      • sc.exe (PID: 1812)

    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 1072)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 1072)

    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Creates a directory (POWERSHELL)

      • powershell.exe (PID: 5744)

  • INFO

    • Creates files or folders in the user directory

      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)

    • Reads the computer name

      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)

    • Checks operating system version

      • cmd.exe (PID: 4756)
      • cmd.exe (PID: 6004)
      • cmd.exe (PID: 4424)

    • Checks supported languages

      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)
      • chcp.com (PID: 5212)
      • mode.com (PID: 5436)

    • Create files in a temporary directory

      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)
      • reg.exe (PID: 856)

    • Checks proxy server information

      • wscript.exe (PID: 1072)
      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 5744)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 632)
      • powershell.exe (PID: 6872)
      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 5436)
      • powershell.exe (PID: 4464)

    • Changes the display of characters in the console

      • cmd.exe (PID: 4756)

    • Process checks computer location settings

      • IDM_6.4x_Crack_v20.1.exe (PID: 3300)

    • Disables trace logs

      • powershell.exe (PID: 4336)

    • Creates a byte array (POWERSHELL)

      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 5436)
      • powershell.exe (PID: 4464)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 5436)
      • powershell.exe (PID: 4464)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 5436)
      • powershell.exe (PID: 4464)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 5436)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 61440
InitializedDataSize: 4096
UninitializedDataSize: 188416
EntryPoint: 0x3cf20
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
248
Monitored processes
121
Malicious processes
7
Suspicious processes
7

Behavior graph

Click at the process to see the details
start idm_6.4x_crack_v20.1.exe wscript.exe sppextcomobj.exe no specs slui.exe no specs reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs powershell.exe no specs find.exe no specs powershell.exe no specs find.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs powershell.exe no specs fltmc.exe no specs powershell.exe no specs find.exe no specs powershell.exe no specs cmd.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs powershell.exe no specs fltmc.exe no specs powershell.exe no specs find.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs mode.com no specs choice.exe no specs powershell.exe conhost.exe no specs idm_6.4x_crack_v20.1.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
632powershell.exe "$f=[io.file]::ReadAllText('C:\Users\admin\AppData\Local\Temp\BATCLEN.bat') -split ':PowerShellTest:\s*';iex ($f[1])" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
664"C:\WINDOWS\system32\cmd.exe" /c ""C:\WINDOWS\Temp\MAS_10581ed6-7d3b-44e8-8fc3-22b8b7e8af83.cmd" " C:\Windows\SysWOW64\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
684fltmc C:\Windows\System32\fltMC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Filter Manager Control Program
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fltmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
728REG ADD "HKLM\Software\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
732C:\WINDOWS\System32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_10581ed6-7d3b-44e8-8fc3-22b8b7e8af83.cmd" "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
856reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\WINDOWS\Temp\_Backup_HKCU_CLSID_20250429-075515721.reg"C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
920cmdC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
1056\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1072wscript.exe "C:\Users\admin\AppData\Local\Temp\\CRK_UPDT.vbs" "https://idm.0dy.ir/" "Version" "Download_URL" "20.1" "Crack" "C:\Program Files\Google\Chrome\Application\chrome.exe" silentC:\Windows\SysWOW64\wscript.exe
IDM_6.4x_Crack_v20.1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1072\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exereg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
59 149
Read events
59 090
Write events
44
Delete events
15

Modification events

(PID) Process:(3300) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(3300) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(3300) IDM_6.4x_Crack_v20.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(3300) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
0
(PID) Process:(3300) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableCMD
Value:
0
(PID) Process:(3300) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableTaskMgr
Value:
0
(PID) Process:(3300) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoRun
Value:
0
(PID) Process:(3300) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:DisallowRun
Value:
0
(PID) Process:(3300) IDM_6.4x_Crack_v20.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell
Operation:writeName:EnableScripts
Value:
1
(PID) Process:(3300) IDM_6.4x_Crack_v20.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics
Operation:writeName:ExecutionPolicy
Value:
Bypass
Executable files
0
Suspicious files
11
Text files
35
Unknown types
0

Dropped files

PID
Process
Filename
Type
3300IDM_6.4x_Crack_v20.1.exeC:\Users\admin\AppData\Local\Temp\CRK_UPDT.vbstext
MD5:B91C1157D6F1E605CC965D092551B307
SHA256:92FE72CCEB630C7EFF3B2D3BED9C6969F53E5B9DFF1F481888754E59B3C76AB7
1072wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
3300IDM_6.4x_Crack_v20.1.exeC:\Users\admin\AppData\Roaming\WinRAR\rarreg.keytext
MD5:CC72935D4E4BD54DB0ED6BF4701FDC9E
SHA256:2ABE74BB821BA46762AFDB23EAC95454EC7155D5379E3CD56385D900C34CB1BF
3300IDM_6.4x_Crack_v20.1.exeC:\Users\admin\AppData\Local\Temp\IDM_UPDT.vbstext
MD5:B91C1157D6F1E605CC965D092551B307
SHA256:92FE72CCEB630C7EFF3B2D3BED9C6969F53E5B9DFF1F481888754E59B3C76AB7
4880powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_n3ybip0f.hx4.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4880powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_14sbq33b.fws.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
632powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:4434896CEEE521CC551DF7725295C0CA
SHA256:904F0E10C2D80FF38B2936FBC558AC698AA0FB72E2FE3B93E66A76CF2B882EE1
2984powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4snvq0gd.tfl.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
856reg.exeC:\Users\admin\AppData\Local\Temp\REG18D4.tmptext
MD5:345823A0BDDB596A43415D67C9880B8A
SHA256:D9CB0467BD3FC677837C380F3A7D5C69291E001B210907FD302B3CE61FF98682
1072wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:F59D92D223CE737B95200A3D38C1EE3B
SHA256:A338479E0C1098B6FE3A807376157FD42FDE7427A8383C768846823AEC0CE892
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
28
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1072
wscript.exe
GET
200
142.250.184.195:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1072
wscript.exe
GET
200
142.250.184.195:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
5228
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5228
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1072
wscript.exe
188.114.96.3:443
idm.0dy.ir
CLOUDFLARENET
NL
unknown
1072
wscript.exe
142.250.184.195:80
c.pki.goog
GOOGLE
US
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.43
  • 2.16.164.72
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
idm.0dy.ir
  • 188.114.96.3
  • 188.114.97.3
unknown
c.pki.goog
  • 142.250.184.195
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.2
  • 20.190.159.75
  • 20.190.159.129
  • 40.126.31.129
  • 40.126.31.1
  • 20.190.159.73
  • 40.126.31.130
  • 40.126.31.0
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IDM_6.4x_Crack_v20.1.exe