File name: Internet Download Manager 6.42 Build 10.exe

Full analysis: https://app.any.run/tasks/4b51fee5-11bb-4b3a-b4e0-4ece4adb746c
Verdict: Malicious activity
Analysis date: June 05, 2024, 12:40:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 826400CACBE4436152D70F3C89E525BB
SHA1: 7458FC6A999D3676095054947CD37852C1832064
SHA256: D4C4D48A220BF66E92299CD4A0890D6A492ED0CAFAE7CA112E4707EC6BFB9055
SSDEEP: 98304:nDQPuum20WlpvlxJXJjSymTlNgRjPSL4vRcd1I0sPDEQFzNejTGLBCkgvfoi7vsP:LTeqKNiuBZFWU0YM/x2ZnKyu+b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Reads security settings of Internet Explorer

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Application launched itself

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • cmd.exe (PID: 6624)
    • Executable content was dropped or overwritten

      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Process drops legitimate windows executable

      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6624)
      • Kur.exe (PID: 6584)
    • Executing commands from a ".bat" file

      • Kur.exe (PID: 6584)
    • Identifying current user with WHOAMI command

      • cmd.exe (PID: 6712)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6624)
  • INFO

    • Checks supported languages

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Reads the computer name

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Process checks computer location settings

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Reads mouse settings

      • Kur.exe (PID: 6584)
    • Checks Windows language

      • Kur.exe (PID: 6584)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 238592
UninitializedDataSize: -
EntryPoint: 0x1942f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.42.10.1
ProductVersionNumber: 6.42.10.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: SolidShare
FileDescription: SolidShare.Net Unattended Installer
LegalCopyright: © 2024 By KiNGHaZe
LegalTrademarks: -
InternalName: -
ProductName: Internet Download Manager
OriginalFileName: -
FileVersion: 6.42.10.1
ProductVersion: 6.42.10.1
Comments: SolidShare.Net Unattended Installer
PrivateBuild: -
SpecialBuild: -
All screenshots are available in the full report
Total processes: 127
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 1

Behavior graph

(interactive graph, available in the full report; processes shown: Internet Download Manager 6.42 Build 10.exe (2 instances), Kur.exe, cmd.exe (2 instances), conhost.exe, whoami.exe, reg.exe, taskkill.exe (5 instances))

Process information

Columns per process: PID, CMD, Path, Indicators, Parent process
PID: 6428
CMD: "C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe"
Path: C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe
Parent process: explorer.exe
User: admin
Company: SolidShare
Integrity Level: MEDIUM
Description: SolidShare.Net Unattended Installer
Version: 6.42.10.1
Modules
Images
c:\users\admin\desktop\internet download manager 6.42 build 10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 6500
CMD: "C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe" -sfxelevation
Path: C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe
Parent process: Internet Download Manager 6.42 Build 10.exe
User: admin
Company: SolidShare
Integrity Level: HIGH
Description: SolidShare.Net Unattended Installer
Version: 6.42.10.1
Modules
Images
c:\users\admin\desktop\internet download manager 6.42 build 10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 6584
CMD: "C:\Kinghaze\Kur.exe"
Path: C:\Kinghaze\Kur.exe
Parent process: Internet Download Manager 6.42 Build 10.exe
User: admin
Company: SolidShare TEAM
Integrity Level: HIGH
Description: SolidShare.Net Unattended Installer
Version: 6.42.10.1
Modules
Images
c:\kinghaze\kur.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 6624
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Kinghaze\Fixer.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Kur.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6660
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6712
CMD: C:\WINDOWS\system32\cmd.exe /c whoami /user /fo list
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6728
CMD: whoami /user /fo list
Path: C:\Windows\SysWOW64\whoami.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: whoami - displays logged on user information
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\whoami.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6756
CMD: reg query HKU\S-1-5-19
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6780
CMD: taskkill /IM "IDMan.exe" /F
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6904
CMD: taskkill /IM "IEMonitor.exe" /F
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 8,359
Read events: 8,335
Write events: 24
Delete events: 0

Modification events

(PID) Process: (6428) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6428) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6428) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6428) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6500) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6500) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6500) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6500) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6584) Kur.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6584) Kur.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 48
Suspicious files: 10
Text files: 145
Unknown types: 11

Dropped files

Columns per file: PID, Process, Filename, Type (followed by the file's MD5 and SHA256)
PID: 6500; Process: Internet Download Manager 6.42 Build 10.exe; Filename: C:\Kinghaze\Kur\IDM1.tmp; Type: executable
MD5: 1229943EC58E8BD8CF3B1673DCBD4760
SHA256: FF3CE8900CC246AB15BBF6E2B418C08DE39845735F47B724A59765FFEED66643

PID: 6500; Process: Internet Download Manager 6.42 Build 10.exe; Filename: C:\Kinghaze\Kur\IDM10.tmp; Type: html
MD5: 648E7B2602158D2FF9197D664F59B28B
SHA256: 47937F8F34BA56718D4BD3B97BFD9E42468D6B7615C745B7841272A2E3D39E57

PID: 6500; Process: Internet Download Manager 6.42 Build 10.exe; Filename: C:\Kinghaze\Kur\IDM101.tmp; Type: text
MD5: F50ACF2F4AF9EA575B643576F3A190EF
SHA256: EA297E912D0CF36F2D973B9259BF8FABF622195D5481A11E7BD30967F213D950

PID: 6500; Process: Internet Download Manager 6.42 Build 10.exe; Filename: C:\Kinghaze\Fixer.bat; Type: text
MD5: 78ABE55D9C080E77673D3606084638FE
SHA256: D97CE135813A9518DA60B431010D1CA9A2C6DA619E5C8B33AEAE841EDA75A1F2

PID: 6500; Process: Internet Download Manager 6.42 Build 10.exe; Filename: C:\Kinghaze\Kur\IDM0.tmp; Type: html
MD5: 72F74DFF454C0699064AFFB0C83F2C4D
SHA256: 5D33C887646E950545772F37BB8A3518B1929B435655303D9DD22D5F936A5CD1

PID: 6500; Process: Internet Download Manager 6.42 Build 10.exe; Filename: C:\Kinghaze\Kur\IDM100.tmp; Type: executable
MD5: 09959EE223C5D34C82F1EFB8BC8233CB
SHA256: 1FDB0D5B31E080084C82E0B773DAFC7860FA860938B8BAEF6A4D7F5BDE659F73

PID: 6500; Process: Internet Download Manager 6.42 Build 10.exe; Filename: C:\Kinghaze\Kur\IDM103.tmp; Type: text
MD5: 16E2DAB5D2473C59DEA2B2BD316517E8
SHA256: 07C8896550FBAA6E8FEC792E15D240DED0BCFFA258A928C1EFD8542FF0385511

PID: 6500; Process: Internet Download Manager 6.42 Build 10.exe; Filename: C:\Kinghaze\Kur\IDM104.tmp; Type: text
MD5: E1C1EF12FD935E72F2E676A593AD8E68
SHA256: DA36C077EC7C96128D0E5EE5941FAD1F779A58A33652D7190E814A75F8BC29CE

PID: 6500; Process: Internet Download Manager 6.42 Build 10.exe; Filename: C:\Kinghaze\Kur\IDM111.tmp; Type: executable
MD5: A91988279340B7C8AD008FD9BC95FF63
SHA256: C44FD11A6973F028CFF24B016E3CF0EA8AF76C4F9F73C7848CBB0DEED37218B9

PID: 6500; Process: Internet Download Manager 6.42 Build 10.exe; Filename: C:\Kinghaze\Kur\IDM112.tmp; Type: executable
MD5: 53856B10A9679BBDA9C662E43B89F720
SHA256: E1A4DEA06F184BE2357BE4C72AC5315776F0DCE251C0C7FA5F1FA927DA69B9BC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 20
DNS requests: 6
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5656
RUXIMICS.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
5656
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
5140
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
5140
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
POST
200
13.89.179.11:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
9 b

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5656
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
239.255.255.250:1900
unknown
5140
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5656
RUXIMICS.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5140
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
unknown
5656
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
unknown
4
System
192.168.100.255:138
unknown
4
System
192.168.100.255:137
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
unknown
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
unknown
www.microsoft.com
  • 23.35.229.160
unknown
self.events.data.microsoft.com
  • 20.189.173.17
unknown

Threats

No threats detected
No debug info