File name:

IDM_6.4x_Crack_v19.7.exe

Full analysis: https://app.any.run/tasks/4309c6c9-07dc-4c21-b207-50910cc97e54
Verdict: Malicious activity
Analysis date: May 23, 2024, 02:55:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

27016937B5781C4F84B6B3432170F4D0

SHA1:

BC812A8C4D44A3503FFD6A46E4FDAB925C622344

SHA256:

FC1A02B509B8F351AC45BD45EFD4E7296B365545A48FFD6A14E8E07BC7189155

SSDEEP:

1536:kaaR+ChjLjFnDrpfBzftBr20ezIL6bFwNA5fufSiaAx:khRdHjNDrpfdfjr20xUH9uKdAx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • IDM_6.4x_Crack_v19.7.exe (PID: 4088)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 588)

    • Unusual connection from system programs

      • wscript.exe (PID: 588)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 588)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 588)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 588)

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 588)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • IDM_6.4x_Crack_v19.7.exe (PID: 4088)
      • cmd.exe (PID: 1064)

    • Uses REG/REGEDIT.EXE to modify registry

      • IDM_6.4x_Crack_v19.7.exe (PID: 4088)
      • cmd.exe (PID: 2356)
      • cmd.exe (PID: 1064)

    • Executing commands from a ".bat" file

      • IDM_6.4x_Crack_v19.7.exe (PID: 4088)
      • cmd.exe (PID: 1064)

    • Application launched itself

      • cmd.exe (PID: 1064)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 1064)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 1064)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1064)
      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 1612)

    • The process executes VB scripts

      • IDM_6.4x_Crack_v19.7.exe (PID: 4088)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 588)

    • Hides command output

      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 2356)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 588)

  • INFO

    • Create files in a temporary directory

      • IDM_6.4x_Crack_v19.7.exe (PID: 4088)
      • reg.exe (PID: 956)

    • Checks supported languages

      • IDM_6.4x_Crack_v19.7.exe (PID: 4088)
      • wmpnscfg.exe (PID: 1072)

    • Reads the computer name

      • IDM_6.4x_Crack_v19.7.exe (PID: 4088)
      • wmpnscfg.exe (PID: 1072)

    • Checks operating system version

      • cmd.exe (PID: 1064)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 328)
      • powershell.exe (PID: 2636)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 57344
InitializedDataSize: 4096
UninitializedDataSize: 184320
EntryPoint: 0x3b700
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
82
Monitored processes
45
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start idm_6.4x_crack_v19.7.exe reg.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs powershell.exe no specs find.exe no specs reg.exe no specs find.exe no specs powershell.exe no specs find.exe no specs wscript.exe cmd.exe no specs powershell.exe no specs wmpnscfg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs idm_6.4x_crack_v19.7.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188reg query HKU\S-1-5-21-1302019708-1500728564-335382590-1000\Software C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
316reg query HKCU\Console /v QuickEdit C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
328powershell.exe "$f=[io.file]::ReadAllText('C:\Users\admin\AppData\Local\Temp\BATCLEN.bat') -split ':PowerShellTest:\s*';iex ($f[1])" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
336find /i "FullLanguage" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
524find /i "0x0" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
588wscript.exe "C:\Users\admin\AppData\Local\Temp\\UPDT.vbs" /browser:"C:\Program Files\Google\Chrome\Application\chrome.exe" /crkver:"19.7"C:\Windows\System32\wscript.exe
IDM_6.4x_Crack_v19.7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
664reg add HKU\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Classes\CLSID\IAS_TESTC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
820reg.exe import C:\Users\admin\AppData\Local\Temp\IDMRegClean.regC:\Windows\System32\reg.exeIDM_6.4x_Crack_v19.7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
956reg export HKCU\Software\Classes\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240523-035543400.reg"C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
992reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTUREC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
17 721
Read events
17 667
Write events
36
Delete events
18

Modification events

(PID) Process:(4088) IDM_6.4x_Crack_v19.7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(4088) IDM_6.4x_Crack_v19.7.exeKey:HKEY_CURRENT_USER\Software\WOW6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(4088) IDM_6.4x_Crack_v19.7.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(4088) IDM_6.4x_Crack_v19.7.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(4088) IDM_6.4x_Crack_v19.7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
0
(PID) Process:(4088) IDM_6.4x_Crack_v19.7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableCMD
Value:
0
(PID) Process:(4088) IDM_6.4x_Crack_v19.7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableTaskMgr
Value:
0
(PID) Process:(4088) IDM_6.4x_Crack_v19.7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoRun
Value:
0
(PID) Process:(4088) IDM_6.4x_Crack_v19.7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:DisallowRun
Value:
0
(PID) Process:(4088) IDM_6.4x_Crack_v19.7.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell
Operation:writeName:EnableScripts
Value:
1
Executable files
0
Suspicious files
11
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
328powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
4088IDM_6.4x_Crack_v19.7.exeC:\Users\admin\AppData\Local\Temp\IDMRegClean.regtext
MD5:73C023B1480CC88BE4D7761EF11A7703
SHA256:9C7F6CE7CE6FA4093A20CFA3C1A6D2CDD7D5307AFF7405830C898A21F154ED68
328powershell.exeC:\Users\admin\AppData\Local\Temp\fplpw3aw.ibj.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1368powershell.exeC:\Users\admin\AppData\Local\Temp\otfids2o.3vi.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
4088IDM_6.4x_Crack_v19.7.exeC:\Users\admin\AppData\Local\Temp\BATCLEN.battext
MD5:9FE22C4AD624881F8F0977CC7614346F
SHA256:12B47C1949CC555C2F68F9FD4677ED5266F25C4DA4630BEC36E303629B133225
956reg.exeC:\Users\admin\AppData\Local\Temp\REG985A.tmptext
MD5:F58D4E5F0B6A7E69AA96964ABCDEF744
SHA256:253D606D5060BB62CFA2411477004C8ED2ECA7925A2B0770691D485678AABF73
956reg.exeC:\Windows\Temp\_Backup_HKCU_CLSID_20240523-035543400.regtext
MD5:F58D4E5F0B6A7E69AA96964ABCDEF744
SHA256:253D606D5060BB62CFA2411477004C8ED2ECA7925A2B0770691D485678AABF73
1380powershell.exeC:\Users\admin\AppData\Local\Temp\vuhlqsy2.h0e.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1380powershell.exeC:\Users\admin\AppData\Local\Temp\wvpllckh.4yh.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
328powershell.exeC:\Users\admin\AppData\Local\Temp\dxoyy3kf.zni.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
588
wscript.exe
188.114.96.3:443
idm.0dy.ir
CLOUDFLARENET
NL
unknown
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
idm.0dy.ir
  • 188.114.96.3
  • 188.114.97.3
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IDM_6.4x_Crack_v19.7.exe