20fad721ad99f8a82c2eaf4743229f8c921d00b9ee0caa49c96edfd15156d749

Analysis

max time kernel
55s
max time network
62s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-10-2022 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/!绿化.bat
Size

12KB
MD5

9989aa53d90411bda70ff107e72d2b3e
SHA1

67ed47b4648f173b3285406d2ff5989090c8b05c
SHA256

8ec6d310fb11d5c016324ab90be3a01cad14802c6b4dcd17b7397b2eca8e4d85
SHA512

278969818c17513902ca3459eb6b8be79a7cf5feeb416ba653d2085590ecc4f42a9aacd3fddc89f00de3a8f7332a2adf8b3b803780dcfbf3fe71d9f0afbba68e
SSDEEP

96:6hCwB6OFpMhtC1MhtxP08htGyghtwOR0TDaD3Y/AAa/AAQ2Rx3cZAzQs:8fsvyMvW8v1gvPR0b/AAa/AAQk7zQs

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\idmwfp.sys	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET81ED.tmp	rundll32.exe
File created	C:\Windows\system32\DRIVERS\SET81ED.tmp	rundll32.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1488 takeown.exe
1076 icacls.exe

pid	process
1488	takeown.exe
1076	icacls.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1488 takeown.exe
1076 icacls.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\INF\setupapi.app.log rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1488	takeown.exe
1076	icacls.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2008 taskkill.exe
1932 taskkill.exe

pid	process
2008	taskkill.exe
1932	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

idmBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe"	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager"	idmBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	idmBroker.exe

Modifies registry class 60 IoCs

Processes:

idmBroker.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\Version = "1.0"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\Version = "1.0"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\ = "OptionsReader Class"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CurVer\ = "idmBroker.OptionsReader.1"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\ = "idmBroker 1.0 Type Library"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\ = "IDM Shell Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\ = "OptionsReader Class"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CurVer	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\ProgID	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\ProgID\ = "idmBroker.OptionsReader.1"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\TypeLib	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\Programmable	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CLSID\ = "{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\VersionIndependentProgID\ = "idmBroker.OptionsReader"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\idmBroker.EXE\AppID = "{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\CLSID	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ = "IOptionsReader"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\0	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\0\win32	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}\ = "idmBroker"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\idmBroker.exe\""	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\CLSID\ = "{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\ = "OptionsReader Class"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\VersionIndependentProgID	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\HELPDIR	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\idmBroker.EXE	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\LocalServer32	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ = "IOptionsReader"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\FLAGS	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\FLAGS\ = "0"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\idmBroker.exe"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CLSID	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}"	idmBroker.exe

Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeidmBroker.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

1704 regsvr32.exe
584 regsvr32.exe
1868 regsvr32.exe
1692 idmBroker.exe
1872 regsvr32.exe
1944 regsvr32.exe
964 regsvr32.exe
1112 regsvr32.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
1704	regsvr32.exe
584	regsvr32.exe
1868	regsvr32.exe
1692	idmBroker.exe
1872	regsvr32.exe
1944	regsvr32.exe
964	regsvr32.exe
1112	regsvr32.exe

pid	process
460

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeIncreaseQuotaPrivilege	112	WMIC.exe
Token: SeSecurityPrivilege	112	WMIC.exe
Token: SeTakeOwnershipPrivilege	112	WMIC.exe
Token: SeLoadDriverPrivilege	112	WMIC.exe
Token: SeSystemProfilePrivilege	112	WMIC.exe
Token: SeSystemtimePrivilege	112	WMIC.exe
Token: SeProfSingleProcessPrivilege	112	WMIC.exe
Token: SeIncBasePriorityPrivilege	112	WMIC.exe
Token: SeCreatePagefilePrivilege	112	WMIC.exe
Token: SeBackupPrivilege	112	WMIC.exe
Token: SeRestorePrivilege	112	WMIC.exe
Token: SeShutdownPrivilege	112	WMIC.exe
Token: SeDebugPrivilege	112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	112	WMIC.exe
Token: SeRemoteShutdownPrivilege	112	WMIC.exe
Token: SeUndockPrivilege	112	WMIC.exe
Token: SeManageVolumePrivilege	112	WMIC.exe
Token: 33	112	WMIC.exe
Token: 34	112	WMIC.exe
Token: 35	112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	112	WMIC.exe
Token: SeSecurityPrivilege	112	WMIC.exe
Token: SeTakeOwnershipPrivilege	112	WMIC.exe
Token: SeLoadDriverPrivilege	112	WMIC.exe
Token: SeSystemProfilePrivilege	112	WMIC.exe
Token: SeSystemtimePrivilege	112	WMIC.exe
Token: SeProfSingleProcessPrivilege	112	WMIC.exe
Token: SeIncBasePriorityPrivilege	112	WMIC.exe
Token: SeCreatePagefilePrivilege	112	WMIC.exe
Token: SeBackupPrivilege	112	WMIC.exe
Token: SeRestorePrivilege	112	WMIC.exe
Token: SeShutdownPrivilege	112	WMIC.exe
Token: SeDebugPrivilege	112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	112	WMIC.exe
Token: SeRemoteShutdownPrivilege	112	WMIC.exe
Token: SeUndockPrivilege	112	WMIC.exe
Token: SeManageVolumePrivilege	112	WMIC.exe
Token: 33	112	WMIC.exe
Token: 34	112	WMIC.exe
Token: 35	112	WMIC.exe
Token: SeRestorePrivilege	664	rundll32.exe
Token: SeRestorePrivilege	664	rundll32.exe
Token: SeRestorePrivilege	664	rundll32.exe
Token: SeRestorePrivilege	664	rundll32.exe
Token: SeRestorePrivilege	664	rundll32.exe
Token: SeRestorePrivilege	664	rundll32.exe
Token: SeRestorePrivilege	664	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1572 wrote to memory of 316	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 316	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 316	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2008	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 2008	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 2008	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 1932	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 1932	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 1932	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 584	1572	cmd.exe	cmd.exe
PID 1572 wrote to memory of 584	1572	cmd.exe	cmd.exe
PID 1572 wrote to memory of 584	1572	cmd.exe	cmd.exe
PID 584 wrote to memory of 112	584	cmd.exe	WMIC.exe
PID 584 wrote to memory of 112	584	cmd.exe	WMIC.exe
PID 584 wrote to memory of 112	584	cmd.exe	WMIC.exe
PID 1572 wrote to memory of 1868	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1868	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1868	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1692	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1692	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1692	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1636	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1636	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1636	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1688	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1688	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1688	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1816	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1816	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1816	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2044	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2044	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 2044	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1048	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1048	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1048	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1220	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1220	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1220	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1360	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1360	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1360	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1320	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1320	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1320	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1528	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1528	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1528	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1208	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1208	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1208	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1760	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1760	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1760	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1604	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1604	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1604	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1724	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1724	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1724	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1212	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1212	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1212	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1928	1572	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\!绿化.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19\Environment"
2⤵
PID:316

C:\Windows\system32\taskkill.exe
taskkill /f /im IDM*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\taskkill.exe
taskkill /f /im IEMon*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic userAccount where "Name='Admin'" get SID /value
2⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:1868

C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:1692

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
2⤵
PID:1636

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
2⤵
PID:1688

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
2⤵
PID:1816

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
2⤵
PID:2044

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
2⤵
PID:1048

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
2⤵
PID:1220

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
2⤵
PID:1360

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
2⤵
PID:1320

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
2⤵
PID:1528

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
2⤵
PID:1208

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
2⤵
PID:1760

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
2⤵
PID:1604

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
2⤵
PID:1724

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
2⤵
PID:1212

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
2⤵
PID:1928

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
2⤵
PID:1044

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:1784

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:1944

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:972

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:1064

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:864

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:2028

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:1324

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:1160

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:1156

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:512

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:564

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:1504

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
2⤵
PID:1616

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
2⤵
PID:888

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
2⤵
PID:916

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
2⤵
PID:1536

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
2⤵
PID:1448

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
2⤵
PID:316

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
2⤵
PID:944

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
2⤵
PID:1280

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
2⤵
PID:984

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
2⤵
PID:896

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
2⤵
PID:976

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
2⤵
PID:1756

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f
2⤵
PID:1376

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f
2⤵
PID:1380

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f
2⤵
PID:1632

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f
2⤵
PID:1712

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
2⤵
PID:1696

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
2⤵
PID:884

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
2⤵
PID:1412

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
2⤵
PID:1816

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
2⤵
PID:2044

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:1048

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
2⤵
PID:1108

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
2⤵
PID:1360

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:1320

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
2⤵
PID:1532

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f
2⤵
PID:1820

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
2⤵
PID:1760

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
2⤵
PID:1604

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:1724

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
2⤵
PID:1192

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:1196

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
2⤵
PID:1928

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
2⤵
PID:468

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:1872

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
2⤵
PID:1732

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
2⤵
PID:920

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
2⤵
PID:964

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
2⤵
PID:972

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
2⤵
PID:1112

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
2⤵
PID:696

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:864

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
2⤵
PID:828

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:1564

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
2⤵
PID:1076

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
2⤵
PID:1700

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f
2⤵
PID:788

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
2⤵
PID:1664

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
2⤵
PID:676

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
2⤵
PID:288

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
2⤵
PID:1020

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
2⤵
PID:1152

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
2⤵
PID:1100

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
2⤵
PID:436

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
2⤵
PID:2032

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
2⤵
PID:1504

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
2⤵
PID:1464

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
2⤵
PID:816

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "LName" /f
2⤵
PID:888

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "FName" /f
2⤵
PID:1072

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "Email" /f
2⤵
PID:1340

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "Serial" /f
2⤵
PID:1536

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "scansk" /f
2⤵
PID:1996

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "MData" /f
2⤵
PID:1484

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "tvfrdt" /f
2⤵
PID:1992

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "CheckUpdtVM" /f
2⤵
PID:944

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Internet Download Manager" /f
2⤵
PID:1280

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /f
2⤵
PID:780

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDMan" /f
2⤵
PID:1720

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDMan" /f
2⤵
PID:940

C:\Windows\system32\reg.exe
reg add "HKCU\Software\DownloadManager" /f /v "LanguageID" /t REG_DWORD /d "2052"
2⤵
PID:2008

C:\Windows\system32\reg.exe
reg add "HKCU\Software\DownloadManager" /f /v "LaunchOnStart" /t REG_DWORD /d "0"
2⤵
PID:1084

C:\Windows\system32\reg.exe
reg add "HKCU\Software\DownloadManager" /f /v "ToolbarStyle" /d "Faenza"
2⤵
PID:976

C:\Windows\system32\reg.exe
reg add "HKLM\Software\WOW6432Node\Internet Download Manager" /f /v "LName" /d "All Users"
2⤵
PID:1756

C:\Windows\system32\reg.exe
reg add "HKLM\Software\WOW6432Node\Internet Download Manager" /f /v "Serial" /d "88888-88888-88888-88888"
2⤵
PID:2016

C:\Windows\system32\regsvr32.exe
regsvr32 /s IDMIECC64.dll
2⤵
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1704

C:\Windows\system32\regsvr32.exe
regsvr32 /s IDMGetAll64.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:584

C:\Windows\system32\regsvr32.exe
regsvr32 /s downlWithIDM64.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1868

C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\idmBroker.exe
idmBroker.exe -RegServer
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1692

C:\Windows\system32\net.exe
net stop IDMWFP
2⤵
PID:1740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IDMWFP
3⤵
PID:1412

C:\Windows\system32\rundll32.exe
Rundll32 setupapi.dll,InstallHinfSection DefaultInstall 128 .\idmwfp.inf
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
3⤵
- Checks processor information in registry
PID:1124

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
4⤵
PID:1096

C:\Windows\system32\net.exe
net start IDMWFP
2⤵
PID:1960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start IDMWFP
3⤵
PID:1760

C:\Windows\system32\regsvr32.exe
regsvr32 /s IDMShellExt64.dll
2⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1872

C:\Windows\system32\regsvr32.exe
regsvr32 /s IDMIECC64.dll
2⤵
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1944

C:\Windows\system32\regsvr32.exe
regsvr32 /s IDMGetAll64.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:964

C:\Windows\system32\regsvr32.exe
regsvr32 /s downlWithIDM64.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1112

C:\Windows\system32\takeown.exe
takeown /f "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\\" /a /r /d y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
2⤵
PID:2028

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\\" /c /grant Everyone:(OI)(CI)(F)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1076

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /f /v "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\IDM.exe" /d "~ RUNASADMIN"
2⤵
PID:1324

C:\Windows\system32\mshta.exe
mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\IDM.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\IDMan.exe"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\"":b.Save:close")
2⤵
PID:1200

C:\Windows\System32\Wbem\WMIC.exe
wmic userAccount where "Name='Admin'" get SID /value
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:112

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-58-0x0000000000000000-mapping.dmp

Download
memory/316-54-0x0000000000000000-mapping.dmp

Download
memory/316-94-0x0000000000000000-mapping.dmp

Download
memory/512-86-0x0000000000000000-mapping.dmp

Download
memory/564-87-0x0000000000000000-mapping.dmp

Download
memory/584-57-0x0000000000000000-mapping.dmp

Download
memory/864-81-0x0000000000000000-mapping.dmp

Download
memory/884-106-0x0000000000000000-mapping.dmp

Download
memory/888-90-0x0000000000000000-mapping.dmp

Download
memory/896-98-0x0000000000000000-mapping.dmp

Download
memory/916-91-0x0000000000000000-mapping.dmp

Download
memory/944-95-0x0000000000000000-mapping.dmp

Download
memory/972-79-0x0000000000000000-mapping.dmp

Download
memory/976-99-0x0000000000000000-mapping.dmp

Download
memory/984-97-0x0000000000000000-mapping.dmp

Download
memory/1044-76-0x0000000000000000-mapping.dmp

Download
memory/1048-110-0x0000000000000000-mapping.dmp

Download
memory/1048-65-0x0000000000000000-mapping.dmp

Download
memory/1064-80-0x0000000000000000-mapping.dmp

Download
memory/1108-111-0x0000000000000000-mapping.dmp

Download
memory/1156-85-0x0000000000000000-mapping.dmp

Download
memory/1160-84-0x0000000000000000-mapping.dmp

Download
memory/1208-70-0x0000000000000000-mapping.dmp

Download
memory/1212-74-0x0000000000000000-mapping.dmp

Download
memory/1220-66-0x0000000000000000-mapping.dmp

Download
memory/1280-96-0x0000000000000000-mapping.dmp

Download
memory/1320-68-0x0000000000000000-mapping.dmp

Download
memory/1320-113-0x0000000000000000-mapping.dmp

Download
memory/1324-83-0x0000000000000000-mapping.dmp

Download
memory/1360-112-0x0000000000000000-mapping.dmp

Download
memory/1360-67-0x0000000000000000-mapping.dmp

Download
memory/1376-101-0x0000000000000000-mapping.dmp

Download
memory/1380-102-0x0000000000000000-mapping.dmp

Download
memory/1412-107-0x0000000000000000-mapping.dmp

Download
memory/1448-93-0x0000000000000000-mapping.dmp

Download
memory/1504-88-0x0000000000000000-mapping.dmp

Download
memory/1528-69-0x0000000000000000-mapping.dmp

Download
memory/1532-114-0x0000000000000000-mapping.dmp

Download
memory/1536-92-0x0000000000000000-mapping.dmp

Download
memory/1604-117-0x0000000000000000-mapping.dmp

Download
memory/1604-72-0x0000000000000000-mapping.dmp

Download
memory/1616-89-0x0000000000000000-mapping.dmp

Download
memory/1632-103-0x0000000000000000-mapping.dmp

Download
memory/1636-61-0x0000000000000000-mapping.dmp

Download
memory/1688-62-0x0000000000000000-mapping.dmp

Download
memory/1692-60-0x0000000000000000-mapping.dmp

Download
memory/1696-105-0x0000000000000000-mapping.dmp

Download
memory/1704-118-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/1712-104-0x0000000000000000-mapping.dmp

Download
memory/1724-73-0x0000000000000000-mapping.dmp

Download
memory/1756-100-0x0000000000000000-mapping.dmp

Download
memory/1760-71-0x0000000000000000-mapping.dmp

Download
memory/1760-116-0x0000000000000000-mapping.dmp

Download
memory/1784-77-0x0000000000000000-mapping.dmp

Download
memory/1816-108-0x0000000000000000-mapping.dmp

Download
memory/1816-63-0x0000000000000000-mapping.dmp

Download
memory/1820-115-0x0000000000000000-mapping.dmp

Download
memory/1868-59-0x0000000000000000-mapping.dmp

Download
memory/1928-75-0x0000000000000000-mapping.dmp

Download
memory/1932-56-0x0000000000000000-mapping.dmp

Download
memory/1944-78-0x0000000000000000-mapping.dmp

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download
memory/2028-82-0x0000000000000000-mapping.dmp

Download
memory/2044-109-0x0000000000000000-mapping.dmp

Download
memory/2044-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads