Malware analysis IDM Online Installer 1.0.4.1.exe Malicious activity

Add for printing

File name:	IDM Online Installer 1.0.4.1.exe
Full analysis:	https://app.any.run/tasks/b4c35885-0f72-485e-9319-208d48e7d5fc
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	August 16, 2025, 10:30:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader autoit auto donutloader upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:	38D24846DF793E5A2F05573BF1A26989
SHA1:	2A260684F5702BE7B6063CF7E90FD7228BCCE6B2
SHA256:	D2D23868395B6AA85AAA72D41684C9DF3FE1E19BED0C065C94EAF73C84043712
SSDEEP:	49152:YfSRCMkn3Uhm2JJBWtz0pom2M3iIzV64iHHNfSRgIcRAGY9iOKq6qsShafQgCDEQ:YRznum2lWyOpMyIzV64iNbi5KDXYzHiu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- DONUTLOADER has been found (auto)
  - IDM Online Installer 1.0.4.1.exe (PID: 2280)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - IDM Online Installer 1.0.4.1.exe (PID: 1100)
  - IDM Online Installer 1.0.4.1.exe (PID: 2280)
  - Kur.exe (PID: 5708)
- Application launched itself
  - IDM Online Installer 1.0.4.1.exe (PID: 1100)
- Executable content was dropped or overwritten
  - IDM Online Installer 1.0.4.1.exe (PID: 2280)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 1352)
  - cmd.exe (PID: 6176)
- Starts CMD.EXE for commands execution
  - Kur.exe (PID: 5708)
- Process requests binary or script from the Internet
  - Kur.exe (PID: 5708)
- Potential Corporate Privacy Violation
  - Kur.exe (PID: 5708)
- There is functionality for taking screenshot (YARA)
  - IDM Online Installer 1.0.4.1.exe (PID: 1100)
  - IDM Online Installer 1.0.4.1.exe (PID: 2280)
  - Kur.exe (PID: 5708)
INFO
- Checks supported languages
  - IDM Online Installer 1.0.4.1.exe (PID: 1100)
  - IDM Online Installer 1.0.4.1.exe (PID: 2280)
  - Kur.exe (PID: 5708)
- The sample compiled with russian language support
  - IDM Online Installer 1.0.4.1.exe (PID: 1100)
  - IDM Online Installer 1.0.4.1.exe (PID: 2280)
- Process checks computer location settings
  - IDM Online Installer 1.0.4.1.exe (PID: 1100)
  - IDM Online Installer 1.0.4.1.exe (PID: 2280)
  - Kur.exe (PID: 5708)
- Reads the computer name
  - IDM Online Installer 1.0.4.1.exe (PID: 1100)
  - IDM Online Installer 1.0.4.1.exe (PID: 2280)
  - Kur.exe (PID: 5708)
- The sample compiled with english language support
  - IDM Online Installer 1.0.4.1.exe (PID: 2280)
- Reads mouse settings
  - Kur.exe (PID: 5708)
- Checks proxy server information
  - Kur.exe (PID: 5708)
- Reads the software policy settings
  - Kur.exe (PID: 5708)
- Reads the machine GUID from the registry
  - Kur.exe (PID: 5708)
- Creates files or folders in the user directory
  - Kur.exe (PID: 5708)
- UPX packer has been detected
  - IDM Online Installer 1.0.4.1.exe (PID: 1100)
  - IDM Online Installer 1.0.4.1.exe (PID: 2280)
  - Kur.exe (PID: 5708)
- The process uses AutoIt
  - Kur.exe (PID: 5708)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:12:31 00:38:51+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	65536
InitializedDataSize:	221184
UninitializedDataSize:	307200
EntryPoint:	0x5aa80
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.4.1
ProductVersionNumber:	1.0.4.1
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	Russian
CharacterSet:	Unicode
CompanyName:	SolidShare
FileDescription:	SolidShare.Net Unattended Installer
LegalCopyright:	© 2025 By KiNGHaZe
LegalTrademarks:	-
InternalName:	-
ProductName:	IDM Online Installer
OriginalFileName:	-
FileVersion:	1.0.4.1
ProductVersion:	1.0.4.1
Comments:	SolidShare.Net Unattended Installer
PrivateBuild:	-
SpecialBuild:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

143

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1100

"C:\Users\admin\AppData\Local\Temp\IDM Online Installer 1.0.4.1.exe"

C:\Users\admin\AppData\Local\Temp\IDM Online Installer 1.0.4.1.exe

—

explorer.exe

User:

admin

Company:

SolidShare

Integrity Level:

MEDIUM

Description:

SolidShare.Net Unattended Installer

Version:

1.0.4.1

Modules

Images
c:\users\admin\appdata\local\temp\idm online installer 1.0.4.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1352

"C:\WINDOWS\system32\cmd.exe" /c netsh advfirewall firewall add rule name="IDM Online Installer" dir=in action=allow profile=any program="C:\Kinghaze\Kur.exe"

C:\Windows\SysWOW64\cmd.exe

—

Kur.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1380

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1512

netsh advfirewall firewall add rule name="IDM Online Installer" dir=out action=allow profile=any program="C:\Kinghaze\Kur.exe"

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2280

"C:\Users\admin\AppData\Local\Temp\IDM Online Installer 1.0.4.1.exe" -sfxelevation

C:\Users\admin\AppData\Local\Temp\IDM Online Installer 1.0.4.1.exe

IDM Online Installer 1.0.4.1.exe

User:

admin

Company:

SolidShare

Integrity Level:

HIGH

Description:

SolidShare.Net Unattended Installer

Version:

1.0.4.1

Modules

Images
c:\users\admin\appdata\local\temp\idm online installer 1.0.4.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2532

netsh advfirewall firewall add rule name="IDM Online Installer" dir=in action=allow profile=any program="C:\Kinghaze\Kur.exe"

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3108

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4060

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5708

"C:\Kinghaze\Kur.exe"

C:\Kinghaze\Kur.exe

IDM Online Installer 1.0.4.1.exe

User:

admin

Company:

SolidShare TEAM

Integrity Level:

HIGH

Description:

SolidShare.Net Unattended Installer

Version:

1.0.4.1

Modules

Images
c:\kinghaze\kur.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6176

"C:\WINDOWS\system32\cmd.exe" /c netsh advfirewall firewall add rule name="IDM Online Installer" dir=out action=allow profile=any program="C:\Kinghaze\Kur.exe"

C:\Windows\SysWOW64\cmd.exe

—

Kur.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

5 164

Read events

5 161

Write events

Delete events

Modification events


(PID) Process:	(5708) Kur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5708) Kur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5708) Kur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2280	IDM Online Installer 1.0.4.1.exe	C:\Kinghaze\Toolbar\Office Flat\Office Flat-Small_Normal.bmp		image
		MD5:E13AACD75E11CFE29BCE2C8277BFBAF3	SHA256:B920AB301A85B4838F875B329E3EC9AD184280A4DBF8C6C99C0871CEDE510E3F
2280	IDM Online Installer 1.0.4.1.exe	C:\Kinghaze\Toolbar\Office Flat\Office Flat-Large_Disabled.bmp		image
		MD5:F0B07264F4ED2978A09469C827E8440D	SHA256:EB913B66DDCA320DA073AF39953DDC0CA0C654D51E19D0DE6BA9368B7F7399F7
2280	IDM Online Installer 1.0.4.1.exe	C:\Kinghaze\Toolbar\Office Flat Dark\Office Flat Dark-Large_Disabled.bmp		image
		MD5:E07F30D1D1A637B4AEFBDDDE698E17BD	SHA256:765C726C12FBC96A34C3481B6E1C263C430612A46388AEB4E799F285248185D5
2280	IDM Online Installer 1.0.4.1.exe	C:\Kinghaze\Toolbar\Office Flat\Office Flat-Large_Hot.bmp		image
		MD5:9D82FB1B63B67F5E17946BB70676E0DB	SHA256:E819AA0287C03F7D51D7C628F8B38862C977BDCBCB4372A49AE31AB1F2714F16
2280	IDM Online Installer 1.0.4.1.exe	C:\Kinghaze\Toolbar\Office Flat Dark\Office Flat Dark-Large_Hot.bmp		image
		MD5:E4F1130DE55969FC77EDF8CFB139CB80	SHA256:0F302F63B07BE00E265B8C14A32F0AF733A4F6FEF306092993A76B0F67430971
2280	IDM Online Installer 1.0.4.1.exe	C:\Kinghaze\Toolbar\Office Flat Dark\Office Flat Dark-Large_Normal.bmp		image
		MD5:CF2A626AA7BD739471ADE5024F4D27D1	SHA256:52869B5B3C2C4676C225816F81F5FD1361D8096CE52BF4983F4E4441BCB07D26
2280	IDM Online Installer 1.0.4.1.exe	C:\Kinghaze\Toolbar\Office Flat\Office Flat-Large_Normal.bmp		image
		MD5:E234AD34A6DF806A8557152F82306C36	SHA256:BD20095CBC206613F76AB0D157587E5618202ADEFCF0EF2D57E069F63144833D
2280	IDM Online Installer 1.0.4.1.exe	C:\Kinghaze\Toolbar\Windows 10.tbi		text
		MD5:9742A118455B987BAF3395679DB52865	SHA256:FA881619122256EBF02BEF14F164F92F96D7C23AAB48C20A0AFD5B45658CD8F6
2280	IDM Online Installer 1.0.4.1.exe	C:\Kinghaze\Toolbar\Office Flat Dark\Office Flat Dark-Small_Hot.bmp		image
		MD5:AD3DAD88FC5F48F27C3D5D6BCE014294	SHA256:43E324B44BD572FA31292AD4B603794F91FA48F19DD6EADC9EB7A8941AE5B973
2280	IDM Online Installer 1.0.4.1.exe	C:\Kinghaze\Toolbar\Office Flat Dark\Office Flat Dark-Small_Disabled.bmp		image
		MD5:93DD36C0D7B9E394AD2090029520118E	SHA256:BCEEFFB498DDFEA5861511B11DB3364C4C60EACA95803FB9990C70434C008F50

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5708	Kur.exe	GET	200	18.173.205.43:80	http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQg3SSkKA74hABkhmlBtJTz8w3hlAQU%2BWC71OPVNPa49QaAJadz20ZpqJ4CEAOj9NBgMFKjN844CogwMYw%3D	unknown	—	—	whitelisted
5708	Kur.exe	GET	200	18.173.205.43:80	http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSOZnI3uW4l91H%2Fnmb99iT4JNV7YwQUv8Fah%2F8o%2BkE9%2FbdP5B2voGFYKb0CEF67H4z5kSV9LdlHbOP2Rts%3D	unknown	—	—	whitelisted
5708	Kur.exe	GET	404	169.60.186.153:80	http://mirror1.internetdownloadmanager.com/commerce/2odlksMSLPFNW84503ksu99vnwud/idman642build42f.exe	unknown	—	—	—
5708	Kur.exe	GET	—	174.127.113.77:80	http://mirror2.internetdownloadmanager.com/commerce/2odlksMSLPFNW84503ksu99vnwud/idman642build42f.exe	unknown	—	—	—
5708	Kur.exe	GET	—	174.127.113.77:80	http://mirror2.internetdownloadmanager.com/commerce/2odlksMSLPFNW84503ksu99vnwud/idman642build42f.exe	unknown	—	—	—
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.26:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2580	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3108	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3108	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3160	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5708	Kur.exe	169.61.27.133:443	www.internetdownloadmanager.com	SOFTLAYER	US	whitelisted
5708	Kur.exe	18.173.205.43:80	ocsps.ssl.com	—	US	whitelisted
5708	Kur.exe	169.60.186.153:80	mirror1.internetdownloadmanager.com	SOFTLAYER	US	suspicious
5708	Kur.exe	174.127.113.77:80	mirror2.internetdownloadmanager.com	UK-2 Limited	US	suspicious
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.185.142	whitelisted
www.internetdownloadmanager.com	169.61.27.133	whitelisted
ocsps.ssl.com	18.173.205.43 18.173.205.76 18.173.205.57 18.173.205.113	whitelisted
mirror1.internetdownloadmanager.com	169.60.186.153	unknown
mirror2.internetdownloadmanager.com	174.127.113.77	unknown
crl.microsoft.com	23.216.77.26 23.216.77.33 23.216.77.28 23.216.77.35 23.216.77.32 23.216.77.42 23.216.77.25 23.216.77.39 23.216.77.27	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
login.live.com	20.190.160.17 20.190.160.131 20.190.160.65 20.190.160.67 40.126.32.76 20.190.160.132 40.126.32.136 40.126.32.140	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
—	—	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
—	—	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
—	—	Misc activity	ET INFO AutoIt User Agent Executable Request
—	—	Misc activity	ET INFO AutoIt User Agent Executable Request
—	—	Potential Corporate Privacy Violation	ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
—	—	Misc activity	ET INFO AutoIt User Agent Executable Request
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Misc activity	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

Add for printing

No debug info

General Info

IDM Online Installer 1.0.4.1.exe

38D24846DF793E5A2F05573BF1A26989

2A260684F5702BE7B6063CF7E90FD7228BCCE6B2

D2D23868395B6AA85AAA72D41684C9DF3FE1E19BED0C065C94EAF73C84043712

49152:YfSRCMkn3Uhm2JJBWtz0pom2M3iIzV64iHHNfSRgIcRAGY9iOKq6qsShafQgCDEQ:YRznum2lWyOpMyIzV64iNbi5KDXYzHiu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

DONUTLOADER has been found (auto)

SUSPICIOUS

Reads security settings of Internet Explorer

Application launched itself

Executable content was dropped or overwritten

Uses NETSH.EXE to add a firewall rule or allowed programs

Starts CMD.EXE for commands execution

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

The sample compiled with russian language support

Process checks computer location settings

Reads the computer name

The sample compiled with english language support

Reads mouse settings

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

UPX packer has been detected

The process uses AutoIt

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings