Overview
Analysis
max time kernel: 55s
max time network: 62s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2022 05:33
Static task: static1

Behavioral tasks
Task | Sample | Resource
behavioral1 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/!卸载.bat | win7-20220812-en
behavioral2 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/!卸载.bat | win10v2004-20220812-en
behavioral3 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/!绿化.bat | win7-20220812-en
behavioral4 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/!绿化.bat | win10v2004-20220812-en
behavioral5 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMFType64.dll | win7-20220812-en
behavioral6 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMFType64.dll | win10v2004-20220812-en
behavioral7 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMGetAll.dll | win7-20220812-en
behavioral8 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMGetAll.dll | win10v2004-20220812-en
behavioral9 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMGetAll64.dll | win7-20220812-en
behavioral10 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMGetAll64.dll | win10v2004-20220812-en
behavioral11 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMIECC.dll | win7-20220812-en
behavioral12 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMIECC.dll | win10v2004-20220812-en
behavioral13 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMIECC64.dll | win7-20220812-en
behavioral14 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMIECC64.dll | win10v2004-20220812-en
behavioral15 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMIntegrator64.exe | win7-20220812-en
behavioral16 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMIntegrator64.exe | win10v2004-20220812-en
behavioral17 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMNetMon.dll | win7-20220812-en
behavioral18 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMNetMon.dll | win10v2004-20220812-en
behavioral19 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMNetMon64.dll | win7-20220812-en
behavioral20 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMNetMon64.dll | win10v2004-20220812-en
behavioral21 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMShellExt.dll | win7-20220812-en
behavioral22 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMShellExt.dll | win10v2004-20220812-en
behavioral23 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMShellExt64.dll | win7-20220812-en
behavioral24 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMShellExt64.dll | win10v2004-20220812-en
behavioral25 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMVMPrs.dll | win7-20220812-en
behavioral26 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMVMPrs.dll | win10v2004-20220812-en
behavioral27 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMVMPrs64.dll | win7-20220812-en
behavioral28 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IDMVMPrs64.dll | win10v2004-20220812-en
behavioral29 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IEExt.vbs | win7-20220901-en
behavioral30 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IEExt.vbs | win10v2004-20220812-en
behavioral31 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IEGetAll.vbs | win7-20220812-en
behavioral32 | 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/IEGetAll.vbs | win10v2004-20220812-en
General
Target: 新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/!绿化.bat
Size: 12KB
MD5: 9989aa53d90411bda70ff107e72d2b3e
SHA1: 67ed47b4648f173b3285406d2ff5989090c8b05c
SHA256: 8ec6d310fb11d5c016324ab90be3a01cad14802c6b4dcd17b7397b2eca8e4d85
SHA512: 278969818c17513902ca3459eb6b8be79a7cf5feeb416ba653d2085590ecc4f42a9aacd3fddc89f00de3a8f7332a2adf8b3b803780dcfbf3fe71d9f0afbba68e
SSDEEP: 96:6hCwB6OFpMhtC1MhtxP08htGyghtwOR0TDaD3Y/AAa/AAQ2Rx3cZAzQs:8fsvyMvW8v1gvPR0b/AAa/AAQk7zQs
Malware Config
Signatures
Drops file in Drivers directory (3 IoCs)
Processes: rundll32.exe
Description | IoC | Process
File opened for modification | C:\Windows\system32\DRIVERS\idmwfp.sys | rundll32.exe
File opened for modification | C:\Windows\system32\DRIVERS\SET81ED.tmp | rundll32.exe
File created | C:\Windows\system32\DRIVERS\SET81ED.tmp | rundll32.exe
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
PID | Process
1488 | takeown.exe
1076 | icacls.exe
Registers COM server for autorun (1 TTPs, 3 IoCs)
Processes: regsvr32.exe
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\IDMShellExt64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
PID | Process
1488 | takeown.exe
1076 | icacls.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: rundll32.exe
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | rundll32.exe
Drops file in Windows directory (1 IoCs)
Processes: rundll32.exe
Description | IoC | Process
File opened for modification | C:\Windows\INF\setupapi.app.log | rundll32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: runonce.exe
Description | IoC | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | runonce.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | runonce.exe
Kills process with taskkill (2 IoCs)
Processes: taskkill.exe, taskkill.exe
PID | Process
2008 | taskkill.exe
1932 | taskkill.exe
Processes: idmBroker.exe
Description | IoC | Process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B} | idmBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe" | idmBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager" | idmBroker.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3" | idmBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights | idmBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | idmBroker.exe
Modifies registry class (60 IoCs)
Processes: idmBroker.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E} | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32 | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8} | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32 | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\Version = "1.0" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\IDMShellExt64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\Version = "1.0" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\ = "OptionsReader Class" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CurVer\ = "idmBroker.OptionsReader.1" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\ = "idmBroker 1.0 Type Library" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0 | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\ = "IDM Shell Extension" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\ = "OptionsReader Class" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CurVer | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\ProgID | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\ProgID\ = "idmBroker.OptionsReader.1" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\TypeLib | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\Programmable | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CLSID\ = "{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\VersionIndependentProgID\ = "idmBroker.OptionsReader" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\idmBroker.EXE\AppID = "{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\CLSID | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B} | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ = "IOptionsReader" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\0 | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\0\win32 | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}\ = "idmBroker" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\idmBroker.exe\"" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B} | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1 | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\CLSID\ = "{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\ = "OptionsReader Class" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\VersionIndependentProgID | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA} | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\HELPDIR | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\idmBroker.EXE | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\LocalServer32 | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ = "IOptionsReader" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\FLAGS | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\FLAGS\ = "0" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\idmBroker.exe" | idmBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CLSID | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager" | idmBroker.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}" | idmBroker.exe
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (8 IoCs)
Processes: regsvr32.exe, regsvr32.exe, regsvr32.exe, idmBroker.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe
PID | Process
1704 | regsvr32.exe
584 | regsvr32.exe
1868 | regsvr32.exe
1692 | idmBroker.exe
1872 | regsvr32.exe
1944 | regsvr32.exe
964 | regsvr32.exe
1112 | regsvr32.exe
Suspicious behavior: LoadsDriver (1 IoCs)
PID | Process
460 | (not recorded)
Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes: taskkill.exe, taskkill.exe, WMIC.exe, rundll32.exe
Identical rows are collapsed; the Count column gives how many times each row appears in the original listing (the WMIC.exe token set was adjusted twice in sequence).
Description | PID | Process | Count
Token: SeDebugPrivilege | 2008 | taskkill.exe | 1
Token: SeDebugPrivilege | 1932 | taskkill.exe | 1
Token: SeIncreaseQuotaPrivilege | 112 | WMIC.exe | 2
Token: SeSecurityPrivilege | 112 | WMIC.exe | 2
Token: SeTakeOwnershipPrivilege | 112 | WMIC.exe | 2
Token: SeLoadDriverPrivilege | 112 | WMIC.exe | 2
Token: SeSystemProfilePrivilege | 112 | WMIC.exe | 2
Token: SeSystemtimePrivilege | 112 | WMIC.exe | 2
Token: SeProfSingleProcessPrivilege | 112 | WMIC.exe | 2
Token: SeIncBasePriorityPrivilege | 112 | WMIC.exe | 2
Token: SeCreatePagefilePrivilege | 112 | WMIC.exe | 2
Token: SeBackupPrivilege | 112 | WMIC.exe | 2
Token: SeRestorePrivilege | 112 | WMIC.exe | 2
Token: SeShutdownPrivilege | 112 | WMIC.exe | 2
Token: SeDebugPrivilege | 112 | WMIC.exe | 2
Token: SeSystemEnvironmentPrivilege | 112 | WMIC.exe | 2
Token: SeRemoteShutdownPrivilege | 112 | WMIC.exe | 2
Token: SeUndockPrivilege | 112 | WMIC.exe | 2
Token: SeManageVolumePrivilege | 112 | WMIC.exe | 2
Token: 33 | 112 | WMIC.exe | 2
Token: 34 | 112 | WMIC.exe | 2
Token: 35 | 112 | WMIC.exe | 2
Token: SeRestorePrivilege | 664 | rundll32.exe | 7
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: cmd.exe, cmd.exe
Identical rows are collapsed; the Count column gives how many times each row appears in the original listing.
Description | PID | Process | Target process | Count
PID 1572 wrote to memory of 316 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 2008 | 1572 | cmd.exe | taskkill.exe | 3
PID 1572 wrote to memory of 1932 | 1572 | cmd.exe | taskkill.exe | 3
PID 1572 wrote to memory of 584 | 1572 | cmd.exe | cmd.exe | 3
PID 584 wrote to memory of 112 | 584 | cmd.exe | WMIC.exe | 3
PID 1572 wrote to memory of 1868 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1692 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1636 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1688 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1816 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 2044 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1048 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1220 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1360 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1320 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1528 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1208 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1760 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1604 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1724 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1212 | 1572 | cmd.exe | reg.exe | 3
PID 1572 wrote to memory of 1928 | 1572 | cmd.exe | reg.exe | 1
Processes
Process tree: [1] is the root process, [2] entries are its direct children. Each entry gives the image path, then the command line, then any signatures matched by that process.

[1] C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\!绿化.bat"
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\reg.exe
        REG QUERY "HKU\S-1-5-19\Environment"

    [2] C:\Windows\system32\taskkill.exe
        taskkill /f /im IDM*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\taskkill.exe
        taskkill /f /im IEMon*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic userAccount where "Name='Admin'" get SID /value
        - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\reg.exe
        reg delete "HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKCR\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f

    [2] C:\Windows\system32\reg.exe
        reg delete "HKLM\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /v "LName" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /v "FName" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /v "Email" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /v "Serial" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /v "scansk" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /v "MData" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /v "tvfrdt" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /v "CheckUpdtVM" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Internet Download Manager" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDMan" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDMan" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\DownloadManager" /f /v "LanguageID" /t REG_DWORD /d "2052"2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\DownloadManager" /f /v "LaunchOnStart" /t REG_DWORD /d "0"2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\DownloadManager" /f /v "ToolbarStyle" /d "Faenza"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\WOW6432Node\Internet Download Manager" /f /v "LName" /d "All Users"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\WOW6432Node\Internet Download Manager" /f /v "Serial" /d "88888-88888-88888-88888"2⤵
-
C:\Windows\system32\regsvr32.exeregsvr32 /s IDMIECC64.dll2⤵
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\regsvr32.exeregsvr32 /s IDMGetAll64.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\regsvr32.exeregsvr32 /s downlWithIDM64.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\idmBroker.exeidmBroker.exe -RegServer2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\net.exenet stop IDMWFP2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop IDMWFP3⤵
-
C:\Windows\system32\rundll32.exeRundll32 setupapi.dll,InstallHinfSection DefaultInstall 128 .\idmwfp.inf2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r3⤵
- Checks processor information in registry
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o4⤵
-
C:\Windows\system32\net.exenet start IDMWFP2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start IDMWFP3⤵
-
C:\Windows\system32\regsvr32.exeregsvr32 /s IDMShellExt64.dll2⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\regsvr32.exeregsvr32 /s IDMIECC64.dll2⤵
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\regsvr32.exeregsvr32 /s IDMGetAll64.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\regsvr32.exeregsvr32 /s downlWithIDM64.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\takeown.exetakeown /f "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\\" /a /r /d y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\\" /c /grant Everyone:(OI)(CI)(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /f /v "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\IDM.exe" /d "~ RUNASADMIN"2⤵
-
C:\Windows\system32\mshta.exemshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\IDM.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\IDMan.exe"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\"":b.Save:close")2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic userAccount where "Name='Admin'" get SID /value1⤵
- Suspicious use of AdjustPrivilegeToken
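The process tree above is a long run of near-identical `reg`, `regsvr32`, `net`, `takeown`, `icacls` and `mshta` invocations, and the behaviour tags the sandbox attaches to them are coarse. The block below is an added triage helper, not part of the sandbox report and not code from Internet Download Manager or the batch script analysed here. It reproduces a subset of the command lines from the tree above as constructed sample input (with the install directory factored into `IDM_DIR`), tags each one by what it does to the system, and then runs the one correlation a reviewer would want from this tree: an executable given a `RUNASADMIN` compatibility layer that lives under a directory the same script made world-writable with `Everyone:(OI)(CI)(F)`. The tag names, the regexes and the function names are this example's own choices; they are not the sandbox's vocabulary.

```python
"""Tag the command lines of a sandbox process tree and correlate ACL weakening
with RUNASADMIN compat layers. Added example; SAMPLE is built from the command
lines in the report above, everything else (tags, regexes) is this example's own."""
import re
from collections import Counter

# Install directory exactly as it appears in the report.
IDM_DIR = (r"C:\Users\Admin\AppData\Local\Temp\新建文件夹"
           r"\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager")

# (image path, command line) pairs copied from the process tree (constructed sample).
SAMPLE = [
    (r"C:\Windows\system32\reg.exe",
     r'reg delete "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f'),
    (r"C:\Windows\system32\reg.exe", r'reg delete "HKCU\Software\DownloadManager" /v "Serial" /f'),
    (r"C:\Windows\system32\reg.exe",
     r'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDMan" /f'),
    (r"C:\Windows\system32\reg.exe",
     r'reg add "HKCU\Software\DownloadManager" /f /v "LanguageID" /t REG_DWORD /d "2052"'),
    (r"C:\Windows\system32\reg.exe",
     r'reg add "HKLM\Software\WOW6432Node\Internet Download Manager" /f /v "Serial" /d "88888-88888-88888-88888"'),
    (r"C:\Windows\system32\regsvr32.exe", r"regsvr32 /s IDMIECC64.dll"),
    (IDM_DIR + r"\idmBroker.exe", r"idmBroker.exe -RegServer"),
    (r"C:\Windows\system32\net.exe", r"net stop IDMWFP"),
    (r"C:\Windows\system32\rundll32.exe",
     r"Rundll32 setupapi.dll,InstallHinfSection DefaultInstall 128 .\idmwfp.inf"),
    (r"C:\Windows\system32\takeown.exe", rf'takeown /f "{IDM_DIR}\\" /a /r /d y'),
    (r"C:\Windows\system32\icacls.exe", rf'icacls "{IDM_DIR}\\" /c /grant Everyone:(OI)(CI)(F)'),
    (r"C:\Windows\system32\reg.exe",
     rf'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /f /v "{IDM_DIR}\IDM.exe" /d "~ RUNASADMIN"'),
    (r"C:\Windows\system32\mshta.exe",
     'mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):'
     'Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\\IDM.lnk""):'
     f'b.TargetPath=""{IDM_DIR}\\IDMan.exe"":b.WorkingDirectory=""{IDM_DIR}\\"":b.Save:close")'),
    (r"C:\Windows\System32\Wbem\WMIC.exe", 'wmic userAccount where "Name=\'Admin\'" get SID /value'),
]

# (regex over the command line, tag); one line may collect several tags. Tag names are ours.
RULES = [
    (r'^reg\s+delete\s+"[^"]*\\CLSID\\\{', "com_class_removal"),
    (r'^reg\s+delete\s+"[^"]*\\CurrentVersion\\Run"\s+/v', "autorun_removal"),
    (r'^reg\s+(?:delete|add)\s+"[^"]*(?:DownloadManager|Internet Download Manager)"'
     r'(?:\s+/f)?\s+/v\s+"(?:Serial|Email|FName|LName|scansk|MData|tvfrdt|CheckUpdtVM)"',
     "license_state_tamper"),
    (r'^reg\s+delete\s+"HKLM\\SOFTWARE\\(?:Wow6432Node\\)?Internet Download Manager"\s+/f',
     "license_state_tamper"),
    (r'^regsvr32\b|-RegServer\b', "com_server_registration"),
    (r'^rundll32\s+setupapi\.dll,InstallHinfSection\b', "inf_driver_install"),
    (r'^net\s+(?:stop|start)\s+\S+', "service_control"),
    (r'^takeown\s+/f\b', "ownership_change"),
    (r'^icacls\s.*?/grant\s+Everyone:\(OI\)\(CI\)\(F\)', "world_writable_acl"),
    (r'AppCompatFlags\\Layers".*RUNASADMIN', "runasadmin_compat_layer"),
    (r'^mshta\s+VBScript:', "mshta_inline_script"),
    (r'^wmic\s+useraccount\b.*\bget\s+SID\b', "account_sid_lookup"),
]


def classify(cmdline):
    """Sorted list of tags whose pattern matches the command line (case-insensitive)."""
    return sorted({tag for pat, tag in RULES if re.search(pat, cmdline, re.IGNORECASE)})


def summarize(entries):
    """Counter of tag -> number of command lines in the tree carrying it."""
    return Counter(tag for _, cmd in entries for tag in classify(cmd))


def writable_runasadmin_targets(entries):
    """Executables given a RUNASADMIN layer that sit under a directory the same tree
    granted Everyone full control over: any local user can replace such a binary and
    it will be started through the elevation path the next time it is launched."""
    weak_dirs, elevated = [], []
    for _, cmd in entries:
        m = re.search(r'^icacls\s+"(?P<d>[^"]+?)\\*"\s.*?/grant\s+Everyone:\(OI\)\(CI\)\(F\)', cmd, re.I)
        if m:
            weak_dirs.append(m.group("d").lower())
        m = re.search(r'AppCompatFlags\\Layers"\s.*?/v\s+"(?P<exe>[^"]+)"\s+/d\s+"[^"]*RUNASADMIN', cmd, re.I)
        if m:
            elevated.append(m.group("exe"))
    return sorted(exe for exe in elevated if any(exe.lower().startswith(d + "\\") for d in weak_dirs))


if __name__ == "__main__":
    for image, cmd in SAMPLE:
        name = image.rsplit("\\", 1)[-1]
        print(f"{name:<14} {', '.join(classify(cmd)) or '-':<26} {cmd[:70]}")
    print("\ntag counts:", dict(summarize(SAMPLE)))
    print("world-writable dir + RUNASADMIN:", writable_runasadmin_targets(SAMPLE))
```

Feeding the full tree through `summarize` turns sixty lines of `reg delete` into a handful of counts, and `writable_runasadmin_targets` surfaces the combination that matters in this tree: the `icacls ... /grant Everyone:(OI)(CI)(F)` on the install directory together with the `RUNASADMIN` layer on `IDM.exe` inside it. Untagged lines (here the `LanguageID` setting) are worth a manual glance rather than silent acceptance.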
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/112-58-0x0000000000000000-mapping.dmp
- memory/316-54-0x0000000000000000-mapping.dmp
- memory/316-94-0x0000000000000000-mapping.dmp
- memory/512-86-0x0000000000000000-mapping.dmp
- memory/564-87-0x0000000000000000-mapping.dmp
- memory/584-57-0x0000000000000000-mapping.dmp
- memory/864-81-0x0000000000000000-mapping.dmp
- memory/884-106-0x0000000000000000-mapping.dmp
- memory/888-90-0x0000000000000000-mapping.dmp
- memory/896-98-0x0000000000000000-mapping.dmp
- memory/916-91-0x0000000000000000-mapping.dmp
- memory/944-95-0x0000000000000000-mapping.dmp
- memory/972-79-0x0000000000000000-mapping.dmp
- memory/976-99-0x0000000000000000-mapping.dmp
- memory/984-97-0x0000000000000000-mapping.dmp
- memory/1044-76-0x0000000000000000-mapping.dmp
- memory/1048-110-0x0000000000000000-mapping.dmp
- memory/1048-65-0x0000000000000000-mapping.dmp
- memory/1064-80-0x0000000000000000-mapping.dmp
- memory/1108-111-0x0000000000000000-mapping.dmp
- memory/1156-85-0x0000000000000000-mapping.dmp
- memory/1160-84-0x0000000000000000-mapping.dmp
- memory/1208-70-0x0000000000000000-mapping.dmp
- memory/1212-74-0x0000000000000000-mapping.dmp
- memory/1220-66-0x0000000000000000-mapping.dmp
- memory/1280-96-0x0000000000000000-mapping.dmp
- memory/1320-68-0x0000000000000000-mapping.dmp
- memory/1320-113-0x0000000000000000-mapping.dmp
- memory/1324-83-0x0000000000000000-mapping.dmp
- memory/1360-112-0x0000000000000000-mapping.dmp
- memory/1360-67-0x0000000000000000-mapping.dmp
- memory/1376-101-0x0000000000000000-mapping.dmp
- memory/1380-102-0x0000000000000000-mapping.dmp
- memory/1412-107-0x0000000000000000-mapping.dmp
- memory/1448-93-0x0000000000000000-mapping.dmp
- memory/1504-88-0x0000000000000000-mapping.dmp
- memory/1528-69-0x0000000000000000-mapping.dmp
- memory/1532-114-0x0000000000000000-mapping.dmp
- memory/1536-92-0x0000000000000000-mapping.dmp
- memory/1604-117-0x0000000000000000-mapping.dmp
- memory/1604-72-0x0000000000000000-mapping.dmp
- memory/1616-89-0x0000000000000000-mapping.dmp
- memory/1632-103-0x0000000000000000-mapping.dmp
- memory/1636-61-0x0000000000000000-mapping.dmp
- memory/1688-62-0x0000000000000000-mapping.dmp
- memory/1692-60-0x0000000000000000-mapping.dmp
- memory/1696-105-0x0000000000000000-mapping.dmp
- memory/1704-118-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp  (filesize 8KB)
- memory/1712-104-0x0000000000000000-mapping.dmp
- memory/1724-73-0x0000000000000000-mapping.dmp
- memory/1756-100-0x0000000000000000-mapping.dmp
- memory/1760-71-0x0000000000000000-mapping.dmp
- memory/1760-116-0x0000000000000000-mapping.dmp
- memory/1784-77-0x0000000000000000-mapping.dmp
- memory/1816-108-0x0000000000000000-mapping.dmp
- memory/1816-63-0x0000000000000000-mapping.dmp
- memory/1820-115-0x0000000000000000-mapping.dmp
- memory/1868-59-0x0000000000000000-mapping.dmp
- memory/1928-75-0x0000000000000000-mapping.dmp
- memory/1932-56-0x0000000000000000-mapping.dmp
- memory/1944-78-0x0000000000000000-mapping.dmp
- memory/2008-55-0x0000000000000000-mapping.dmp
- memory/2028-82-0x0000000000000000-mapping.dmp
- memory/2044-109-0x0000000000000000-mapping.dmp
- memory/2044-64-0x0000000000000000-mapping.dmp