File name:

IDM_6.4x_Crack_v20.1.exe

Full analysis: https://app.any.run/tasks/4c0c0b1d-ea15-4bcc-862e-96526f4400fa
Verdict: Malicious activity
Analysis date: May 29, 2025, 00:55:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

832EAC4526E3E0C9A96EA29D90A5B521

SHA1:

8B89CC3C79310BCAEB3428A86C64AB609F1333F5

SHA256:

C1BD821751C7F0ECD0741103EEF6888025F4509229E0C11F1CD436BF334AA240

SSDEEP:

1536:Se+j44X5OjRrmLlgOypw5JM8uaT3kDculsKdrX+UXaf+blAj:Se+04Xool46Lia/fKBXnq2blAj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GENERIC has been found (auto)

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 6372)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 6372)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 6372)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 6372)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4748)

    • Changes powershell execution policy (Bypass)

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)

  • SUSPICIOUS

    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 6372)

    • The process executes VB scripts

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6372)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 6372)

    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 6372)

    • Executing commands from a ".bat" file

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)
      • cmd.exe (PID: 3868)
      • cmd.exe (PID: 4452)

    • Uses REG/REGEDIT.EXE to modify registry

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)
      • cmd.exe (PID: 3868)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 5776)
      • cmd.exe (PID: 4452)

    • Starts CMD.EXE for commands execution

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)
      • cmd.exe (PID: 3868)
      • cmd.exe (PID: 6644)
      • powershell.exe (PID: 4748)
      • cmd.exe (PID: 6840)
      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 632)
      • cmd.exe (PID: 4404)
      • cmd.exe (PID: 1616)
      • cmd.exe (PID: 968)
      • cmd.exe (PID: 4452)

    • Application launched itself

      • cmd.exe (PID: 6644)
      • cmd.exe (PID: 3868)
      • cmd.exe (PID: 632)
      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 4404)
      • cmd.exe (PID: 1616)
      • cmd.exe (PID: 968)
      • cmd.exe (PID: 4452)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3868)
      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)
      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 3208)
      • cmd.exe (PID: 6324)
      • cmd.exe (PID: 4608)
      • cmd.exe (PID: 4452)
      • cmd.exe (PID: 6652)

    • Reads security settings of Internet Explorer

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3868)
      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)
      • cmd.exe (PID: 3208)
      • cmd.exe (PID: 6324)
      • cmd.exe (PID: 4452)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 4748)

    • Hides command output

      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 3208)
      • cmd.exe (PID: 6324)
      • cmd.exe (PID: 6652)
      • cmd.exe (PID: 5776)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 3868)
      • cmd.exe (PID: 3208)
      • cmd.exe (PID: 6324)
      • cmd.exe (PID: 4452)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4748)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 5984)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 4748)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 5984)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4748)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 5984)

    • Executing commands from ".cmd" file

      • powershell.exe (PID: 4748)
      • cmd.exe (PID: 6840)
      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 4404)

    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 4748)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 4404)

    • Windows service management via SC.EXE

      • sc.exe (PID: 5360)
      • sc.exe (PID: 1120)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 4404)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3208)
      • cmd.exe (PID: 6324)

    • Executes script without checking the security policy

      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 5984)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3868)
      • cmd.exe (PID: 4452)

  • INFO

    • Create files in a temporary directory

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)
      • reg.exe (PID: 3192)
      • reg.exe (PID: 2568)

    • Reads the computer name

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)

    • Creates files or folders in the user directory

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)

    • Checks supported languages

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)
      • mode.com (PID: 6540)
      • chcp.com (PID: 4776)
      • mode.com (PID: 5892)
      • mode.com (PID: 5212)

    • Checks proxy server information

      • wscript.exe (PID: 6372)
      • powershell.exe (PID: 4748)

    • Checks operating system version

      • cmd.exe (PID: 3868)
      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 4404)
      • cmd.exe (PID: 4452)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4776)
      • powershell.exe (PID: 4748)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 5212)
      • powershell.exe (PID: 5984)
      • powershell.exe (PID: 2416)

    • Process checks computer location settings

      • IDM_6.4x_Crack_v20.1.exe (PID: 6048)

    • Disables trace logs

      • powershell.exe (PID: 4748)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4748)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 5984)

    • Creates a byte array (POWERSHELL)

      • powershell.exe (PID: 4748)
      • powershell.exe (PID: 6208)
      • powershell.exe (PID: 5984)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 6540)
      • mode.com (PID: 5212)
      • mode.com (PID: 5892)

    • Changes the display of characters in the console

      • cmd.exe (PID: 3868)
      • cmd.exe (PID: 4452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 61440
InitializedDataSize: 4096
UninitializedDataSize: 188416
EntryPoint: 0x3cf20
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
303
Monitored processes
174
Malicious processes
9
Suspicious processes
5

Behavior graph

Click at the process to see the details
start idm_6.4x_crack_v20.1.exe wscript.exe sppextcomobj.exe no specs slui.exe reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs powershell.exe no specs find.exe no specs powershell.exe no specs find.exe no specs powershell.exe conhost.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs fltmc.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs cmd.exe no specs mode.com no specs reg.exe no specs find.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs fltmc.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs mode.com no specs cmd.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs mode.com no specs choice.exe no specs reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs powershell.exe no specs find.exe no specs powershell.exe no specs find.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs svchost.exe idm_6.4x_crack_v20.1.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
632C:\WINDOWS\System32\cmd.exe /c echo prompt $E | cmdC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
656reg.exe import C:\Users\admin\AppData\Local\Temp\IDMRegClean.regC:\Windows\SysWOW64\reg.exeIDM_6.4x_Crack_v20.1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
656"C:\WINDOWS\system32\cmd.exe" /c "echo CMD is working"C:\Windows\SysWOW64\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
684cmdC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
684REG ADD "HKLM\Software\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
732findstr /v "f7f81a39-5f63-5b42-9efd-1f13b5431005quot; "MAS_4837d8cf-f570-4440-a8d8-5e33c5413a9f.cmd" C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
732C:\WINDOWS\System32\cmd.exe /S /D /c" echo prompt $E "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
732\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exereg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
732find /i "ARM64" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
732find /i "FullLanguage" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
Total events
61 867
Read events
61 783
Write events
53
Delete events
31

Modification events

(PID) Process:(6372) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6372) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6372) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(6048) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(6048) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(6048) IDM_6.4x_Crack_v20.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(6048) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
0
(PID) Process:(6048) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableCMD
Value:
0
(PID) Process:(6048) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableTaskMgr
Value:
0
(PID) Process:(6048) IDM_6.4x_Crack_v20.1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoRun
Value:
0
Executable files
0
Suspicious files
8
Text files
37
Unknown types
0

Dropped files

PID
Process
Filename
Type
6048IDM_6.4x_Crack_v20.1.exeC:\Users\admin\AppData\Roaming\WinRAR\rarreg.keytext
MD5:CC72935D4E4BD54DB0ED6BF4701FDC9E
SHA256:2ABE74BB821BA46762AFDB23EAC95454EC7155D5379E3CD56385D900C34CB1BF
6372wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:88D2EF97589408FC922FB38C22B590DD
SHA256:79BC0AAA699E602D047989243CCF791DE119C606A429ACD6032EF4327057C515
4748powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:716753129D6DDAA48571C240A41C4E2F
SHA256:3A780FEFD0C341A6A351662F18DF8D58991016B39E727A9C814B15D26B02AB22
4776powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uoctudja.aop.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6048IDM_6.4x_Crack_v20.1.exeC:\Users\admin\AppData\Local\Temp\BATCLEN.battext
MD5:9FE22C4AD624881F8F0977CC7614346F
SHA256:12B47C1949CC555C2F68F9FD4677ED5266F25C4DA4630BEC36E303629B133225
4776powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:C9C1B1BCBC9BB1874DFDAB36BD336449
SHA256:43D67603C6FE37861A106F6B834D95832E629AE9500B4843C655AAF65722EF1A
4776powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_p1kxswwg.15c.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6048IDM_6.4x_Crack_v20.1.exeC:\Users\admin\AppData\Local\Temp\IDMRegClean.regtext
MD5:73C023B1480CC88BE4D7761EF11A7703
SHA256:9C7F6CE7CE6FA4093A20CFA3C1A6D2CDD7D5307AFF7405830C898A21F154ED68
4748powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PFSFL5OFMZN47D9IYS1B.tempbinary
MD5:716753129D6DDAA48571C240A41C4E2F
SHA256:3A780FEFD0C341A6A351662F18DF8D58991016B39E727A9C814B15D26B02AB22
1184powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_o1m0nr0a.xln.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
23
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6372
wscript.exe
GET
200
142.250.184.195:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6372
wscript.exe
GET
200
142.250.184.195:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
6044
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6044
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5796
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2416
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2112
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6372
wscript.exe
188.114.96.3:443
idm.0dy.ir
CLOUDFLARENET
NL
unknown
6372
wscript.exe
142.250.184.195:80
c.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
idm.0dy.ir
  • 188.114.96.3
  • 188.114.97.3
unknown
c.pki.goog
  • 142.250.184.195
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.128
  • 20.190.159.129
  • 40.126.31.129
  • 20.190.159.130
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.73
  • 40.126.31.130
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
get.activated.win
  • 104.21.24.156
  • 172.67.219.75
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IDM_6.4x_Crack_v20.1.exe