File name: idm.6.42.27_with_activator_v3.3.rar

Full analysis: https://app.any.run/tasks/2ab2c86e-dbff-40cb-bdbc-d19325f8a67b
Verdict: Malicious activity
Threats:

Stealers are a family of malware built to gain unauthorized access to a user's information and transfer it to the attacker. The category covers programs that each target a particular kind of data, including files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 05, 2025, 22:10:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-scr
arch-html
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: FE3DEF1A73CE71128F4811375A1A6D85
SHA1: D5F874533ADA0A702BB351C9005EE9D21A61F8F6
SHA256: CEF2A6288FDECA597AC77119F7DE8E01C8987694B4671EB362A910A11D51E98E
SSDEEP: 98304:yGFiXWFrsaGqEHYuX7cBLzZmYbLUdzTY1s0U2cpVi+1A64iMM1T7HnNYnUWC5JuO:kM56B774PkUI5BQTB0/xa0T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • Uninstall.exe (PID: 4516)
      • IDMan.exe (PID: 7772)
      • IDMan.exe (PID: 6576)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 6948)
      • IDMan.exe (PID: 3792)
    • Starts NET.EXE for service management

      • Uninstall.exe (PID: 4516)
      • net.exe (PID: 7412)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 7476)
    • Execute application with conhost.exe as parent process

      • powershell.exe (PID: 7388)
    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 7476)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 7476)
    • Actions looks like stealing of personal data

      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 4360)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 5340)
      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • Uninstall.exe (PID: 4516)
      • IDMan.exe (PID: 7772)
      • WinRAR.exe (PID: 7068)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 1512)
      • IDMan.exe (PID: 424)
    • Starts application with an unusual extension

      • idman642build27.exe (PID: 2144)
    • Creates/Modifies COM task schedule object

      • IDM1.tmp (PID: 2728)
      • regsvr32.exe (PID: 624)
      • regsvr32.exe (PID: 5308)
      • regsvr32.exe (PID: 3840)
      • regsvr32.exe (PID: 4540)
      • regsvr32.exe (PID: 6360)
      • IDMan.exe (PID: 3792)
      • regsvr32.exe (PID: 6316)
      • regsvr32.exe (PID: 6292)
      • regsvr32.exe (PID: 7624)
      • IDMan.exe (PID: 6576)
      • IDMIntegrator64.exe (PID: 6284)
      • regsvr32.exe (PID: 2280)
      • regsvr32.exe (PID: 444)
      • regsvr32.exe (PID: 7008)
      • regsvr32.exe (PID: 6424)
    • The process creates files with name similar to system file names

      • IDM1.tmp (PID: 2728)
      • 7za.exe (PID: 7644)
    • Creates a software uninstall entry

      • IDM1.tmp (PID: 2728)
    • Checks Windows Trust Settings

      • IDMan.exe (PID: 3792)
      • drvinst.exe (PID: 2380)
      • IDMan.exe (PID: 7772)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 1512)
      • IDMan.exe (PID: 4360)
    • Executable content was dropped or overwritten

      • IDMan.exe (PID: 3792)
      • drvinst.exe (PID: 2380)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • rundll32.exe (PID: 6948)
      • 7za.exe (PID: 2904)
      • 7za.exe (PID: 7644)
    • Uses RUNDLL32.EXE to load library

      • Uninstall.exe (PID: 4516)
    • Drops a system driver (possible attempt to evade defenses)

      • rundll32.exe (PID: 6948)
      • drvinst.exe (PID: 2380)
      • 7za.exe (PID: 7644)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 6500)
      • Uninstall.exe (PID: 4516)
    • Application launched itself

      • WinRAR.exe (PID: 5340)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 6752)
      • cmd.exe (PID: 7344)
      • cmd.exe (PID: 7292)
    • Drops 7-zip archiver for unpacking

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7396)
      • cmd.exe (PID: 7476)
    • Starts CMD.EXE for commands execution

      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • cmd.exe (PID: 6864)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 6752)
      • powershell.exe (PID: 7388)
      • cmd.exe (PID: 7344)
      • cmd.exe (PID: 7292)
    • Creates files in the driver directory

      • drvinst.exe (PID: 2380)
    • The executable file from the user directory is run by the CMD process

      • 7za.exe (PID: 5732)
      • 7za.exe (PID: 6796)
      • 7za.exe (PID: 7416)
      • 7za.exe (PID: 7408)
      • 7za.exe (PID: 7644)
      • 7za.exe (PID: 2904)
      • NSudo86x.exe (PID: 3656)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 6864)
      • powershell.exe (PID: 7388)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7476)
    • Windows service management via SC.EXE

      • sc.exe (PID: 7868)
      • sc.exe (PID: 6472)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 7344)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 7344)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7476)
      • conhost.exe (PID: 6348)
      • cmd.exe (PID: 7344)
      • cmd.exe (PID: 7132)
      • cmd.exe (PID: 188)
      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 3820)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 7344)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 7344)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 6556)
    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 7476)
    • Hides command output

      • cmd.exe (PID: 7132)
      • cmd.exe (PID: 6484)
      • cmd.exe (PID: 3464)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 6556)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7344)
      • cmd.exe (PID: 6484)
      • cmd.exe (PID: 3464)
    • Process drops legitimate windows executable

      • 7za.exe (PID: 7644)
    • Get information on the list of running processes

      • cmd.exe (PID: 7344)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7344)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7344)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5340)
      • WinRAR.exe (PID: 7068)
    • Checks supported languages

      • idman642build27.exe (PID: 2144)
      • IDM1.tmp (PID: 2728)
      • idmBroker.exe (PID: 1804)
      • IDMan.exe (PID: 3792)
      • Uninstall.exe (PID: 4516)
      • drvinst.exe (PID: 2380)
      • drvinst.exe (PID: 6500)
      • MediumILStart.exe (PID: 7736)
      • IDMan.exe (PID: 7772)
      • 7za.exe (PID: 6796)
      • 7za.exe (PID: 7408)
      • 7za.exe (PID: 5732)
      • 7za.exe (PID: 7416)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • mode.com (PID: 8)
      • 7za.exe (PID: 7644)
      • mode.com (PID: 4764)
      • 7za.exe (PID: 2904)
      • IDMan.exe (PID: 6576)
      • IDMIntegrator64.exe (PID: 6284)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 1512)
      • NSudo86x.exe (PID: 3656)
      • IDMan.exe (PID: 4360)
      • identity_helper.exe (PID: 3540)
      • mode.com (PID: 7976)
      • identity_helper.exe (PID: 7472)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 5340)
      • IDMan.exe (PID: 3792)
      • rundll32.exe (PID: 6948)
      • drvinst.exe (PID: 2380)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
    • Local mutex for internet shortcut management

      • WinRAR.exe (PID: 5340)
    • Create files in a temporary directory

      • idman642build27.exe (PID: 2144)
      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • rundll32.exe (PID: 6948)
      • IDMan.exe (PID: 7772)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • 7za.exe (PID: 7408)
      • 7za.exe (PID: 5732)
      • 7za.exe (PID: 2904)
      • reg.exe (PID: 7820)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 4360)
    • Reads the computer name

      • idman642build27.exe (PID: 2144)
      • IDM1.tmp (PID: 2728)
      • idmBroker.exe (PID: 1804)
      • IDMan.exe (PID: 3792)
      • Uninstall.exe (PID: 4516)
      • drvinst.exe (PID: 6500)
      • drvinst.exe (PID: 2380)
      • MediumILStart.exe (PID: 7736)
      • IDMan.exe (PID: 7772)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • 7za.exe (PID: 7408)
      • 7za.exe (PID: 2904)
      • 7za.exe (PID: 7416)
      • 7za.exe (PID: 6796)
      • 7za.exe (PID: 5732)
      • 7za.exe (PID: 7644)
      • IDMan.exe (PID: 6576)
      • IDMIntegrator64.exe (PID: 6284)
      • IDMan.exe (PID: 1512)
      • IDMan.exe (PID: 424)
      • NSudo86x.exe (PID: 3656)
      • IDMan.exe (PID: 4360)
      • identity_helper.exe (PID: 3540)
      • identity_helper.exe (PID: 7472)
    • Creates files in the program directory

      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
    • Process checks computer location settings

      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • Uninstall.exe (PID: 4516)
      • IDMan.exe (PID: 7772)
      • IDM 6.xx Activator or Resetter v3.3.exe (PID: 3876)
      • IDMan.exe (PID: 6576)
    • Creates files or folders in the user directory

      • IDM1.tmp (PID: 2728)
      • IDMan.exe (PID: 3792)
      • 7za.exe (PID: 7644)
      • IDMan.exe (PID: 6576)
    • Reads the machine GUID from the registry

      • IDMan.exe (PID: 3792)
      • drvinst.exe (PID: 2380)
      • IDMan.exe (PID: 7772)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 1512)
      • IDMan.exe (PID: 4360)
      • IDMIntegrator64.exe (PID: 6284)
    • Disables trace logs

      • IDMan.exe (PID: 3792)
      • IDMan.exe (PID: 7772)
      • powershell.exe (PID: 7540)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 1512)
      • IDMan.exe (PID: 4360)
    • Reads the software policy settings

      • IDMan.exe (PID: 3792)
      • drvinst.exe (PID: 2380)
      • IDMan.exe (PID: 7772)
      • IDMan.exe (PID: 6576)
      • IDMan.exe (PID: 1512)
      • IDMan.exe (PID: 424)
      • IDMan.exe (PID: 4360)
    • Checks proxy server information

      • IDMan.exe (PID: 3792)
      • IDMan.exe (PID: 7772)
      • powershell.exe (PID: 7540)
      • IDMan.exe (PID: 6576)
    • Manual execution by a user

      • firefox.exe (PID: 6436)
      • msedge.exe (PID: 8188)
    • Application launched itself

      • firefox.exe (PID: 6436)
      • firefox.exe (PID: 3488)
      • msedge.exe (PID: 2976)
      • msedge.exe (PID: 8188)
      • msedge.exe (PID: 6436)
    • Reads the time zone

      • runonce.exe (PID: 2124)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 2124)
    • Checks operating system version

      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 7344)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6380)
      • powershell.exe (PID: 7260)
      • powershell.exe (PID: 6840)
      • powershell.exe (PID: 5432)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6380)
      • powershell.exe (PID: 7260)
      • powershell.exe (PID: 6840)
      • powershell.exe (PID: 5432)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 6380)
      • powershell.exe (PID: 7260)
      • powershell.exe (PID: 5432)
      • powershell.exe (PID: 6840)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 7528)
      • powershell.exe (PID: 5920)
      • powershell.exe (PID: 8088)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 5920)
      • powershell.exe (PID: 7528)
      • powershell.exe (PID: 8088)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 8)
      • mode.com (PID: 4764)
      • mode.com (PID: 7976)
    • The sample compiled with japanese language support

      • 7za.exe (PID: 7644)
    • Process checks whether UAC notifications are on

      • IDMan.exe (PID: 6576)
    • Reads Environment values

      • identity_helper.exe (PID: 3540)
      • identity_helper.exe (PID: 7472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
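Command-line detection rules for the activator behaviours flagged above, as an added example from the editor; this is not ANY.RUN's code and not the sample's own batch or PowerShell. The event feed is constructed: the command lines for PIDs 188, 396, 420 and 836 are copied from the Process information section of this report, every other command line, every parent PID, the image paths and the PIDs 9001-9004 are assumptions about what the named signatures typically look like on a Sysmon Event ID 1 (process creation) feed, and the ATT&CK technique ids are the editor's own mapping rather than the report's.

```python
"""Command-line detection rules for the activator behaviours listed above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path, as a Sysmon Event ID 1 record carries it
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # ATT&CK id: the editor's mapping, not the report's
    image: str       # image file name, compared case-insensitively
    cmdline: "re.Pattern[str]"


RULES: List[Rule] = [
    # "Adds path / process to the Windows Defender exclusion list"
    Rule("defender_exclusion", "T1562.001", "powershell.exe",
         re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    # "Uses Task Scheduler to run other applications"
    Rule("schtasks_create", "T1053.005", "schtasks.exe",
         re.compile(r"(^|\s)/create(\s|$)", re.I)),
    # "Windows service management via SC.EXE"
    Rule("sc_service_change", "T1543.003", "sc.exe",
         re.compile(r"(^|\s)(create|config|delete|stop|start)\s", re.I)),
    # "Registers / Runs the DLL via REGSVR32.EXE" (silent /s registration)
    Rule("regsvr32_silent", "T1218.010", "regsvr32.exe",
         re.compile(r"(^|\s)/s(\s|$).*\.dll", re.I)),
    # "Changes the autorun value in the registry", when it goes through reg.exe
    Rule("run_key_via_reg", "T1547.001", "reg.exe",
         re.compile(r"\badd\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
]


def image_name(path: str) -> str:
    """Last path component, lower-cased, so SysWOW64 and System32 copies match alike."""
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> List[Rule]:
    name = image_name(ev.image)
    return [r for r in RULES if r.image == name and r.cmdline.search(ev.cmdline)]


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from ev up to the root; stops at an unknown or repeated pid."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(image_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str, str]]:
    """(pid, rule, technique, 'child<-parent<-...') for every rule hit."""
    by_pid = {e.pid: e for e in events}
    return [(ev.pid, r.name, r.technique, "<-".join(ancestry(ev, by_pid)))
            for ev in events for r in match_rules(ev)]


# Constructed feed. "report" = command line copied from this page; "assumed" = editor's guess.
S32 = r"C:\Windows\System32"
PS = S32 + r"\WindowsPowerShell\v1.0\powershell.exe"
IDM = r"C:\Program Files (x86)\Internet Download Manager"
ACT = r"C:\Users\admin\Desktop\IDM 6.xx Activator or Resetter v3.3.exe"   # assumed path
EVENTS = [
    ProcEvent(7068, 1, r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR.exe"),   # assumed
    ProcEvent(5340, 1, r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR.exe"),   # assumed
    ProcEvent(2144, 5340, r"C:\Users\admin\AppData\Local\Temp\Rar$EXb5340.24491\idman642build27.exe",
              "idman642build27.exe"),                                          # path from Dropped files
    ProcEvent(2728, 2144, r"C:\Users\admin\AppData\Local\Temp\IDM1.tmp", "IDM1.tmp"),   # assumed path
    ProcEvent(420, 2728, S32.replace("System32", "SysWOW64") + r"\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" /s "' + IDM + r'\downlWithIDM64.dll"'),   # report
    ProcEvent(3876, 7068, ACT, '"' + ACT + '"'),                                # assumed
    ProcEvent(7476, 3876, S32 + r"\cmd.exe",
              r'cmd.exe /c "C:\Users\admin\AppData\Local\Temp\activate.bat"'),  # assumed
    ProcEvent(9001, 7476, PS, r'powershell -NoProfile -Command Add-MpPreference -ExclusionPath "' + IDM + '"'),  # assumed
    ProcEvent(9002, 7476, PS, r'powershell -NoProfile -Command Add-MpPreference -ExclusionProcess "IDMan.exe"'),  # assumed
    ProcEvent(9003, 7476, S32 + r"\schtasks.exe",
              r'schtasks /create /tn "IDMActivator" /tr "' + IDM + r'\IDMan.exe" /sc onlogon /rl highest /f'),  # assumed
    ProcEvent(9004, 7476, S32 + r"\reg.exe",
              r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v IDMan /t REG_SZ /d "' + IDM + r'\IDMan.exe" /f'),  # assumed
    ProcEvent(7868, 7344, S32 + r"\sc.exe", "sc config SvcName start= disabled"),   # assumed; SvcName is a placeholder
    ProcEvent(396, 7476, S32 + r"\reg.exe",
              r'reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f'),  # report
    ProcEvent(836, 7476, S32 + r"\reg.exe", r'reg query "HKCU\Software\DownloadManager" "/v" "Email"'),  # report
    ProcEvent(188, 7476, S32 + r"\cmd.exe",
              r'''C:\WINDOWS\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"'''),  # report
]

if __name__ == "__main__":
    for pid, rule, tech, chain in detect(EVENTS):
        print(f"{pid:>5}  {rule:<19} {tech:<10} {chain}")
```

Two caveats the report itself illustrates. First, the regsvr32 hit is IDM's own installer stage (IDM1.tmp, spawned from idman642build27.exe) registering IDM's own DLLs under Program Files, so a rule like this needs an allow-list keyed on the signed image path or it will flag every IDM install alongside the activator chain. Second, the report attributes "Changes the autorun value in the registry" to rundll32.exe and IDMan.exe, which write the key directly through the registry API rather than through reg.exe; command-line rules never see that write, and registry-write telemetry (Sysmon Event ID 13 or an equivalent EDR event) is needed to catch it.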
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 12145984
UncompressedSize: 12263256
OperatingSystem: Win32
ArchivedFileName: idman642build27.exe
No data.
All screenshots are available in the full report
Total processes: 388
Monitored processes: 253
Malicious processes: 16
Suspicious processes: 8

Behavior graph

start winrar.exe idman642build27.exe no specs idman642build27.exe idm1.tmp no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs idmbroker.exe no specs regsvr32.exe no specs idman.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe uninstall.exe no specs rundll32.exe firefox.exe no specs firefox.exe no specs drvinst.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs drvinst.exe no specs runonce.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs grpconv.exe no specs net.exe no specs firefox.exe no specs conhost.exe no specs net1.exe no specs regsvr32.exe no specs regsvr32.exe no specs mediumilstart.exe no specs idman.exe no specs regsvr32.exe no specs regsvr32.exe no specs winrar.exe idm 6.xx activator or resetter v3.3.exe no specs idm 6.xx activator or resetter v3.3.exe cmd.exe no specs conhost.exe no specs attrib.exe no specs 7za.exe no specs 7za.exe no specs 7za.exe 7za.exe no specs 7za.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs find.exe no specs reg.exe no specs find.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs find.exe no specs fltmc.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs find.exe no specs powershell.exe no specs fltmc.exe no specs powershell.exe no specs 
find.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs mode.com no specs choice.exe no specs powershell.exe 7za.exe schtasks.exe no specs mode.com no specs powershell.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs reg.exe no specs tasklist.exe no specs findstr.exe no specs taskkill.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs idman.exe timeout.exe no specs idmintegrator64.exe no specs timeout.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs idman.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs idman.exe no specs timeout.exe no specs timeout.exe no specs tasklist.exe no specs findstr.exe no specs taskkill.exe no specs powershell.exe no specs nsudo86x.exe no specs idman.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 
msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs mode.com no specs choice.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 8
CMD: mode 75, 28
Path: C:\Windows\System32\mode.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: DOS Device MODE Utility
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcp_win.dll
PID: 188
CMD: C:\WINDOWS\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 396
CMD: reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 420
CMD: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: IDM1.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 420
CMD: cmd
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
PID: 424
CMD: "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/register/IDMlib/images/idman_logos.png" /p "C:\WINDOWS\Temp" /f temp.png
Path: C:\Program Files (x86)\Internet Download Manager\IDMan.exe
Parent process: cmd.exe
User: admin
Company: Tonec Inc.
Integrity Level: HIGH
Description: Internet Download Manager (IDM)
Exit code: 0
Version: 6, 42, 27, 2
Loaded modules (images):
c:\program files (x86)\internet download manager\idman.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 444
CMD: /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 624
CMD: /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 640
CMD: find /i "FullLanguage"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 836
CMD: reg query "HKCU\Software\DownloadManager" "/v" "Email"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
Total events: 136 088
Read events: 134 867
Write events: 895
Delete events: 326

Modification events

PID 5340 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

PID 5340 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

PID 5340 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

PID 5340 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 0
Value: C:\Users\admin\AppData\Local\Temp\idm.6.42.27_with_activator_v3.3.rar

PID 5340 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: name
Value: 120

PID 5340 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: size
Value: 80

PID 5340 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: type
Value: 120

PID 5340 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: mtime
Value: 100

PID 5340 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write, Name: ShowPassword
Value: 0

PID 2728 (IDM1.tmp)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager
Operation: write, Name: DisplayVersion
Value: 6.42.27
Executable files: 46
Suspicious files: 594
Text files: 189
Unknown types: 4

Dropped files

PID | Process | Filename | Type

5340 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb5340.24491\idman642build27.exe | executable
MD5: 85CB23830796C3B754F4DBFE65BA6427
SHA256: CE11F4450C5F4FDC090A3E655EE5996D2A2234AAA5FC68B618546DBCCAD00139

2728 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk | binary
MD5: CB341CC14DFEF00D4C0F7F337C3C2E2C
SHA256: 4849E66AB191001C77A9D7133EF13E4CBD4B4304FA1CFD8076642C13AEBC0A62

2728 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\TUTORIALS.lnk | binary
MD5: EA5C78B3014C62AAFE55989F88598CB9
SHA256: 28D45ABAB59A59A0DAED5CE6319F0DD0595B7AC996D551FEE77E94FC0D4A968C

2728 | IDM1.tmp | C:\Users\admin\AppData\Local\Temp\IDM_Setup_Temp\IDMSetup2.log | binary
MD5: 5A032ACD38AB177AE8FBD17D52335C22
SHA256: 10F2E057D9A43BC3E7C1D26CA19BC84E43BEB32D79A02EE6744468A2A0FDD808

2728 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk | binary
MD5: 6F6644C1E250FD65B7FE5BF31A4EBDFA
SHA256: 164A87191D001F79845F3CF419FA0E983A0D3194A8EBD3EA25AFE8FBB9EA98E6

2728 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Internet Download Manager.lnk | binary
MD5: B3FC527AB347591A2D01DADDEE13BB6F
SHA256: 4388182AB34A5AD17C836E13E7C910717E84D64F381D1B556D56A5742966D13D

2728 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk | binary
MD5: A0D27B69C7C5399BDF6E6037614886D6
SHA256: F4785A89B2093E406B29C83349BDEB6DAA774DDDFB7FE652EED31F46E280E4D2

2728 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\IDM Help.lnk | binary
MD5: DC74CFCB55A9951E8BD55266EB4D05E3
SHA256: 6BF28A1580747A4E168693B2F684002959519B575A6924862EC3599FF32A17CD

2728 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk | binary
MD5: 63A761E5DB7EBF55253D4B72B1B8F03C
SHA256: D245D3971B6AF395899E16E876A41BF9C77D532DC24E9C0E7D619D5957B29EA7

2728 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\TUTORIALS.lnk | binary
MD5: 41D22D9192B81C6A0327F2A3B08749CB
SHA256: 83AA40F36E3775D2FDDA5AF82B9E14BFC63CAC27802C2F56E9BEFD5A37EAFC18
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 222
DNS requests: 282
Threats: 17

HTTP requests

Rows with no PID/Process in the export are shown as "-"; the Type and Size columns carry no values in this export, and CN is "unknown" for every row.

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
- | - | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
7040 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7040 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6592 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
3488 | firefox.exe | POST | 200 | 142.250.185.131:80 | http://o.pki.goog/s/wr3/jLM | unknown | whitelisted
3488 | firefox.exe | POST | 200 | 2.23.82.9:80 | http://r10.o.lencr.org/ | unknown | whitelisted
3488 | firefox.exe | POST | 200 | 2.16.2.75:80 | http://r11.o.lencr.org/ | unknown | whitelisted
3488 | firefox.exe | POST | - | 18.173.205.76:80 | http://ocsps.ssl.com/ | unknown | whitelisted

Connections

Rows with no PID/Process in the export are shown as "-".

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6068 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6068 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 2.16.204.135:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 20.190.159.23:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.162
  • 23.48.23.173
  • 23.48.23.177
  • 23.48.23.167
  • 23.48.23.169
  • 23.48.23.145
  • 23.48.23.159
  • 23.48.23.141
whitelisted
www.microsoft.com
  • 2.19.217.218
  • 95.101.149.131
whitelisted
www.bing.com
  • 2.16.204.135
  • 2.16.204.149
  • 2.16.204.150
  • 2.16.204.161
  • 2.16.204.138
  • 2.16.204.160
  • 2.16.204.134
  • 2.16.204.153
  • 2.16.204.157
  • 2.21.65.132
  • 2.21.65.154
whitelisted
login.live.com
  • 20.190.159.23
  • 40.126.31.0
  • 20.190.159.73
  • 40.126.31.130
  • 40.126.31.69
  • 20.190.159.71
  • 40.126.31.2
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID | Process | Class | Message
7932 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7932 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
7932 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7932 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
7932 | msedge.exe | Generic Protocol Command Decode | SURICATA QUIC failed decrypt
No debug info