2423440c08ec7e4919afb68e21311e9c5853f129c0f05071d0163fc7031754a8

System Information Discovery

Processes:

IDMan.exeUninstall.exeIDMan.exeIDMan.exeUninstall.exeIDMan.exeUninstall.exeUninstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Uninstall.exe

Executes dropped EXE 11 IoCs

Processes:

Internet Download Manager 6.41.7.tmpUninstall.exeidmBroker.exeIDMan.exeUninstall.exeMediumILStart.exeIDMan.exeIDMan.exeUninstall.exeIDMan.exeUninstall.exe

pid	process
3832	Internet Download Manager 6.41.7.tmp
4968	Uninstall.exe
800	idmBroker.exe
876	IDMan.exe
1124	Uninstall.exe
476	MediumILStart.exe
660	IDMan.exe
5088	IDMan.exe
1904	Uninstall.exe
2680	IDMan.exe
3540	Uninstall.exe

Loads dropped DLL 64 IoCs

Processes:

Internet Download Manager 6.41.7.tmpregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exereg.exereg.exereg.exeregsvr32.exeregsvr32.exeRundll32.exeregsvr32.exeregsvr32.exeIDMan.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeIDMan.exeIDMan.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeIDMan.exeregsvr32.exeregsvr32.exe

pid	process
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
4688	regsvr32.exe
3880	regsvr32.exe
332	regsvr32.exe
3544	regsvr32.exe
2920	regsvr32.exe
1488	regsvr32.exe
4188	regsvr32.exe
1788	reg.exe
860	reg.exe
2096	reg.exe
740	regsvr32.exe
1384
1384
3504	regsvr32.exe
2016	Rundll32.exe
3828	regsvr32.exe
4448	regsvr32.exe
876	IDMan.exe
1384
876	IDMan.exe
876	IDMan.exe
876	IDMan.exe
876	IDMan.exe
4388	regsvr32.exe
4484	regsvr32.exe
4636	regsvr32.exe
2004	regsvr32.exe
4344	regsvr32.exe
472	regsvr32.exe
4456	regsvr32.exe
3600	regsvr32.exe
660	IDMan.exe
660	IDMan.exe
660	IDMan.exe
660	IDMan.exe
660	IDMan.exe
5088	IDMan.exe
5088	IDMan.exe
5088	IDMan.exe
4564	regsvr32.exe
5088	IDMan.exe
5088	IDMan.exe
4968	regsvr32.exe
4344	regsvr32.exe
1320	regsvr32.exe
3052	regsvr32.exe
4372	regsvr32.exe
508	regsvr32.exe
4820	regsvr32.exe
1816	regsvr32.exe
4176	regsvr32.exe
4160	regsvr32.exe
3464	regsvr32.exe
2680	IDMan.exe
2680	IDMan.exe
2680	IDMan.exe
2680	IDMan.exe
2680	IDMan.exe
1488	regsvr32.exe
2960	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exereg.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

RUNDLL32.EXERUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

IDMan.exeIDMan.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IDMan.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IDMan.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

Internet Download Manager 6.41.7.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	Internet Download Manager 6.41.7.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	Internet Download Manager 6.41.7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	Internet Download Manager 6.41.7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	Internet Download Manager 6.41.7.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	Internet Download Manager 6.41.7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	Internet Download Manager 6.41.7.tmp

Drops file in System32 directory 15 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f2e96b5d-0f2b-d745-be44-39c34fa1234f}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f2e96b5d-0f2b-d745-be44-39c34fa1234f}\SETC14C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f2e96b5d-0f2b-d745-be44-39c34fa1234f}\SETC14D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f2e96b5d-0f2b-d745-be44-39c34fa1234f}\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f2e96b5d-0f2b-d745-be44-39c34fa1234f}\idmwfp.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f2e96b5d-0f2b-d745-be44-39c34fa1234f}\SETC14C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f2e96b5d-0f2b-d745-be44-39c34fa1234f}\idmwfp64.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f2e96b5d-0f2b-d745-be44-39c34fa1234f}\SETC14E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp64.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f2e96b5d-0f2b-d745-be44-39c34fa1234f}\SETC14D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f2e96b5d-0f2b-d745-be44-39c34fa1234f}\SETC14E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe

Drops file in Program Files directory 64 IoCs

Processes:

Internet Download Manager 6.41.7.tmp

description	ioc	process
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-ITR1T.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-HJL17.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-CRE4B.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-ONSC0.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-HR3FU.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-SUHAP.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Helvet_3D_Dark\is-2K6LI.tmp	Internet Download Manager 6.41.7.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\grabber.chm	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-ULN1G.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-K6QH0.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-L5FUR.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Glyfz_2016\is-CP9VT.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-H3FSO.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-U9DEO.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-0UP0P.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-VD8C8.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Koushik_tb\is-VV9BD.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Pure_Flat_2013\is-JMBUC.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\ThL-Toolbar_bmps\is-DJ5SK.tmp	Internet Download Manager 6.41.7.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\IDMVMPrs.dll	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-UCG0A.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-UGEFA.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\H3M_Bronze_Shapes_Toolbar\is-HLRNN.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Office Flat\is-FTBH8.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Glyfz_2016\is-N7IUQ.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Glyfz_2016\is-5OP6P.tmp	Internet Download Manager 6.41.7.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\idmftype.dll	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-5S4M5.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-PRU6O.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Pure_Flat_2013\BITMAP\is-1LBDL.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Pure_Flat_2013\BITMAP\is-BSEC6.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-1T4S3.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-J2MD6.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\H3M_Olive_Shapes_Toolbar\is-BSDK5.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Pure_Flat_2013\BITMAP\is-CI14M.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-MH0PD.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-2F1AB.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-8L355.tmp	Internet Download Manager 6.41.7.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe	Internet Download Manager 6.41.7.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\PT LIGHT\is-NQFB3.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-497P2.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-SV54D.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-62V6R.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-S96B9.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-DUE1U.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-G890P.tmp	Internet Download Manager 6.41.7.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\IDMShellExt.dll	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-JJD95.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\is-34VCN.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-SAMNH.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-N8VSF.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-0RPM5.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Windows 11\is-J45FP.tmp	Internet Download Manager 6.41.7.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\IDMan.exe	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-LCGT0.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-MACF3.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-16J9D.tmp	Internet Download Manager 6.41.7.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\Languages\tut_ru.chm	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\is-4L5R9.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Helvet_3D_Color\is-5C7PH.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\is-4VHFT.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\7_IDM\is-2D2IB.tmp	Internet Download Manager 6.41.7.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\Dtu_Style\BITMAP\is-QF36N.tmp	Internet Download Manager 6.41.7.tmp

Drops file in Windows directory 12 IoCs

Processes:

DrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeRUNDLL32.EXEDrvInst.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXEsvchost.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

DrvInst.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

runonce.exerunonce.exerunonce.exerunonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4844 taskkill.exe

pid	process
4844	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

Processes:

IDMan.exeIDMan.exeIDMan.exeIDMan.exeidmBroker.exeInternet Download Manager 6.41.7.tmp

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	Internet Download Manager 6.41.7.tmp
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3"	idmBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights	idmBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	Internet Download Manager 6.41.7.tmp

Modifies data under HKEY_USERS 41 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeIDMan.exeregsvr32.exeregsvr32.exeIDMan.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeIDMan.exeIDMan.exereg.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\ = "IDMDwnlMgr Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\TypeLib\Version = "1.0"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj.1\CLSID\ = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage.1\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CurVer\ = "DownlWithIDM.IDMDwnlMgr.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\TypeLib\ = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID\ = "DownlWithIDM.LinkProcessor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ = "IIDMEFSAgent2"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj.1\CLSID\ = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ = "VLinkProcessor Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID\ = "Idmfsa.IDMEFSAgent.1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\ProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\CLSID\ = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\Programmable	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ = "VLinkProcessor Class"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\ = "IDMIEHlprObj Class"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1\CLSID\ = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\CurVer\ = "DownlWithIDM.V2LinkProcessor.1"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\Programmable	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID\ = "DownlWithIDM.VLinkProcessor"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\idmfsa.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage.1\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID\ = "IDMIECC.IDMIEHlprObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\CLSID\ = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\ = "V2LinkProcessor Class"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ = "LinkProcessor Class"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Control	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\CLSID\ = "{4764030F-2733-45B9-AE62-3D1F4F6F2861}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\VersionIndependentProgID	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\ProxyStubClsid32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID\ = "DownlWithIDM.V2LinkProcessor"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\ProgID	IDMan.exe

Runs .reg file with regedit 3 IoCs

Processes:

regedit.exeregedit.exeregedit.exe

pid process

4636 regedit.exe
216 regedit.exe
3792 regedit.exe
Runs net.exe

pid	process
4636	regedit.exe
216	regedit.exe
3792	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Internet Download Manager 6.41.7.tmpIDMan.exeIDMan.exe

pid	process
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
876	IDMan.exe
876	IDMan.exe
5088	IDMan.exe
5088	IDMan.exe
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IDMan.exe

pid process

2680 IDMan.exe
Suspicious behavior: LoadsDriver 24 IoCs

Processes:

pid process

680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680

pid	process
2680	IDMan.exe

pid	process
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

svchost.exeDrvInst.exetaskkill.exeDrvInst.exeIDMan.exeDrvInst.exeRUNDLL32.EXEregsvr32.exeIDMan.exeIDMan.exeDrvInst.exe

description	pid	process
Token: SeAuditPrivilege	3912	svchost.exe
Token: SeSecurityPrivilege	3912	svchost.exe
Token: SeRestorePrivilege	4356	DrvInst.exe
Token: SeBackupPrivilege	4356	DrvInst.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeRestorePrivilege	2716	DrvInst.exe
Token: SeBackupPrivilege	2716	DrvInst.exe
Token: SeBackupPrivilege	876	IDMan.exe
Token: SeRestorePrivilege	4524	DrvInst.exe
Token: SeBackupPrivilege	4524	DrvInst.exe
Token: SeDebugPrivilege	3412	RUNDLL32.EXE
Token: SeDebugPrivilege	3412	RUNDLL32.EXE
Token: SeDebugPrivilege	3464	regsvr32.exe
Token: SeDebugPrivilege	3464	regsvr32.exe
Token: SeBackupPrivilege	5088	IDMan.exe
Token: SeBackupPrivilege	660	IDMan.exe
Token: SeRestorePrivilege	4296	DrvInst.exe
Token: SeBackupPrivilege	4296	DrvInst.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Internet Download Manager 6.41.7.tmpIDMan.exeIDMan.exeIDMan.exeIDMan.exe

pid process

3832 Internet Download Manager 6.41.7.tmp
876 IDMan.exe
660 IDMan.exe
5088 IDMan.exe
5088 IDMan.exe
660 IDMan.exe
2680 IDMan.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

IDMan.exeIDMan.exeIDMan.exeIDMan.exe

pid process

876 IDMan.exe
660 IDMan.exe
5088 IDMan.exe
5088 IDMan.exe
660 IDMan.exe
2680 IDMan.exe

pid	process
876	IDMan.exe
660	IDMan.exe
5088	IDMan.exe
5088	IDMan.exe
660	IDMan.exe
2680	IDMan.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

Internet Download Manager 6.41.7.tmpIDMan.exeUninstall.exeIDMan.exeIDMan.exeUninstall.exeIDMan.exe

pid	process
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
3832	Internet Download Manager 6.41.7.tmp
876	IDMan.exe
876	IDMan.exe
1124	Uninstall.exe
876	IDMan.exe
876	IDMan.exe
660	IDMan.exe
5088	IDMan.exe
660	IDMan.exe
660	IDMan.exe
660	IDMan.exe
660	IDMan.exe
5088	IDMan.exe
1904	Uninstall.exe
660	IDMan.exe
5088	IDMan.exe
5088	IDMan.exe
5088	IDMan.exe
5088	IDMan.exe
2680	IDMan.exe
2680	IDMan.exe
2680	IDMan.exe
2680	IDMan.exe
2680	IDMan.exe
2680	IDMan.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Internet Download Manager 6.41.7.exeInternet Download Manager 6.41.7.tmpregsvr32.exereg.exereg.execmd.exe

description	pid	process	target process
PID 4852 wrote to memory of 3832	4852	Internet Download Manager 6.41.7.exe	Internet Download Manager 6.41.7.tmp
PID 4852 wrote to memory of 3832	4852	Internet Download Manager 6.41.7.exe	Internet Download Manager 6.41.7.tmp
PID 4852 wrote to memory of 3832	4852	Internet Download Manager 6.41.7.exe	Internet Download Manager 6.41.7.tmp
PID 3832 wrote to memory of 4688	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 4688	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 4688	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 3880	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 3880	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 3880	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 332	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 332	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 332	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 3544	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 3544	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 3544	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 2920	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 2920	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 1488	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 1488	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 1488	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 1488 wrote to memory of 4188	1488	regsvr32.exe	regsvr32.exe
PID 1488 wrote to memory of 4188	1488	regsvr32.exe	regsvr32.exe
PID 3832 wrote to memory of 1788	3832	Internet Download Manager 6.41.7.tmp	reg.exe
PID 3832 wrote to memory of 1788	3832	Internet Download Manager 6.41.7.tmp	reg.exe
PID 3832 wrote to memory of 1788	3832	Internet Download Manager 6.41.7.tmp	reg.exe
PID 1788 wrote to memory of 860	1788	reg.exe	reg.exe
PID 1788 wrote to memory of 860	1788	reg.exe	reg.exe
PID 3832 wrote to memory of 2096	3832	Internet Download Manager 6.41.7.tmp	reg.exe
PID 3832 wrote to memory of 2096	3832	Internet Download Manager 6.41.7.tmp	reg.exe
PID 3832 wrote to memory of 2096	3832	Internet Download Manager 6.41.7.tmp	reg.exe
PID 2096 wrote to memory of 740	2096	reg.exe	regsvr32.exe
PID 2096 wrote to memory of 740	2096	reg.exe	regsvr32.exe
PID 3832 wrote to memory of 2852	3832	Internet Download Manager 6.41.7.tmp	reg.exe
PID 3832 wrote to memory of 2852	3832	Internet Download Manager 6.41.7.tmp	reg.exe
PID 3832 wrote to memory of 2852	3832	Internet Download Manager 6.41.7.tmp	reg.exe
PID 3832 wrote to memory of 3504	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 3504	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 3504	3832	Internet Download Manager 6.41.7.tmp	regsvr32.exe
PID 3832 wrote to memory of 3924	3832	Internet Download Manager 6.41.7.tmp	cmd.exe
PID 3832 wrote to memory of 3924	3832	Internet Download Manager 6.41.7.tmp	cmd.exe
PID 3832 wrote to memory of 3924	3832	Internet Download Manager 6.41.7.tmp	cmd.exe
PID 3924 wrote to memory of 2260	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 2260	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 2260	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 4168	3924	cmd.exe	reg.exe
PID 3924 wrote to memory of 4168	3924	cmd.exe	reg.exe
PID 3924 wrote to memory of 4168	3924	cmd.exe	reg.exe
PID 3924 wrote to memory of 2876	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 2876	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 2876	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 556	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 556	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 556	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 1556	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 1556	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 1556	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 4856	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 4856	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 4856	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 4068	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 4068	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 4068	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 3244	3924	cmd.exe	regini.exe
PID 3924 wrote to memory of 3244	3924	cmd.exe	regini.exe

C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.41.7.exe
"C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.41.7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\AppData\Local\Temp\is-4RAOP.tmp\Internet Download Manager 6.41.7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4RAOP.tmp\Internet Download Manager 6.41.7.tmp" /SL5="$8003E,14259744,64512,C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.41.7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:4688

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll"
3⤵
- Loads dropped DLL
PID:3880

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:332

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\idmfsa.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:3544

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
3⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:2920

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4188

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
3⤵
PID:1788

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
4⤵
PID:860

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
3⤵
PID:2096

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:740

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\idmantypeinfo.tlb"
3⤵
PID:2852

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files (x86)\Internet Download Manager\IDMShellExt.dll"
3⤵
- Loads dropped DLL
PID:3504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-6OS1C.tmp\cleanup.bat" install"
3⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:2260

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4168

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:2876

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:556

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:1556

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4856

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4068

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:3244

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:476

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:380

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4080

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:1900

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:3784

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:2804

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:208

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:220

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4480

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:3412

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4564

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4524

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4272

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:180

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4076

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:5116

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:1168

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:2076

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4468

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:3568

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:3960

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:3468

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:328

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:1124

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4912

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:2116

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4452

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:3476

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4176

C:\Windows\SysWOW64\regini.exe
regini "permdel.txt"
4⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /F
4⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /F
4⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /F
4⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /F
4⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /F
4⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /F
4⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /F
4⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /F
4⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /F
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:860

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /F
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /F
4⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /F
4⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /F
4⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /F
4⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /F
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /F
4⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /F
4⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /F
4⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /F
4⤵
PID:4276

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Internet Download Manager" /F
4⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /F
4⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /F
4⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /F
4⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /F
4⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /F
4⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /F
4⤵
PID:504

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /F
4⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /F
4⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /F
4⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /F
4⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /F
4⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /F
4⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /F
4⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /F
4⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /F
4⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /F
4⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /F
4⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /F
4⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "FName" /F
4⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "LName" /F
4⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "Email" /F
4⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "Serial" /F
4⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "LstCheck" /F
4⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "CheckUpdtVM" /F
4⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "scansk" /F
4⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\DownloadManager" /v "tvfrdt" /F
4⤵
PID:3036

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\settings.reg"
3⤵
- Runs .reg file with regedit
PID:4636

C:\Windows\SysWOW64\Rundll32.exe
"Rundll32.exe" "C:\Program Files (x86)\Internet Download Manager\KGIDM.dll" GEN
3⤵
- Loads dropped DLL
PID:2016

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4968

C:\Windows\system32\RUNDLL32.EXE
"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
4⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:3216

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
- Checks processor information in registry
PID:1580

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:768

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
PID:4576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:2792

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
PID:3532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:3504

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
PID:4200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:2876

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
PID:1260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:4148

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
PID:4360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:4456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
PID:2080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:2460

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
4⤵
- Loads dropped DLL
PID:3828

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:4448

C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
"C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:800

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /f /im IDMan.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\is-6OS1C.tmp\rname.reg"
3⤵
- Runs .reg file with regedit
PID:216

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\settings.reg"
3⤵
- Runs .reg file with regedit
PID:3792

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:876

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
4⤵
- Loads dropped DLL
PID:4388

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4344

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
4⤵
- Loads dropped DLL
PID:4484

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2004

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
4⤵
- Loads dropped DLL
PID:4636

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:472

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Windows\system32\RUNDLL32.EXE
"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
5⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:3096

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
6⤵
- Checks processor information in registry
PID:3524

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
7⤵
PID:4752

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
5⤵
PID:3352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
6⤵
PID:1316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
5⤵
PID:1408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
6⤵
PID:4336

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
5⤵
PID:4188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
6⤵
PID:2096

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
5⤵
PID:1296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
6⤵
PID:4516

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
5⤵
PID:1460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
6⤵
PID:3348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
5⤵
PID:3580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
6⤵
PID:504

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
5⤵
- Loads dropped DLL
PID:4456

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
6⤵
- Loads dropped DLL
PID:3600

C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe
"C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe"
4⤵
- Executes dropped EXE
PID:476

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /onboot
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:660

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
4⤵
- Loads dropped DLL
PID:4564

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:4968

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
4⤵
- Loads dropped DLL
PID:1320

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4820

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
4⤵
- Loads dropped DLL
PID:4344

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:508

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
4⤵
- Loads dropped DLL
PID:3052

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:1816

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
4⤵
- Loads dropped DLL
PID:4372

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{b32f2497-0769-9043-9bf9-7d67f13f0d50}\idmwfp.inf" "9" "4fc2928b3" "000000000000014C" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files (x86)\Internet Download Manager"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4368

C:\Windows\system32\DrvInst.exe
DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.inf" "0" "4fc2928b3" "0000000000000164" "WinSta0\Default"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\system32\DrvInst.exe
DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.inf" "0" "4fc2928b3" "0000000000000158" "WinSta0\Default"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\DrvInst.exe
DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.inf" "0" "4fc2928b3" "0000000000000164" "WinSta0\Default"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\system32\DrvInst.exe
DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.inf" "0" "4fc2928b3" "0000000000000164" "WinSta0\Default"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" -Embedding
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\system32\RUNDLL32.EXE
"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
PID:232

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
PID:856

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:4028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:1648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:5036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:768

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:3520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:412

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:2140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:3532

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:4704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:4944

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:4276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:1636

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
3⤵
- Loads dropped DLL
PID:4160

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3540

C:\Windows\system32\RUNDLL32.EXE
"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
3⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:1276

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
PID:1968

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
PID:3160

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:3104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:4188

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:4156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:4384

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:4588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:4856

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:4160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:3672

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:4540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:476

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:3628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:4804

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
3⤵
- Loads dropped DLL
PID:1488

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:2960

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
2⤵
PID:4724

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
3⤵
- Registers COM server for autorun
- Modifies registry class
PID:1336

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
2⤵
PID:4432

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
3⤵
- Registers COM server for autorun
- Modifies registry class
PID:1124

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
2⤵
PID:648

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
3⤵
- Registers COM server for autorun
- Modifies registry class
PID:3304

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
2⤵
PID:2032

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
3⤵
- Registers COM server for autorun
- Modifies registry class
PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery