File name:

Internet Download Manager 6.42 Build 10.exe

Full analysis: https://app.any.run/tasks/4b51fee5-11bb-4b3a-b4e0-4ece4adb746c
Verdict: Malicious activity
Analysis date: June 05, 2024, 12:40:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

826400CACBE4436152D70F3C89E525BB

SHA1:

7458FC6A999D3676095054947CD37852C1832064

SHA256:

D4C4D48A220BF66E92299CD4A0890D6A492ED0CAFAE7CA112E4707EC6BFB9055

SSDEEP:

98304:nDQPuum20WlpvlxJXJjSymTlNgRjPSL4vRcd1I0sPDEQFzNejTGLBCkgvfoi7vsP:LTeqKNiuBZFWU0YM/x2ZnKyu+b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Reads security settings of Internet Explorer

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Application launched itself

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • cmd.exe (PID: 6624)
    • Executable content was dropped or overwritten

      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Process drops legitimate windows executable

      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6624)
    • Executing commands from a ".bat" file

      • Kur.exe (PID: 6584)
    • Starts CMD.EXE for commands execution

      • Kur.exe (PID: 6584)
      • cmd.exe (PID: 6624)
    • Identifying current user with WHOAMI command

      • cmd.exe (PID: 6712)
  • INFO

    • Reads the computer name

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Process checks computer location settings

      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Checks supported languages

      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Kur.exe (PID: 6584)
    • Reads mouse settings

      • Kur.exe (PID: 6584)
    • Checks Windows language

      • Kur.exe (PID: 6584)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 238592
UninitializedDataSize: -
EntryPoint: 0x1942f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.42.10.1
ProductVersionNumber: 6.42.10.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: SolidShare
FileDescription: SolidShare.Net Unattended Installer
LegalCopyright: © 2024 By KiNGHaZe
LegalTrademarks: -
InternalName: -
ProductName: Internet Download Manager
OriginalFileName: -
FileVersion: 6.42.10.1
ProductVersion: 6.42.10.1
Comments: SolidShare.Net Unattended Installer
PrivateBuild: -
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process chain as shown in the graph:

start
Internet Download Manager 6.42 Build 10.exe
Internet Download Manager 6.42 Build 10.exe
Kur.exe
cmd.exe
conhost.exe
cmd.exe
whoami.exe
reg.exe
taskkill.exe
taskkill.exe
taskkill.exe
taskkill.exe
taskkill.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
6428
CMD:
"C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe"
Path:
C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe
Parent process:
explorer.exe
User:
admin
Company:
SolidShare
Integrity Level:
MEDIUM
Description:
SolidShare.Net Unattended Installer
Version:
6.42.10.1
Modules
Images
c:\users\admin\desktop\internet download manager 6.42 build 10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
6500
CMD:
"C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe" -sfxelevation
Path:
C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe
Parent process:
Internet Download Manager 6.42 Build 10.exe
User:
admin
Company:
SolidShare
Integrity Level:
HIGH
Description:
SolidShare.Net Unattended Installer
Version:
6.42.10.1
Modules
Images
c:\users\admin\desktop\internet download manager 6.42 build 10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID:
6584
CMD:
"C:\Kinghaze\Kur.exe"
Path:
C:\Kinghaze\Kur.exe
Parent process:
Internet Download Manager 6.42 Build 10.exe
User:
admin
Company:
SolidShare TEAM
Integrity Level:
HIGH
Description:
SolidShare.Net Unattended Installer
Version:
6.42.10.1
Modules
Images
c:\kinghaze\kur.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID:
6624
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Kinghaze\Fixer.bat" "
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
Kur.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6660
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6712
CMD:
C:\WINDOWS\system32\cmd.exe /c whoami /user /fo list
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6728
CMD:
whoami /user /fo list
Path:
C:\Windows\SysWOW64\whoami.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
whoami - displays logged on user information
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\whoami.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
6756
CMD:
reg query HKU\S-1-5-19
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6780
CMD:
taskkill /IM "IDMan.exe" /F
Path:
C:\Windows\SysWOW64\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
6904
CMD:
taskkill /IM "IEMonitor.exe" /F
Path:
C:\Windows\SysWOW64\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 8 359
Read events: 8 335
Write events: 24
Delete events: 0

Modification events

Process: (6428) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (6428) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (6428) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (6428) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (6500) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (6500) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (6500) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (6500) Internet Download Manager 6.42 Build 10.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (6584) Kur.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (6584) Kur.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 48
Suspicious files: 10
Text files: 145
Unknown types: 11

Dropped files

PID: 6500
Process: Internet Download Manager 6.42 Build 10.exe
Filename: C:\Kinghaze\Kur\IDM1.tmp
Type: executable
MD5: 1229943EC58E8BD8CF3B1673DCBD4760
SHA256: FF3CE8900CC246AB15BBF6E2B418C08DE39845735F47B724A59765FFEED66643

PID: 6500
Process: Internet Download Manager 6.42 Build 10.exe
Filename: C:\Kinghaze\Kur\IDM104.tmp
Type: text
MD5: E1C1EF12FD935E72F2E676A593AD8E68
SHA256: DA36C077EC7C96128D0E5EE5941FAD1F779A58A33652D7190E814A75F8BC29CE

PID: 6500
Process: Internet Download Manager 6.42 Build 10.exe
Filename: C:\Kinghaze\Kur\IDM102.tmp
Type: text
MD5: A5F24E957E1C79AE5F0EDD0BB932A3D0
SHA256: F02E6C6F71D07D992FF20F8E74A28AA5F89C8DEB6244B796DC897529BAE9EDF6

PID: 6500
Process: Internet Download Manager 6.42 Build 10.exe
Filename: C:\Kinghaze\Kur\IDM113.tmp
Type: executable
MD5: C0A6FB25175D79B6DA9B9B8C390166C2
SHA256: D464E8E7C84CB2FC62EACF932E841BBD73C3294A37812CCEE7FFBBB9E01572A6

PID: 6500
Process: Internet Download Manager 6.42 Build 10.exe
Filename: C:\Kinghaze\Kur\IDM112.tmp
Type: executable
MD5: 53856B10A9679BBDA9C662E43B89F720
SHA256: E1A4DEA06F184BE2357BE4C72AC5315776F0DCE251C0C7FA5F1FA927DA69B9BC

PID: 6500
Process: Internet Download Manager 6.42 Build 10.exe
Filename: C:\Kinghaze\Kur\IDM110.tmp
Type: executable
MD5: 3114BB1630E44CFBD48B09E0D6057C8F
SHA256: 1621FD14DD72DCCE8BBA2E7F46D656744D2975F8AD94B36D2ADE01415F48022A

PID: 6500
Process: Internet Download Manager 6.42 Build 10.exe
Filename: C:\Kinghaze\Kur\IDM11.tmp
Type: text
MD5: E7A9F01178B8F6CEB1D02333D6916B4F
SHA256: 92F60CDA7A7395D5D4CACE82C7270AFAC5D1B68A2B7714BB1510058FAC23879F

PID: 6500
Process: Internet Download Manager 6.42 Build 10.exe
Filename: C:\Kinghaze\Kur\IDM108.tmp
Type: text
MD5: 3DA98A953BCBCC9F1E9D143542437C20
SHA256: 14D51E3B9F5E68E97ED01A6BB1C598E3E09F9E330A90DBE363D6659AC725F679

PID: 6500
Process: Internet Download Manager 6.42 Build 10.exe
Filename: C:\Kinghaze\Kur\IDM114.tmp
Type: compressed
MD5: 10D9220EA4E455276734E884E830A0D2
SHA256: E691EBADD8C6E7A07D9C8C931F4760F9AADD2B151019E4F17A76A1665057C9CB

PID: 6500
Process: Internet Download Manager 6.42 Build 10.exe
Filename: C:\Kinghaze\Kur\IDM10.tmp
Type: html
MD5: 648E7B2602158D2FF9197D664F59B28B
SHA256: 47937F8F34BA56718D4BD3B97BFD9E42468D6B7615C745B7841272A2E3D39E57
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 20
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5656 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5656 | RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
POST | 200 | 13.89.179.11:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | 9 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5656 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
239.255.255.250:1900 | unknown
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5656 | RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5140 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5656 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 20.189.173.17
whitelisted

Threats

No threats detected
No debug info