File name:

IDM_6.4x_Crack_v20.0.exe

Full analysis: https://app.any.run/tasks/94ab0fe6-2aa3-48a5-a6f7-e71e583b3413
Verdict: Malicious activity
Analysis date: April 16, 2025, 07:32:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed, 2 sections
MD5:

7235C81D6A1990BF7301194A9F778F9A

SHA1:

300001BD1550BF827E21739470EA07984691497E

SHA256:

D05FFF510254E92AD35A002F6224ED53D2557DF2D9F158A0FCBD6574973B68DD

SSDEEP:

1536:pqou2aP+PP3cjIwYKixQchFR1tREvARbB:I12a+PP3ckwY9xQchFRnREvARF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 7232)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7232)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7232)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 7232)

  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7232)

    • The process executes VB scripts

      • IDM_6.4x_Crack_v20.0.exe (PID: 7204)

    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 7232)

    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 7232)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 7232)

    • Executing commands from a ".bat" file

      • IDM_6.4x_Crack_v20.0.exe (PID: 7204)
      • cmd.exe (PID: 8052)

    • Uses REG/REGEDIT.EXE to modify registry

      • IDM_6.4x_Crack_v20.0.exe (PID: 7204)
      • cmd.exe (PID: 8052)
      • cmd.exe (PID: 7632)

    • Starts CMD.EXE for commands execution

      • IDM_6.4x_Crack_v20.0.exe (PID: 7204)
      • cmd.exe (PID: 8172)
      • cmd.exe (PID: 8052)

    • Application launched itself

      • cmd.exe (PID: 8052)
      • cmd.exe (PID: 8172)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 8052)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4976)
      • cmd.exe (PID: 8052)
      • cmd.exe (PID: 7520)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 8052)

    • Hides command output

      • cmd.exe (PID: 4976)
      • cmd.exe (PID: 7632)

  • INFO

    • Reads the computer name

      • IDM_6.4x_Crack_v20.0.exe (PID: 7204)

    • Checks supported languages

      • IDM_6.4x_Crack_v20.0.exe (PID: 7204)

    • Checks proxy server information

      • wscript.exe (PID: 7232)

    • Create files in a temporary directory

      • IDM_6.4x_Crack_v20.0.exe (PID: 7204)

    • Checks operating system version

      • cmd.exe (PID: 8052)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (v2.x) (50.1)
.exe | Win32 EXE PECompact compressed (generic) (35.2)
.dll | Win32 Dynamic Link Library (generic) (5.5)
.exe | Win32 Executable (generic) (3.8)
.exe | Win16/32 Executable Delphi generic (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 51200
InitializedDataSize: 96256
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
168
Monitored processes
40
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start idm_6.4x_crack_v20.0.exe wscript.exe sppextcomobj.exe no specs slui.exe no specs reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs powershell.exe no specs find.exe no specs powershell.exe no specs find.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs idm_6.4x_crack_v20.0.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
900powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2096reg add HKCU\IAS_TESTC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2108powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2908find /i "C:\Users\admin\AppData\Local\Temp" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
3300find /i "FullLanguage" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
4120find /i "computersystem" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
4300"C:\Users\admin\AppData\Local\Temp\IDM_6.4x_Crack_v20.0.exe" C:\Users\admin\AppData\Local\Temp\IDM_6.4x_Crack_v20.0.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\idm_6.4x_crack_v20.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4696reg query HKU\S-1-5-21-1693682860-607145093-2874071422-1001\IAS_TEST C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4976C:\WINDOWS\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nulC:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6640powershell.exe "$f=[io.file]::ReadAllText('C:\Users\admin\AppData\Local\Temp\BATCLEN.bat') -split ':PowerShellTest:\s*';iex ($f[1])" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
17 877
Read events
17 840
Write events
22
Delete events
15

Modification events

(PID) Process:(7204) IDM_6.4x_Crack_v20.0.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(7204) IDM_6.4x_Crack_v20.0.exeKey:HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(7204) IDM_6.4x_Crack_v20.0.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(7204) IDM_6.4x_Crack_v20.0.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
0
(PID) Process:(7204) IDM_6.4x_Crack_v20.0.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableCMD
Value:
0
(PID) Process:(7204) IDM_6.4x_Crack_v20.0.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableTaskMgr
Value:
0
(PID) Process:(7204) IDM_6.4x_Crack_v20.0.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoRun
Value:
0
(PID) Process:(7204) IDM_6.4x_Crack_v20.0.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:DisallowRun
Value:
0
(PID) Process:(7204) IDM_6.4x_Crack_v20.0.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell
Operation:writeName:EnableScripts
Value:
1
(PID) Process:(7204) IDM_6.4x_Crack_v20.0.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics
Operation:writeName:ExecutionPolicy
Value:
Bypass
Executable files
0
Suspicious files
5
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
7232wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
7232wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:DD896E093CDB99F091D747D920470FB6
SHA256:3E2F9729731AA2F2AFE4FBF0A1CAEFA33A27A03BBC5442B103919808F19EA738
7204IDM_6.4x_Crack_v20.0.exeC:\Users\admin\AppData\Local\Temp\BATCLEN.battext
MD5:9FE22C4AD624881F8F0977CC7614346F
SHA256:12B47C1949CC555C2F68F9FD4677ED5266F25C4DA4630BEC36E303629B133225
7232wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:D5EAA074F3A14AAD9BF23DA2D9196D9C
SHA256:FA93CBDACA160720FD8E9C03FEA872E64D71405DCAC19090A2D8FEE5FDD7861B
7204IDM_6.4x_Crack_v20.0.exeC:\Users\admin\AppData\Local\Temp\IDM_UPDT.vbstext
MD5:B91C1157D6F1E605CC965D092551B307
SHA256:92FE72CCEB630C7EFF3B2D3BED9C6969F53E5B9DFF1F481888754E59B3C76AB7
7672powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4o4mdprv.m1e.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7204IDM_6.4x_Crack_v20.0.exeC:\Users\admin\AppData\Local\Temp\IDMRegClean.regtext
MD5:73C023B1480CC88BE4D7761EF11A7703
SHA256:9C7F6CE7CE6FA4093A20CFA3C1A6D2CDD7D5307AFF7405830C898A21F154ED68
7232wscript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\O4ZDJS1R.xmltext
MD5:1C09612A23F1ADCA82E116669C8BA78D
SHA256:87AE94373E2F7469E4E658E8C959851301D4CE6BDC65841788DC0078ECB17A2F
7232wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:4A90329071AE30B759D279CCA342B0A6
SHA256:4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60
6640powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sa1dr4r5.mkp.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
20
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7232
wscript.exe
GET
200
142.250.186.35:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7232
wscript.exe
GET
200
142.250.186.35:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7864
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7864
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
23.48.23.194:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7232
wscript.exe
188.114.96.3:443
idm.0dy.ir
CLOUDFLARENET
NL
unknown
7232
wscript.exe
142.250.186.35:80
c.pki.goog
GOOGLE
US
whitelisted
2112
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.32.76:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.194
  • 23.48.23.177
  • 23.48.23.147
  • 23.48.23.143
  • 23.48.23.176
whitelisted
google.com
  • 172.217.20.78
whitelisted
idm.0dy.ir
  • 188.114.96.3
  • 188.114.97.3
unknown
c.pki.goog
  • 142.250.186.35
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.32.76
  • 20.190.160.4
  • 40.126.32.74
  • 20.190.160.131
  • 40.126.32.134
  • 20.190.160.67
  • 40.126.32.140
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
IDM_6.4x_Crack_v20.0.exe