File name: Internet Download Manager 6.42 Build 10.exe

Full analysis: https://app.any.run/tasks/4b51fee5-11bb-4b3a-b4e0-4ece4adb746c
Verdict: Malicious activity
Analysis date: June 05, 2024, 12:40:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 826400CACBE4436152D70F3C89E525BB
SHA1: 7458FC6A999D3676095054947CD37852C1832064
SHA256: D4C4D48A220BF66E92299CD4A0890D6A492ED0CAFAE7CA112E4707EC6BFB9055
SSDEEP: 98304:nDQPuum20WlpvlxJXJjSymTlNgRjPSL4vRcd1I0sPDEQFzNejTGLBCkgvfoi7vsP:LTeqKNiuBZFWU0YM/x2ZnKyu+b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
  • SUSPICIOUS

    • Application launched itself

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • cmd.exe (PID: 6624)
    • Reads the date of Windows installation

      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
    • Process drops legitimate windows executable

      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Reads security settings of Internet Explorer

      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Kur.exe (PID: 6584)
    • Executing commands from a ".bat" file

      • Kur.exe (PID: 6584)
    • Starts CMD.EXE for commands execution

      • Kur.exe (PID: 6584)
      • cmd.exe (PID: 6624)
    • Executable content was dropped or overwritten

      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Identifying current user with WHOAMI command

      • cmd.exe (PID: 6712)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6624)
  • INFO

    • Checks supported languages

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Kur.exe (PID: 6584)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Reads mouse settings

      • Kur.exe (PID: 6584)
    • Reads the computer name

      • Kur.exe (PID: 6584)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
    • Checks Windows language

      • Kur.exe (PID: 6584)
    • Process checks computer location settings

      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 238592
UninitializedDataSize: -
EntryPoint: 0x1942f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.42.10.1
ProductVersionNumber: 6.42.10.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: SolidShare
FileDescription: SolidShare.Net Unattended Installer
LegalCopyright: © 2024 By KiNGHaZe
LegalTrademarks: -
InternalName: -
ProductName: Internet Download Manager
OriginalFileName: -
FileVersion: 6.42.10.1
ProductVersion: 6.42.10.1
Comments: SolidShare.Net Unattended Installer
PrivateBuild: -
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process chain: start > Internet Download Manager 6.42 Build 10.exe > Internet Download Manager 6.42 Build 10.exe > Kur.exe > cmd.exe > conhost.exe, cmd.exe, whoami.exe, reg.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
6428
CMD:
"C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe"
Path:
C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe
Parent process:
explorer.exe
User:
admin
Company:
SolidShare
Integrity Level:
MEDIUM
Description:
SolidShare.Net Unattended Installer
Version:
6.42.10.1
Modules
Images
c:\users\admin\desktop\internet download manager 6.42 build 10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
6500
CMD:
"C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe" -sfxelevation
Path:
C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe
Parent process:
Internet Download Manager 6.42 Build 10.exe
User:
admin
Company:
SolidShare
Integrity Level:
HIGH
Description:
SolidShare.Net Unattended Installer
Version:
6.42.10.1
Modules
Images
c:\users\admin\desktop\internet download manager 6.42 build 10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
6584
CMD:
"C:\Kinghaze\Kur.exe"
Path:
C:\Kinghaze\Kur.exe
Parent process:
Internet Download Manager 6.42 Build 10.exe
User:
admin
Company:
SolidShare TEAM
Integrity Level:
HIGH
Description:
SolidShare.Net Unattended Installer
Version:
6.42.10.1
Modules
Images
c:\kinghaze\kur.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID:
6624
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Kinghaze\Fixer.bat" "
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
Kur.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6660
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6712
CMD:
C:\WINDOWS\system32\cmd.exe /c whoami /user /fo list
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6728
CMD:
whoami /user /fo list
Path:
C:\Windows\SysWOW64\whoami.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
whoami - displays logged on user information
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\whoami.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
6756
CMD:
reg query HKU\S-1-5-19
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6780
CMD:
taskkill /IM "IDMan.exe" /F
Path:
C:\Windows\SysWOW64\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
6904
CMD:
taskkill /IM "IEMonitor.exe" /F
Path:
C:\Windows\SysWOW64\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 8 359
Read events: 8 335
Write events: 24
Delete events: 0

Modification events

(PID) Process:
(6428) Internet Download Manager 6.42 Build 10.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1
(PID) Process:
(6428) Internet Download Manager 6.42 Build 10.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1
(PID) Process:
(6428) Internet Download Manager 6.42 Build 10.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
1
(PID) Process:
(6428) Internet Download Manager 6.42 Build 10.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
0
(PID) Process:
(6500) Internet Download Manager 6.42 Build 10.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1
(PID) Process:
(6500) Internet Download Manager 6.42 Build 10.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1
(PID) Process:
(6500) Internet Download Manager 6.42 Build 10.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
1
(PID) Process:
(6500) Internet Download Manager 6.42 Build 10.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
0
(PID) Process:
(6584) Kur.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1
(PID) Process:
(6584) Kur.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1
Executable files: 48
Suspicious files: 10
Text files: 145
Unknown types: 11

Dropped files

PID
Process
Filename
Type
PID:
6500
Process:
Internet Download Manager 6.42 Build 10.exe
Filename:
C:\Kinghaze\Fixer.bat
Type:
text
MD5: 78ABE55D9C080E77673D3606084638FE
SHA256: D97CE135813A9518DA60B431010D1CA9A2C6DA619E5C8B33AEAE841EDA75A1F2
PID:
6500
Process:
Internet Download Manager 6.42 Build 10.exe
Filename:
C:\Kinghaze\Kur\IDM100.tmp
Type:
executable
MD5: 09959EE223C5D34C82F1EFB8BC8233CB
SHA256: 1FDB0D5B31E080084C82E0B773DAFC7860FA860938B8BAEF6A4D7F5BDE659F73
PID:
6500
Process:
Internet Download Manager 6.42 Build 10.exe
Filename:
C:\Kinghaze\Kur\IDM103.tmp
Type:
text
MD5: 16E2DAB5D2473C59DEA2B2BD316517E8
SHA256: 07C8896550FBAA6E8FEC792E15D240DED0BCFFA258A928C1EFD8542FF0385511
PID:
6500
Process:
Internet Download Manager 6.42 Build 10.exe
Filename:
C:\Kinghaze\Kur\IDM1.tmp
Type:
executable
MD5: 1229943EC58E8BD8CF3B1673DCBD4760
SHA256: FF3CE8900CC246AB15BBF6E2B418C08DE39845735F47B724A59765FFEED66643
PID:
6500
Process:
Internet Download Manager 6.42 Build 10.exe
Filename:
C:\Kinghaze\Kur\IDM109.tmp
Type:
text
MD5: 07A324E23BB33CE824A539CFA499BDA0
SHA256: 9619F587E3EF863B7FD69650DCBC1D655D6062C3F73EAF52ACA59754AD856B83
PID:
6500
Process:
Internet Download Manager 6.42 Build 10.exe
Filename:
C:\Kinghaze\Kur\IDM105.tmp
Type:
text
MD5: 748C5590939571E92A7C16AC702A74CA
SHA256: 9145CFE47D32CF3E45840CE0344DA1D29810EF9D756ECDDAEBB803C59869E945
PID:
6500
Process:
Internet Download Manager 6.42 Build 10.exe
Filename:
C:\Kinghaze\Kur\IDM114.tmp
Type:
compressed
MD5: 10D9220EA4E455276734E884E830A0D2
SHA256: E691EBADD8C6E7A07D9C8C931F4760F9AADD2B151019E4F17A76A1665057C9CB
PID:
6500
Process:
Internet Download Manager 6.42 Build 10.exe
Filename:
C:\Kinghaze\Kur\IDM106.tmp
Type:
executable
MD5: 97569D4E2F159B0CB1B203D510749104
SHA256: 58FD2D7B428640395D09778394231EE5AACC74726580C67A69020B698865B5C9
PID:
6500
Process:
Internet Download Manager 6.42 Build 10.exe
Filename:
C:\Kinghaze\Kur\IDM107.tmp
Type:
text
MD5: 21E7664F87E16AB82452D6F01713D54E
SHA256: 84C92BD8AE5A90294D836851385FBF054B7AF4D78744F4542147AC436A2A2644
PID:
6500
Process:
Internet Download Manager 6.42 Build 10.exe
Filename:
C:\Kinghaze\Kur\IDM108.tmp
Type:
text
MD5: 3DA98A953BCBCC9F1E9D143542437C20
SHA256: 14D51E3B9F5E68E97ED01A6BB1C598E3E09F9E330A90DBE363D6659AC725F679
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 20
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5656 | RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5656 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
- | - | POST | 200 | 13.89.179.11:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | 9 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5656 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 239.255.255.250:1900 | - | - | - | unknown
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5656 | RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5140 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5656 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 20.189.173.17
whitelisted

Threats

No threats detected
No debug info