File name: idm.6.42.27_with_activator_v3.3.rar
Full analysis: https://app.any.run/tasks/2ab2c86e-dbff-40cb-bdbc-d19325f8a67b
Verdict: Malicious activity
Threats: Stealer

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 05, 2025, 22:10:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-scr, arch-html, stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: FE3DEF1A73CE71128F4811375A1A6D85
SHA1: D5F874533ADA0A702BB351C9005EE9D21A61F8F6
SHA256: CEF2A6288FDECA597AC77119F7DE8E01C8987694B4671EB362A910A11D51E98E
SSDEEP: 98304:yGFiXWFrsaGqEHYuX7cBLzZmYbLUdzTY1s0U2cpVi+1A64iMM1T7HnNYnUWC5JuO:kM56B774PkUI5BQTB0/xa0T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • Uninstall.exe (PID: 4516)
      • IDMan.exe (PID: 7772)
      • IDMan.exe (PID: 6576)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 6948)
      • IDMan.exe (PID: 3792)
    • Starts NET.EXE for service management

      • net.exe (PID: 7412)
      • Uninstall.exe (PID: 4516)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 7476)
    • Executes an application with conhost.exe as parent process

      • powershell.exe (PID: 7388)
    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 7476)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 7476)
    • Actions look like stealing of personal data

      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 4360)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 5340)
      • IDMan.exe (PID: 3792)
      • IDM1.tmp (PID: 2728)
      • Uninstall.exe (PID: 4516)
      • IDMan.exe (PID: 7772)
      • WinRAR.exe (PID: 7068)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 1512)
    • Starts application with an unusual extension

      • idman642build27.exe (PID: 2144)
    • The process creates files with name similar to system file names

      • IDM1.tmp (PID: 2728)
      • 7za.exe (PID: 7644)
    • Creates a software uninstall entry

      • IDM1.tmp (PID: 2728)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 624)
      • regsvr32.exe (PID: 3840)
      • regsvr32.exe (PID: 5308)
      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • regsvr32.exe (PID: 4540)
      • regsvr32.exe (PID: 6360)
      • regsvr32.exe (PID: 6316)
      • regsvr32.exe (PID: 6292)
      • regsvr32.exe (PID: 7624)
      • IDMan.exe (PID: 6576)
      • regsvr32.exe (PID: 2280)
      • regsvr32.exe (PID: 444)
      • regsvr32.exe (PID: 7008)
      • regsvr32.exe (PID: 6424)
      • IDMIntegrator64.exe (PID: 6284)
    • Checks Windows Trust Settings

      • IDMan.exe (PID: 3792)
      • drvinst.exe (PID: 2380)
      • IDMan.exe (PID: 7772)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 4360)
      • IDMan.exe (PID: 1512)
    • Executable content was dropped or overwritten

      • IDMan.exe (PID: 3792)
      • drvinst.exe (PID: 2380)
      • rundll32.exe (PID: 6948)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • 7za.exe (PID: 2904)
      • 7za.exe (PID: 7644)
    • Uses RUNDLL32.EXE to load library

      • Uninstall.exe (PID: 4516)
    • Drops a system driver (possible attempt to evade defenses)

      • drvinst.exe (PID: 2380)
      • rundll32.exe (PID: 6948)
      • 7za.exe (PID: 7644)
    • Creates files in the driver directory

      • drvinst.exe (PID: 2380)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 6500)
      • Uninstall.exe (PID: 4516)
    • Application launched itself

      • WinRAR.exe (PID: 5340)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 6752)
      • cmd.exe (PID: 7344)
      • cmd.exe (PID: 7292)
    • Executing commands from a ".bat" file

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • cmd.exe (PID: 6864)
      • powershell.exe (PID: 7388)
    • Drops 7-zip archiver for unpacking

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
    • Starts CMD.EXE for commands execution

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • cmd.exe (PID: 6864)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 6752)
      • powershell.exe (PID: 7388)
      • cmd.exe (PID: 7344)
      • cmd.exe (PID: 7292)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7396)
      • cmd.exe (PID: 7476)
    • The executable file from the user directory is run by the CMD process

      • 7za.exe (PID: 2904)
      • 7za.exe (PID: 5732)
      • 7za.exe (PID: 7408)
      • 7za.exe (PID: 6796)
      • 7za.exe (PID: 7416)
      • 7za.exe (PID: 7644)
      • NSudo86x.exe (PID: 3656)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7476)
      • conhost.exe (PID: 6348)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 7344)
      • cmd.exe (PID: 7132)
      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 188)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7476)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 7344)
    • Windows service management via SC.EXE

      • sc.exe (PID: 7868)
      • sc.exe (PID: 6472)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 7344)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 7344)
    • A probably obfuscated PowerShell command line was found

      • cmd.exe (PID: 7344)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 6556)
    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 7476)
    • Hides command output

      • cmd.exe (PID: 7132)
      • cmd.exe (PID: 6484)
      • cmd.exe (PID: 3464)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 6556)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7344)
      • cmd.exe (PID: 6484)
      • cmd.exe (PID: 3464)
    • Process drops legitimate windows executable

      • 7za.exe (PID: 7644)
    • Gets information on the list of running processes

      • cmd.exe (PID: 7344)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7344)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7344)
  • INFO

    • Local mutex for internet shortcut management

      • WinRAR.exe (PID: 5340)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 5340)
      • IDMan.exe (PID: 3792)
      • rundll32.exe (PID: 6948)
      • drvinst.exe (PID: 2380)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5340)
      • WinRAR.exe (PID: 7068)
    • Checks supported languages

      • idman642build27.exe (PID: 2144)
      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • idmBroker.exe (PID: 1804)
      • Uninstall.exe (PID: 4516)
      • drvinst.exe (PID: 2380)
      • drvinst.exe (PID: 6500)
      • MediumILStart.exe (PID: 7736)
      • IDMan.exe (PID: 7772)
      • 7za.exe (PID: 2904)
      • 7za.exe (PID: 5732)
      • 7za.exe (PID: 7408)
      • 7za.exe (PID: 6796)
      • 7za.exe (PID: 7416)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • mode.com (PID: 8)
      • 7za.exe (PID: 7644)
      • mode.com (PID: 4764)
      • IDMan.exe (PID: 6576)
      • IDMIntegrator64.exe (PID: 6284)
      • IDMan.exe (PID: 424)
      • NSudo86x.exe (PID: 3656)
      • IDMan.exe (PID: 4360)
      • IDMan.exe (PID: 1512)
      • mode.com (PID: 7976)
      • identity_helper.exe (PID: 7472)
      • identity_helper.exe (PID: 3540)
    • Creates files in a temporary directory

      • idman642build27.exe (PID: 2144)
      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • rundll32.exe (PID: 6948)
      • IDMan.exe (PID: 7772)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • 7za.exe (PID: 2904)
      • 7za.exe (PID: 5732)
      • 7za.exe (PID: 7408)
      • reg.exe (PID: 7820)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 4360)
    • Reads the computer name

      • IDM1.tmp (PID: 2728)
      • idman642build27.exe (PID: 2144)
      • idmBroker.exe (PID: 1804)
      • IDMan.exe (PID: 3792)
      • Uninstall.exe (PID: 4516)
      • drvinst.exe (PID: 2380)
      • drvinst.exe (PID: 6500)
      • MediumILStart.exe (PID: 7736)
      • IDMan.exe (PID: 7772)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • 7za.exe (PID: 2904)
      • 7za.exe (PID: 6796)
      • 7za.exe (PID: 5732)
      • 7za.exe (PID: 7408)
      • 7za.exe (PID: 7416)
      • 7za.exe (PID: 7644)
      • IDMan.exe (PID: 6576)
      • IDMIntegrator64.exe (PID: 6284)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 1512)
      • IDMan.exe (PID: 4360)
      • NSudo86x.exe (PID: 3656)
      • identity_helper.exe (PID: 3540)
      • identity_helper.exe (PID: 7472)
    • Creates files in the program directory

      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
    • Disables trace logs

      • IDMan.exe (PID: 3792)
      • IDMan.exe (PID: 7772)
      • powershell.exe (PID: 7540)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 1512)
      • IDMan.exe (PID: 4360)
    • Reads the machine GUID from the registry

      • IDMan.exe (PID: 3792)
      • drvinst.exe (PID: 2380)
      • IDMan.exe (PID: 7772)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 1512)
      • IDMan.exe (PID: 4360)
      • IDMIntegrator64.exe (PID: 6284)
    • Reads the software policy settings

      • IDMan.exe (PID: 3792)
      • drvinst.exe (PID: 2380)
      • IDMan.exe (PID: 7772)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 1512)
      • IDMan.exe (PID: 4360)
    • Creates files or folders in the user directory

      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • 7za.exe (PID: 7644)
      • IDMan.exe (PID: 6576)
    • Process checks computer location settings

      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • Uninstall.exe (PID: 4516)
      • IDMan.exe (PID: 7772)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • IDMan.exe (PID: 6576)
    • Checks proxy server information

      • IDMan.exe (PID: 3792)
      • IDMan.exe (PID: 7772)
      • powershell.exe (PID: 7540)
      • IDMan.exe (PID: 6576)
    • Application launched itself

      • firefox.exe (PID: 6436)
      • firefox.exe (PID: 3488)
      • msedge.exe (PID: 2976)
      • msedge.exe (PID: 8188)
      • msedge.exe (PID: 6436)
    • Manual execution by a user

      • firefox.exe (PID: 6436)
      • msedge.exe (PID: 8188)
    • Reads the time zone

      • runonce.exe (PID: 2124)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 2124)
    • Checks operating system version

      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 7344)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 6380)
      • powershell.exe (PID: 7260)
      • powershell.exe (PID: 6840)
      • powershell.exe (PID: 5432)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6380)
      • powershell.exe (PID: 7260)
      • powershell.exe (PID: 6840)
      • powershell.exe (PID: 5432)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 7528)
      • powershell.exe (PID: 5920)
      • powershell.exe (PID: 8088)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6380)
      • powershell.exe (PID: 7260)
      • powershell.exe (PID: 6840)
      • powershell.exe (PID: 5432)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 7528)
      • powershell.exe (PID: 5920)
      • powershell.exe (PID: 8088)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 8)
      • mode.com (PID: 4764)
      • mode.com (PID: 7976)
    • The sample was compiled with Japanese language support

      • 7za.exe (PID: 7644)
    • Process checks whether UAC notifications are on

      • IDMan.exe (PID: 6576)
    • Reads Environment values

      • identity_helper.exe (PID: 3540)
      • identity_helper.exe (PID: 7472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) | 61.5%
.rar | RAR compressed archive (gen) | 38.4%

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 12145984
UncompressedSize: 12263256
OperatingSystem: Win32
ArchivedFileName: idman642build27.exe
No data.
All screenshots are available in the full report
Total processes: 388
Monitored processes: 253
Malicious processes: 16
Suspicious processes: 8

Behavior graph

The interactive process graph (WinRAR.exe, idman642build27.exe, IDM1.tmp, regsvr32.exe, idmBroker.exe, IDMan.exe, Uninstall.exe, rundll32.exe, drvinst.exe, the IDM 6.xx Activator or Resetter v3.3.exe chain of cmd.exe, powershell.exe, 7za.exe, reg.exe, sc.exe, schtasks.exe, NSudo86x.exe and IDMIntegrator64.exe, plus firefox.exe and msedge.exe) is only available in the full report.

Process information

PID: 8
CMD: mode 75, 28
Path: C:\Windows\System32\mode.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DOS Device MODE Utility
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcp_win.dll

PID: 188
CMD: C:\WINDOWS\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID: 396
CMD: reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll

PID: 420
CMD: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: IDM1.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 420
CMD: cmd
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll

PID: 424
CMD: "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/register/IDMlib/images/idman_logos.png" /p "C:\WINDOWS\Temp" /f temp.png
Path: C:\Program Files (x86)\Internet Download Manager\IDMan.exe
Parent process: cmd.exe
User: admin
Company: Tonec Inc.
Integrity Level: HIGH
Description: Internet Download Manager (IDM)
Exit code: 0
Version: 6, 42, 27, 2
Modules (images):
c:\program files (x86)\internet download manager\idman.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 444
CMD: /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 624
CMD: /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 640
CMD: find /i "FullLanguage"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

PID: 836
CMD: reg query "HKCU\Software\DownloadManager" "/v" "Email"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
Total events: 136 088
Read events: 134 867
Write events: 895
Delete events: 326

Modification events

Process: WinRAR.exe (PID 5340)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

Process: WinRAR.exe (PID 5340)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

Process: WinRAR.exe (PID 5340)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Process: WinRAR.exe (PID 5340)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\idm.6.42.27_with_activator_v3.3.rar

Process: WinRAR.exe (PID 5340)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: WinRAR.exe (PID 5340)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: WinRAR.exe (PID 5340)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: WinRAR.exe (PID 5340)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: WinRAR.exe (PID 5340)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

Process: IDM1.tmp (PID 2728)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager
Operation: write
Name: DisplayVersion
Value: 6.42.27
Executable files: 46
Suspicious files: 594
Text files: 189
Unknown types: 4

Dropped files

PID | Process | Filename | Type

5340 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb5340.24491\idman642build27.exe | executable
  MD5: 85CB23830796C3B754F4DBFE65BA6427
  SHA256: CE11F4450C5F4FDC090A3E655EE5996D2A2234AAA5FC68B618546DBCCAD00139

5340 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb5340.24491\ReadMe.txt | text
  MD5: 72E3D7EAB468C407176C02136501252E
  SHA256: 64C2EA910DAEEDCCAE5537B9991400403DDB8C595A4649A07FC12A984F400667

5340 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb5340.24491\www.crackingcity.com - Free full version software.url | binary
  MD5: 075E86F12563B1EA5A6E307F1A0FBF3B
  SHA256: 4DE29B8987250D20BDD095148E21E504493E0E2A160D4106AE97EED1E5F92175

2728 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk | binary
  MD5: 63A761E5DB7EBF55253D4B72B1B8F03C
  SHA256: D245D3971B6AF395899E16E876A41BF9C77D532DC24E9C0E7D619D5957B29EA7

2728 | IDM1.tmp | C:\Users\admin\AppData\Local\Temp\~DFFAC7ABEF3BCD649E.TMP | binary
  MD5: 82415768059755984A9BFCDE84955705
  SHA256: 801316B85A0731C6D2443D26E4199023FA08DD0A7AA39A7E11DDE3A406377DC9

2728 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk | binary
  MD5: CB341CC14DFEF00D4C0F7F337C3C2E2C
  SHA256: 4849E66AB191001C77A9D7133EF13E4CBD4B4304FA1CFD8076642C13AEBC0A62

5340 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb5340.24491\IDM 6.xx Activator or Resetter v3.3.rar | compressed
  MD5: 80B622CB8A4EB0B1EE0412BA7B383495
  SHA256: C17B7A2EAF68B8767F6A53E394E1BE6661342162831EF3067AE5316D00D78A1F

2728 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk | binary
  MD5: 6F6644C1E250FD65B7FE5BF31A4EBDFA
  SHA256: 164A87191D001F79845F3CF419FA0E983A0D3194A8EBD3EA25AFE8FBB9EA98E6

2728 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk | binary
  MD5: A0D27B69C7C5399BDF6E6037614886D6
  SHA256: F4785A89B2093E406B29C83349BDEB6DAA774DDDFB7FE652EED31F46E280E4D2

2728 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\TUTORIALS.lnk | binary
  MD5: EA5C78B3014C62AAFE55989F88598CB9
  SHA256: 28D45ABAB59A59A0DAED5CE6319F0DD0595B7AC996D551FEE77E94FC0D4A968C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 222
DNS requests: 282
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
5064 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
7040 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
7040 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
3488 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | - | - | whitelisted
3488 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | - | - | whitelisted
6592 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
3488 | firefox.exe | POST | 200 | 2.16.2.75:80 | http://r11.o.lencr.org/ | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6068 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6068 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 2.16.204.135:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 20.190.159.23:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.162, 23.48.23.173, 23.48.23.177, 23.48.23.167, 23.48.23.169, 23.48.23.145, 23.48.23.159, 23.48.23.141 | whitelisted
www.microsoft.com | 2.19.217.218, 95.101.149.131 | whitelisted
www.bing.com | 2.16.204.135, 2.16.204.149, 2.16.204.150, 2.16.204.161, 2.16.204.138, 2.16.204.160, 2.16.204.134, 2.16.204.153, 2.16.204.157, 2.21.65.132, 2.21.65.154 | whitelisted
login.live.com | 20.190.159.23, 40.126.31.0, 20.190.159.73, 40.126.31.130, 40.126.31.69, 20.190.159.71, 40.126.31.2, 20.190.159.64 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted

Threats

PID | Process | Class | Message
7932 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7932 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
7932 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7932 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
No debug info