20fad721ad99f8a82c2eaf4743229f8c921d00b9ee0caa49c96edfd15156d749

Analysis

max time kernel
128s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2022 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

新建文件夹/Inet_Download_Manager_v6.37.14_Final/Internet Download Manager/!绿化.bat
Size

12KB
MD5

9989aa53d90411bda70ff107e72d2b3e
SHA1

67ed47b4648f173b3285406d2ff5989090c8b05c
SHA256

8ec6d310fb11d5c016324ab90be3a01cad14802c6b4dcd17b7397b2eca8e4d85
SHA512

278969818c17513902ca3459eb6b8be79a7cf5feeb416ba653d2085590ecc4f42a9aacd3fddc89f00de3a8f7332a2adf8b3b803780dcfbf3fe71d9f0afbba68e
SSDEEP

96:6hCwB6OFpMhtC1MhtxP08htGyghtwOR0TDaD3Y/AAa/AAQ2Rx3cZAzQs:8fsvyMvW8v1gvPR0b/AAa/AAQk7zQs

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\idmwfp.sys	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET5AE1.tmp	rundll32.exe
File created	C:\Windows\system32\DRIVERS\SET5AE1.tmp	rundll32.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1440 takeown.exe
4916 icacls.exe

pid	process
1440	takeown.exe
4916	icacls.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1440 takeown.exe
4916 icacls.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1440	takeown.exe
4916	icacls.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3032 taskkill.exe
4764 taskkill.exe

pid	process
3032	taskkill.exe
4764	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

idmBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Low Rights	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe"	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager"	idmBroker.exe

Modifies registry class 60 IoCs

Processes:

regsvr32.exeidmBroker.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CurVer	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\VersionIndependentProgID	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\idmBroker.exe"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CurVer\ = "idmBroker.OptionsReader.1"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\VersionIndependentProgID\ = "idmBroker.OptionsReader"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\FLAGS\ = "0"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\ = "IDM Shell Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\idmBroker.EXE	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\idmBroker.EXE\AppID = "{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CLSID	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CLSID\ = "{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}\ = "idmBroker"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\0	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\ = "OptionsReader Class"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\ = "OptionsReader Class"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\CLSID	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\0\win32	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\Version = "1.0"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\Version = "1.0"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\Programmable	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\ = "idmBroker 1.0 Type Library"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\HELPDIR	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\idmBroker.exe\""	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\FLAGS	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\ProgID	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ = "IOptionsReader"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\ = "OptionsReader Class"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ = "IOptionsReader"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹\\Inet_Download_Manager_v6.37.14_Final\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\CLSID\ = "{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\TypeLib	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\ProgID\ = "idmBroker.OptionsReader.1"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\LocalServer32	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32	idmBroker.exe

Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648

pid	process
648

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4668	WMIC.exe
Token: SeSecurityPrivilege	4668	WMIC.exe
Token: SeTakeOwnershipPrivilege	4668	WMIC.exe
Token: SeLoadDriverPrivilege	4668	WMIC.exe
Token: SeSystemProfilePrivilege	4668	WMIC.exe
Token: SeSystemtimePrivilege	4668	WMIC.exe
Token: SeProfSingleProcessPrivilege	4668	WMIC.exe
Token: SeIncBasePriorityPrivilege	4668	WMIC.exe
Token: SeCreatePagefilePrivilege	4668	WMIC.exe
Token: SeBackupPrivilege	4668	WMIC.exe
Token: SeRestorePrivilege	4668	WMIC.exe
Token: SeShutdownPrivilege	4668	WMIC.exe
Token: SeDebugPrivilege	4668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4668	WMIC.exe
Token: SeRemoteShutdownPrivilege	4668	WMIC.exe
Token: SeUndockPrivilege	4668	WMIC.exe
Token: SeManageVolumePrivilege	4668	WMIC.exe
Token: 33	4668	WMIC.exe
Token: 34	4668	WMIC.exe
Token: 35	4668	WMIC.exe
Token: 36	4668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4668	WMIC.exe
Token: SeSecurityPrivilege	4668	WMIC.exe
Token: SeTakeOwnershipPrivilege	4668	WMIC.exe
Token: SeLoadDriverPrivilege	4668	WMIC.exe
Token: SeSystemProfilePrivilege	4668	WMIC.exe
Token: SeSystemtimePrivilege	4668	WMIC.exe
Token: SeProfSingleProcessPrivilege	4668	WMIC.exe
Token: SeIncBasePriorityPrivilege	4668	WMIC.exe
Token: SeCreatePagefilePrivilege	4668	WMIC.exe
Token: SeBackupPrivilege	4668	WMIC.exe
Token: SeRestorePrivilege	4668	WMIC.exe
Token: SeShutdownPrivilege	4668	WMIC.exe
Token: SeDebugPrivilege	4668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4668	WMIC.exe
Token: SeRemoteShutdownPrivilege	4668	WMIC.exe
Token: SeUndockPrivilege	4668	WMIC.exe
Token: SeManageVolumePrivilege	4668	WMIC.exe
Token: 33	4668	WMIC.exe
Token: 34	4668	WMIC.exe
Token: 35	4668	WMIC.exe
Token: 36	4668	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 4056 wrote to memory of 4808	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4808	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3032	4056	cmd.exe	taskkill.exe
PID 4056 wrote to memory of 3032	4056	cmd.exe	taskkill.exe
PID 4056 wrote to memory of 4764	4056	cmd.exe	taskkill.exe
PID 4056 wrote to memory of 4764	4056	cmd.exe	taskkill.exe
PID 4056 wrote to memory of 4924	4056	cmd.exe	cmd.exe
PID 4056 wrote to memory of 4924	4056	cmd.exe	cmd.exe
PID 4924 wrote to memory of 4668	4924	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 4668	4924	cmd.exe	WMIC.exe
PID 4056 wrote to memory of 1460	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 1460	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 1272	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 1272	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4300	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4300	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 2128	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 2128	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 1956	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 1956	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3588	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3588	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 2364	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 2364	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 2792	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 2792	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4296	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4296	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4648	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4648	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3940	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3940	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 808	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 808	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3500	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3500	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4264	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4264	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 204	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 204	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 320	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 320	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3164	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3164	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3036	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3036	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4848	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4848	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 2292	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 2292	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3580	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3580	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4740	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4740	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3484	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3484	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4136	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 4136	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3808	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 3808	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 2152	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 2152	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 1208	4056	cmd.exe	reg.exe
PID 4056 wrote to memory of 1208	4056	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\!绿化.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19\Environment"
2⤵
PID:4808

C:\Windows\system32\taskkill.exe
taskkill /f /im IDM*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\taskkill.exe
taskkill /f /im IEMon*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic userAccount where "Name='Admin'" get SID /value
2⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\System32\Wbem\WMIC.exe
wmic userAccount where "Name='Admin'" get SID /value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:1460

C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:1272

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
2⤵
PID:4300

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
2⤵
PID:2128

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
2⤵
PID:1956

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
2⤵
PID:3588

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
2⤵
PID:2364

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
2⤵
PID:2792

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
2⤵
PID:4296

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
2⤵
PID:3940

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
2⤵
PID:4648

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
2⤵
PID:808

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
2⤵
PID:3500

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
2⤵
PID:4264

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
2⤵
PID:204

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
2⤵
PID:320

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
2⤵
PID:3164

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
2⤵
PID:3036

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:4848

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:2292

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:3580

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:4740

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:3484

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:4136

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:3808

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:2152

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:1208

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:1344

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:4928

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:1444

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
2⤵
PID:1260

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
2⤵
PID:3572

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
2⤵
PID:3436

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
2⤵
PID:3412

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
2⤵
PID:4164

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
2⤵
PID:1504

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
2⤵
PID:2244

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
2⤵
PID:1600

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
2⤵
PID:1288

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
2⤵
PID:1248

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
2⤵
PID:3872

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
2⤵
PID:1788

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f
2⤵
PID:1276

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f
2⤵
PID:1720

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f
2⤵
PID:4720

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{84797876-C678-1780-A556-0CD06786780F}" /f
2⤵
PID:1960

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
2⤵
PID:3492

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
2⤵
PID:2988

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
2⤵
PID:1792

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
2⤵
PID:3380

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
2⤵
PID:2340

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:4984

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
2⤵
PID:904

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
2⤵
PID:1484

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:1892

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
2⤵
PID:1108

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f
2⤵
PID:3804

C:\Windows\system32\reg.exe
reg delete "HKCR\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
2⤵
PID:1268

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
2⤵
PID:960

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
2⤵
PID:3452

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
2⤵
PID:3732

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:1156

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
2⤵
PID:2360

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
2⤵
PID:3416

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:504

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
2⤵
PID:1712

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
2⤵
PID:1068

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
2⤵
PID:788

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
2⤵
PID:760

C:\Windows\system32\reg.exe
reg delete "HKCR\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
2⤵
PID:2004

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
2⤵
PID:360

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" /f
2⤵
PID:4884

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
2⤵
PID:4532

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
2⤵
PID:1144

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" /f
2⤵
PID:4332

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
2⤵
PID:2480

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}" /f
2⤵
PID:2580

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
2⤵
PID:3916

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
2⤵
PID:4032

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
2⤵
PID:4812

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
2⤵
PID:712

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}" /f
2⤵
PID:876

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" /f
2⤵
PID:3032

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f
2⤵
PID:4704

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
2⤵
PID:4764

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
2⤵
PID:3504

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}" /f
2⤵
PID:3012

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f
2⤵
PID:4580

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "LName" /f
2⤵
PID:3852

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "FName" /f
2⤵
PID:4004

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "Email" /f
2⤵
PID:4684

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "Serial" /f
2⤵
PID:4236

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "scansk" /f
2⤵
PID:1172

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "MData" /f
2⤵
PID:4784

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "tvfrdt" /f
2⤵
PID:1560

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "CheckUpdtVM" /f
2⤵
PID:1936

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Internet Download Manager" /f
2⤵
PID:1632

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /f
2⤵
PID:992

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDMan" /f
2⤵
PID:4308

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDMan" /f
2⤵
PID:4464

C:\Windows\system32\reg.exe
reg add "HKCU\Software\DownloadManager" /f /v "LanguageID" /t REG_DWORD /d "2052"
2⤵
PID:1956

C:\Windows\system32\reg.exe
reg add "HKCU\Software\DownloadManager" /f /v "LaunchOnStart" /t REG_DWORD /d "0"
2⤵
PID:4412

C:\Windows\system32\reg.exe
reg add "HKLM\Software\WOW6432Node\Internet Download Manager" /f /v "LName" /d "All Users"
2⤵
PID:4272

C:\Windows\system32\reg.exe
reg add "HKCU\Software\DownloadManager" /f /v "ToolbarStyle" /d "Faenza"
2⤵
PID:1836

C:\Windows\system32\reg.exe
reg add "HKLM\Software\WOW6432Node\Internet Download Manager" /f /v "Serial" /d "88888-88888-88888-88888"
2⤵
PID:5088

C:\Windows\system32\regsvr32.exe
regsvr32 /s IDMIECC64.dll
2⤵
- Modifies registry class
PID:4364

C:\Windows\system32\regsvr32.exe
regsvr32 /s IDMGetAll64.dll
2⤵
PID:3940

C:\Windows\system32\regsvr32.exe
regsvr32 /s downlWithIDM64.dll
2⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\idmBroker.exe
idmBroker.exe -RegServer
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:784

C:\Windows\system32\net.exe
net stop IDMWFP
2⤵
PID:4352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop IDMWFP
3⤵
PID:1940

C:\Windows\system32\rundll32.exe
Rundll32 setupapi.dll,InstallHinfSection DefaultInstall 128 .\idmwfp.inf
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
PID:2292

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
3⤵
- Checks processor information in registry
PID:4504

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
4⤵
PID:4344

C:\Windows\system32\net.exe
net start IDMWFP
2⤵
PID:1600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start IDMWFP
3⤵
PID:2244

C:\Windows\system32\regsvr32.exe
regsvr32 /s IDMShellExt64.dll
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:4276

C:\Windows\system32\regsvr32.exe
regsvr32 /s IDMIECC64.dll
2⤵
- Modifies registry class
PID:3152

C:\Windows\system32\regsvr32.exe
regsvr32 /s IDMGetAll64.dll
2⤵
PID:3900

C:\Windows\system32\regsvr32.exe
regsvr32 /s downlWithIDM64.dll
2⤵
PID:4628

C:\Windows\system32\takeown.exe
takeown /f "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\\" /a /r /d y
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
2⤵
PID:2976

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\\" /c /grant Everyone:(OI)(CI)(F)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4916

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /f /v "C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\IDM.exe" /d "~ RUNASADMIN"
2⤵
PID:4968

C:\Windows\system32\mshta.exe
mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\IDM.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\IDMan.exe"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\新建文件夹\Inet_Download_Manager_v6.37.14_Final\Internet Download Manager\"":b.Save:close")
2⤵
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/204-151-0x0000000000000000-mapping.dmp

Download
memory/320-152-0x0000000000000000-mapping.dmp

Download
memory/808-148-0x0000000000000000-mapping.dmp

Download
memory/904-189-0x0000000000000000-mapping.dmp

Download
memory/960-195-0x0000000000000000-mapping.dmp

Download
memory/1108-192-0x0000000000000000-mapping.dmp

Download
memory/1208-163-0x0000000000000000-mapping.dmp

Download
memory/1248-175-0x0000000000000000-mapping.dmp

Download
memory/1260-167-0x0000000000000000-mapping.dmp

Download
memory/1268-194-0x0000000000000000-mapping.dmp

Download
memory/1272-138-0x0000000000000000-mapping.dmp

Download
memory/1276-179-0x0000000000000000-mapping.dmp

Download
memory/1288-176-0x0000000000000000-mapping.dmp

Download
memory/1344-164-0x0000000000000000-mapping.dmp

Download
memory/1444-166-0x0000000000000000-mapping.dmp

Download
memory/1460-137-0x0000000000000000-mapping.dmp

Download
memory/1484-190-0x0000000000000000-mapping.dmp

Download
memory/1504-174-0x0000000000000000-mapping.dmp

Download
memory/1600-172-0x0000000000000000-mapping.dmp

Download
memory/1720-180-0x0000000000000000-mapping.dmp

Download
memory/1788-177-0x0000000000000000-mapping.dmp

Download
memory/1792-185-0x0000000000000000-mapping.dmp

Download
memory/1892-191-0x0000000000000000-mapping.dmp

Download
memory/1956-141-0x0000000000000000-mapping.dmp

Download
memory/1960-182-0x0000000000000000-mapping.dmp

Download
memory/2128-140-0x0000000000000000-mapping.dmp

Download
memory/2152-162-0x0000000000000000-mapping.dmp

Download
memory/2244-173-0x0000000000000000-mapping.dmp

Download
memory/2292-156-0x0000000000000000-mapping.dmp

Download
memory/2340-187-0x0000000000000000-mapping.dmp

Download
memory/2364-143-0x0000000000000000-mapping.dmp

Download
memory/2792-144-0x0000000000000000-mapping.dmp

Download
memory/2988-184-0x0000000000000000-mapping.dmp

Download
memory/3032-133-0x0000000000000000-mapping.dmp

Download
memory/3036-154-0x0000000000000000-mapping.dmp

Download
memory/3164-153-0x0000000000000000-mapping.dmp

Download
memory/3380-186-0x0000000000000000-mapping.dmp

Download
memory/3412-170-0x0000000000000000-mapping.dmp

Download
memory/3436-169-0x0000000000000000-mapping.dmp

Download
memory/3484-159-0x0000000000000000-mapping.dmp

Download
memory/3492-183-0x0000000000000000-mapping.dmp

Download
memory/3500-149-0x0000000000000000-mapping.dmp

Download
memory/3572-168-0x0000000000000000-mapping.dmp

Download
memory/3580-157-0x0000000000000000-mapping.dmp

Download
memory/3588-142-0x0000000000000000-mapping.dmp

Download
memory/3804-193-0x0000000000000000-mapping.dmp

Download
memory/3808-161-0x0000000000000000-mapping.dmp

Download
memory/3872-178-0x0000000000000000-mapping.dmp

Download
memory/3940-147-0x0000000000000000-mapping.dmp

Download
memory/4136-160-0x0000000000000000-mapping.dmp

Download
memory/4164-171-0x0000000000000000-mapping.dmp

Download
memory/4264-150-0x0000000000000000-mapping.dmp

Download
memory/4296-145-0x0000000000000000-mapping.dmp

Download
memory/4300-139-0x0000000000000000-mapping.dmp

Download
memory/4648-146-0x0000000000000000-mapping.dmp

Download
memory/4668-136-0x0000000000000000-mapping.dmp

Download
memory/4720-181-0x0000000000000000-mapping.dmp

Download
memory/4740-158-0x0000000000000000-mapping.dmp

Download
memory/4764-134-0x0000000000000000-mapping.dmp

Download
memory/4808-132-0x0000000000000000-mapping.dmp

Download
memory/4848-155-0x0000000000000000-mapping.dmp

Download
memory/4924-135-0x0000000000000000-mapping.dmp

Download
memory/4928-165-0x0000000000000000-mapping.dmp

Download
memory/4984-188-0x0000000000000000-mapping.dmp

Download