File name: Internet Download Manager 6.42 Build 10.exe
Full analysis: https://app.any.run/tasks/4b51fee5-11bb-4b3a-b4e0-4ece4adb746c
Verdict: Malicious activity
Analysis date: June 05, 2024, 12:40:43
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 826400CACBE4436152D70F3C89E525BB
SHA1: 7458FC6A999D3676095054947CD37852C1832064
SHA256: D4C4D48A220BF66E92299CD4A0890D6A492ED0CAFAE7CA112E4707EC6BFB9055
SSDEEP: 98304:nDQPuum20WlpvlxJXJjSymTlNgRjPSL4vRcd1I0sPDEQFzNejTGLBCkgvfoi7vsP:LTeqKNiuBZFWU0YM/x2ZnKyu+b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Kur.exe (PID: 6584)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Reads the date of Windows installation
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Kur.exe (PID: 6584)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Application launched itself
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • cmd.exe (PID: 6624)
    • Executable content was dropped or overwritten
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Process drops legitimate windows executable
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Executing commands from a ".bat" file
      • Kur.exe (PID: 6584)
    • Starts CMD.EXE for commands execution
      • Kur.exe (PID: 6584)
      • cmd.exe (PID: 6624)
    • Identifying current user with WHOAMI command
      • cmd.exe (PID: 6712)
    • Uses TASKKILL.EXE to kill process
      • cmd.exe (PID: 6624)
  • INFO
    • Checks supported languages
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Reads the computer name
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
      • Kur.exe (PID: 6584)
    • Process checks computer location settings
      • Internet Download Manager 6.42 Build 10.exe (PID: 6428)
      • Kur.exe (PID: 6584)
      • Internet Download Manager 6.42 Build 10.exe (PID: 6500)
    • Checks Windows language
      • Kur.exe (PID: 6584)
    • Reads mouse settings
      • Kur.exe (PID: 6584)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 238592
UninitializedDataSize: -
EntryPoint: 0x1942f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.42.10.1
ProductVersionNumber: 6.42.10.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: SolidShare
FileDescription: SolidShare.Net Unattended Installer
LegalCopyright: © 2024 By KiNGHaZe
LegalTrademarks: -
InternalName: -
ProductName: Internet Download Manager
OriginalFileName: -
FileVersion: 6.42.10.1
ProductVersion: 6.42.10.1
Comments: SolidShare.Net Unattended Installer
PrivateBuild: -
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 127
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the interactive graph (details in the full report): internet download manager 6.42 build 10.exe (x2), kur.exe, cmd.exe (x2), conhost.exe, whoami.exe, reg.exe, taskkill.exe (x5)

Process information

PID 6428
CMD: "C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe"
Path: C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe
Parent process: explorer.exe
User: admin
Company: SolidShare
Integrity Level: MEDIUM
Description: SolidShare.Net Unattended Installer
Version: 6.42.10.1
Modules (images):
  • c:\users\admin\desktop\internet download manager 6.42 build 10.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\shell32.dll

PID 6500
CMD: "C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe" -sfxelevation
Path: C:\Users\admin\Desktop\Internet Download Manager 6.42 Build 10.exe
Parent process: Internet Download Manager 6.42 Build 10.exe
User: admin
Company: SolidShare
Integrity Level: HIGH
Description: SolidShare.Net Unattended Installer
Version: 6.42.10.1
Modules (images):
  • c:\users\admin\desktop\internet download manager 6.42 build 10.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\shell32.dll

PID 6584
CMD: "C:\Kinghaze\Kur.exe"
Path: C:\Kinghaze\Kur.exe
Parent process: Internet Download Manager 6.42 Build 10.exe
User: admin
Company: SolidShare TEAM
Integrity Level: HIGH
Description: SolidShare.Net Unattended Installer
Version: 6.42.10.1
Modules (images):
  • c:\kinghaze\kur.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\psapi.dll

PID 6624
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Kinghaze\Fixer.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Kur.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID 6660
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID 6712
CMD: C:\WINDOWS\system32\cmd.exe /c whoami /user /fo list
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID 6728
CMD: whoami /user /fo list
Path: C:\Windows\SysWOW64\whoami.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: whoami - displays logged on user information
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\whoami.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID 6756
CMD: reg query HKU\S-1-5-19
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\reg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID 6780
CMD: taskkill /IM "IDMan.exe" /F
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\taskkill.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID 6904
CMD: taskkill /IM "IEMonitor.exe" /F
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\taskkill.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll
Total events: 8 359
Read events: 8 335
Write events: 24
Delete events: 0

Modification events

All entries below are writes under the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap.

PID | Process | Operation | Name | Value
6428 | Internet Download Manager 6.42 Build 10.exe | write | ProxyBypass | 1
6428 | Internet Download Manager 6.42 Build 10.exe | write | IntranetName | 1
6428 | Internet Download Manager 6.42 Build 10.exe | write | UNCAsIntranet | 1
6428 | Internet Download Manager 6.42 Build 10.exe | write | AutoDetect | 0
6500 | Internet Download Manager 6.42 Build 10.exe | write | ProxyBypass | 1
6500 | Internet Download Manager 6.42 Build 10.exe | write | IntranetName | 1
6500 | Internet Download Manager 6.42 Build 10.exe | write | UNCAsIntranet | 1
6500 | Internet Download Manager 6.42 Build 10.exe | write | AutoDetect | 0
6584 | Kur.exe | write | ProxyBypass | 1
6584 | Kur.exe | write | IntranetName | 1
Executable files: 48
Suspicious files: 10
Text files: 145
Unknown types: 11

Dropped files

All files below were dropped by PID 6500, Internet Download Manager 6.42 Build 10.exe.

Filename | Type | MD5 | SHA256
C:\Kinghaze\Kur\IDM100.tmp | executable | 09959EE223C5D34C82F1EFB8BC8233CB | 1FDB0D5B31E080084C82E0B773DAFC7860FA860938B8BAEF6A4D7F5BDE659F73
C:\Kinghaze\Kur\IDM10.tmp | html | 648E7B2602158D2FF9197D664F59B28B | 47937F8F34BA56718D4BD3B97BFD9E42468D6B7615C745B7841272A2E3D39E57
C:\Kinghaze\Kur\IDM0.tmp | html | 72F74DFF454C0699064AFFB0C83F2C4D | 5D33C887646E950545772F37BB8A3518B1929B435655303D9DD22D5F936A5CD1
C:\Kinghaze\Kur\IDM1.tmp | executable | 1229943EC58E8BD8CF3B1673DCBD4760 | FF3CE8900CC246AB15BBF6E2B418C08DE39845735F47B724A59765FFEED66643
C:\Kinghaze\Kur\IDM101.tmp | text | F50ACF2F4AF9EA575B643576F3A190EF | EA297E912D0CF36F2D973B9259BF8FABF622195D5481A11E7BD30967F213D950
C:\Kinghaze\Kur\IDM102.tmp | text | A5F24E957E1C79AE5F0EDD0BB932A3D0 | F02E6C6F71D07D992FF20F8E74A28AA5F89C8DEB6244B796DC897529BAE9EDF6
C:\Kinghaze\Kur\IDM104.tmp | text | E1C1EF12FD935E72F2E676A593AD8E68 | DA36C077EC7C96128D0E5EE5941FAD1F779A58A33652D7190E814A75F8BC29CE
C:\Kinghaze\Kur\IDM106.tmp | executable | 97569D4E2F159B0CB1B203D510749104 | 58FD2D7B428640395D09778394231EE5AACC74726580C67A69020B698865B5C9
C:\Kinghaze\Kur\IDM105.tmp | text | 748C5590939571E92A7C16AC702A74CA | 9145CFE47D32CF3E45840CE0344DA1D29810EF9D756ECDDAEBB803C59869E945
C:\Kinghaze\Fixer.bat | text | 78ABE55D9C080E77673D3606084638FE | D97CE135813A9518DA60B431010D1CA9A2C6DA619E5C8B33AEAE841EDA75A1F2
HTTP(S) requests: 5
TCP/UDP connections: 20
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Size | Reputation
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | unknown
5656 | RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | unknown
5656 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | unknown
- | - | POST | 200 | 13.89.179.11:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | 9 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5656 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 239.255.255.250:1900 | - | - | - | unknown
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5656 | RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5140 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5656 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 20.189.173.17
whitelisted

Threats

No threats detected
No debug info