6959f960cf3bf083d2e24068fc1841c81245352554d4ab53b65d826284ce2688

System Information Discovery

Processes:

Uninstall.exeIDMan.exeUninstall.exeIDMan.exeUninstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Uninstall.exe

Executes dropped EXE 10 IoCs

Processes:

idmBroker.exeUninstall.exeIDMan.exeIDMIntegrator64.exeUninstall.exeIDMan.exeIDMan.exeIDMan.exeIDMan.exeUninstall.exe

pid	process
528	idmBroker.exe
2756	Uninstall.exe
1580	IDMan.exe
3796	IDMIntegrator64.exe
4880	Uninstall.exe
3564	IDMan.exe
2532	IDMan.exe
1492	IDMan.exe
3884	IDMan.exe
2840	Uninstall.exe

Loads dropped DLL 64 IoCs

Processes:

Internet.Download.Manager.v6.41.11.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeIDMan.exeIDMIntegrator64.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeIDMan.exeIDMan.exeIDMan.exeIDMan.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
1320	Internet.Download.Manager.v6.41.11.exe
1320	Internet.Download.Manager.v6.41.11.exe
1320	Internet.Download.Manager.v6.41.11.exe
1320	Internet.Download.Manager.v6.41.11.exe
3588	regsvr32.exe
2272	regsvr32.exe
1320	Internet.Download.Manager.v6.41.11.exe
4264	regsvr32.exe
3820	regsvr32.exe
1320	Internet.Download.Manager.v6.41.11.exe
2096	regsvr32.exe
4840	regsvr32.exe
1320	Internet.Download.Manager.v6.41.11.exe
1108	regsvr32.exe
1244	regsvr32.exe
1320	Internet.Download.Manager.v6.41.11.exe
1320	Internet.Download.Manager.v6.41.11.exe
3156
3156
2140	regsvr32.exe
1320	Internet.Download.Manager.v6.41.11.exe
3360	regsvr32.exe
1320	Internet.Download.Manager.v6.41.11.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
3796	IDMIntegrator64.exe
3796	IDMIntegrator64.exe
2516	regsvr32.exe
3796	IDMIntegrator64.exe
3796	IDMIntegrator64.exe
3796	IDMIntegrator64.exe
1656	regsvr32.exe
3156
4848	regsvr32.exe
428	regsvr32.exe
2400	regsvr32.exe
2004	regsvr32.exe
3948	regsvr32.exe
2132	regsvr32.exe
4840	regsvr32.exe
1036	regsvr32.exe
4984	regsvr32.exe
2580	regsvr32.exe
1580	IDMan.exe
3564	IDMan.exe
2532	IDMan.exe
1492	IDMan.exe
1320	Internet.Download.Manager.v6.41.11.exe
1320	Internet.Download.Manager.v6.41.11.exe
3884	IDMan.exe
3884	IDMan.exe
3884	IDMan.exe
3884	IDMan.exe
3884	IDMan.exe
4648	regsvr32.exe
3248	regsvr32.exe
3156
2956	regsvr32.exe
1940	regsvr32.exe
4580	regsvr32.exe
3748	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeIDMIntegrator64.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	IDMIntegrator64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	IDMIntegrator64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment"	IDMIntegrator64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment"	IDMIntegrator64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	IDMIntegrator64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32	IDMIntegrator64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	IDMIntegrator64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll"	regsvr32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

RUNDLL32.EXERUNDLL32.EXEIDMan.exeRUNDLL32.EXEIDMan.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe /onboot"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	IDMan.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

IDMan.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA IDMan.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IDMan.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

IDMan.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMan.exe

Drops file in System32 directory 15 IoCs

Processes:

DrvInst.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\{0dc67e32-8b9e-494f-9a4f-d0b4c2bccf54}\SET984E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0dc67e32-8b9e-494f-9a4f-d0b4c2bccf54}\SET984F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dc67e32-8b9e-494f-9a4f-d0b4c2bccf54}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0dc67e32-8b9e-494f-9a4f-d0b4c2bccf54}\SET984D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dc67e32-8b9e-494f-9a4f-d0b4c2bccf54}\idmwfp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dc67e32-8b9e-494f-9a4f-d0b4c2bccf54}\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dc67e32-8b9e-494f-9a4f-d0b4c2bccf54}\SET984D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dc67e32-8b9e-494f-9a4f-d0b4c2bccf54}\SET984E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dc67e32-8b9e-494f-9a4f-d0b4c2bccf54}\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0dc67e32-8b9e-494f-9a4f-d0b4c2bccf54}\SET984F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.inf	DrvInst.exe

Drops file in Program Files directory 64 IoCs

Processes:

Internet.Download.Manager.v6.41.11.exeIDMan.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_hi.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_bg.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\defexclist.txt	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp.inf	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\libcrypto.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_de.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ua.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_sr.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMFType64.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmcchandler2.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmmkb.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_nl.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_cht.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_hi.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_sr.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_de.txt	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMEdgeExt.crx	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMVMPrs.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\libssl.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_chn2.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_nl.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_sk.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_th.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_cz.txt	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ar.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ru.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_am.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_id.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat\PureFlat_Larg.bmp	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\grabber_ru.chm	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ptbr.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_tr.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_pl.txt	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_cht.txt	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmbrbtn64.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp64.sys	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_be.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_fa.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_th.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ar.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_cz.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_pl.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmfsa.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmindex.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_es.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_jp.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ba.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ptbr.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_kr.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_mn.lng	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\grabber.chm	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc7.dll	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_id.txt	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_jp.txt	Internet.Download.Manager.v6.41.11.exe
File opened for modification	C:\Program Files (x86)\Internet Download Manager\idmcchandler2.dll	IDMan.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_gr.txt	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_tr.txt	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi.inf	Internet.Download.Manager.v6.41.11.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ru.chm	Internet.Download.Manager.v6.41.11.exe

Drops file in Windows directory 10 IoCs

Processes:

RUNDLL32.EXERUNDLL32.EXEDrvInst.exeDrvInst.exesvchost.exeDrvInst.exeDrvInst.exeRUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

svchost.exeDrvInst.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

reg.exerunonce.exerunonce.exerunonce.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	reg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	reg.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Delays execution with timeout.exe 25 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3736	timeout.exe
3520	timeout.exe
1656	timeout.exe
4116	timeout.exe
1744	timeout.exe
4016	timeout.exe
3012	timeout.exe
2044	timeout.exe
1328	timeout.exe
660	timeout.exe
1864	timeout.exe
616	timeout.exe
4428	timeout.exe
4800	timeout.exe
4716	timeout.exe
4100	timeout.exe
3152	timeout.exe
2536	timeout.exe
2860	timeout.exe
3248	timeout.exe
2852	timeout.exe
5004	timeout.exe
4312	timeout.exe
3188	timeout.exe
4992	timeout.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1476 tasklist.exe
3556 tasklist.exe
3780 tasklist.exe
2196 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4904 taskkill.exe

pid	process
1476	tasklist.exe
3556	tasklist.exe
3780	tasklist.exe
2196	tasklist.exe

pid	process
4904	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

Processes:

IDMan.exeIDMan.exeidmBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe"	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights	idmBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3"	idmBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

IDMan.exeIDMIntegrator64.exeIDMan.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeidmBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDManTypeInfo.tlb"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\Version = "1.0"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\NumMethods\ = "12"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\ = "IDMDwnlMgr Class"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	IDMIntegrator64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CLSID\ = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage.1\ = "IDMHelperLinksStorage Class"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Programmable	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\VersionIndependentProgID\ = "IDMIECC.IDMHelperLinksStorage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM.dll, 101"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ = "IIDMEFSAgent"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CurVer\ = "Idmfsa.IDMEFSAgent.1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID	IDMIntegrator64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Programmable	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Programmable	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\ = "V2LinkProcessor Class"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\ = "IDMHelperLinksStorage Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\TypeLib\ = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus	IDMIntegrator64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor.1\ = "VLinkProcessor Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\ProxyStubClsid32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Internet Download Manager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID\ = "IDMIECC.IDMIEHlprObj.1"	IDMIntegrator64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1	IDMIntegrator64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1\CLSID\ = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	IDMIntegrator64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\VersionIndependentProgID\ = "Idmfsa.IDMEFSAgent"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	IDMIntegrator64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib\ = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib	regsvr32.exe

Modifies registry key 1 TTPs 33 IoCs

Modify Registry

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1588	reg.exe
3396	reg.exe
2568	reg.exe
32	reg.exe
3016	reg.exe
1860	reg.exe
4420	reg.exe
528	reg.exe
1724	reg.exe
2536	reg.exe
3188	reg.exe
4484	reg.exe
1000	reg.exe
4804	reg.exe
1596	reg.exe
2672	reg.exe
3328	reg.exe
4144	reg.exe
3644	reg.exe
3820	reg.exe
2276	reg.exe
4776	reg.exe
4540	reg.exe
532	reg.exe
1580	reg.exe
1744	reg.exe
3940	reg.exe
1348	reg.exe
1488	reg.exe
1488	reg.exe
2012	reg.exe
4880	reg.exe
4596	reg.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

IDMan.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IDMan.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	IDMan.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IDMan.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IDMan.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4248 PING.EXE

pid	process
4248	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
644	powershell.exe
644	powershell.exe
644	powershell.exe
4784	powershell.exe
4784	powershell.exe
3188	powershell.exe
3188	powershell.exe
3188	powershell.exe
4908	powershell.exe
4908	powershell.exe
4908	powershell.exe
3108	powershell.exe
3108	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

IDMan.exeIDMan.exe

pid process

1580 IDMan.exe
3884 IDMan.exe
Suspicious behavior: LoadsDriver 18 IoCs

Processes:

pid process

648
648
648
648
648
648
648
648
648
648
648
648
648
648
648
648
648
648

pid	process
648
648
648
648
648
648
648
648
648
648
648
648
648
648
648
648
648
648

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

svchost.exeDrvInst.exetasklist.exepowershell.exetasklist.exepowershell.exetasklist.exeIDMan.exeDrvInst.exepowershell.exepowershell.exetasklist.exetaskkill.exepowershell.exeDrvInst.exeIDMan.exe

description	pid	process
Token: SeAuditPrivilege	4244	svchost.exe
Token: SeSecurityPrivilege	4244	svchost.exe
Token: SeRestorePrivilege	2532	DrvInst.exe
Token: SeBackupPrivilege	2532	DrvInst.exe
Token: SeDebugPrivilege	1476	tasklist.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	3556	tasklist.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3780	tasklist.exe
Token: SeRestorePrivilege	1580	IDMan.exe
Token: SeRestorePrivilege	2400	DrvInst.exe
Token: SeBackupPrivilege	2400	DrvInst.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	2196	tasklist.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeRestorePrivilege	4008	DrvInst.exe
Token: SeBackupPrivilege	4008	DrvInst.exe
Token: SeBackupPrivilege	3884	IDMan.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

IDMan.exeIDMan.exe

pid process

1580 IDMan.exe
1580 IDMan.exe
1580 IDMan.exe
1580 IDMan.exe
1580 IDMan.exe
3884 IDMan.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

IDMan.exeIDMan.exe

pid process

1580 IDMan.exe
3884 IDMan.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

IDMan.exeIDMIntegrator64.exeUninstall.exeIDMan.exe

pid	process
1580	IDMan.exe
1580	IDMan.exe
3796	IDMIntegrator64.exe
3796	IDMIntegrator64.exe
4880	Uninstall.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
1580	IDMan.exe
3884	IDMan.exe
3884	IDMan.exe
3884	IDMan.exe
3884	IDMan.exe
3884	IDMan.exe
3884	IDMan.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeInternet.Download.Manager.v6.41.11.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeUninstall.exesvchost.exeRUNDLL32.EXErunonce.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4496 wrote to memory of 548	4496	cmd.exe	mode.com
PID 4496 wrote to memory of 548	4496	cmd.exe	mode.com
PID 4496 wrote to memory of 1320	4496	cmd.exe	Internet.Download.Manager.v6.41.11.exe
PID 4496 wrote to memory of 1320	4496	cmd.exe	Internet.Download.Manager.v6.41.11.exe
PID 4496 wrote to memory of 1320	4496	cmd.exe	Internet.Download.Manager.v6.41.11.exe
PID 1320 wrote to memory of 3588	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 1320 wrote to memory of 3588	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 1320 wrote to memory of 3588	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 3588 wrote to memory of 2272	3588	regsvr32.exe	regsvr32.exe
PID 3588 wrote to memory of 2272	3588	regsvr32.exe	regsvr32.exe
PID 1320 wrote to memory of 4264	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 1320 wrote to memory of 4264	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 1320 wrote to memory of 4264	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 4264 wrote to memory of 3820	4264	regsvr32.exe	regsvr32.exe
PID 4264 wrote to memory of 3820	4264	regsvr32.exe	regsvr32.exe
PID 1320 wrote to memory of 2096	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 1320 wrote to memory of 2096	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 1320 wrote to memory of 2096	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 2096 wrote to memory of 4840	2096	regsvr32.exe	regsvr32.exe
PID 2096 wrote to memory of 4840	2096	regsvr32.exe	regsvr32.exe
PID 1320 wrote to memory of 1108	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 1320 wrote to memory of 1108	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 1320 wrote to memory of 1108	1320	Internet.Download.Manager.v6.41.11.exe	regsvr32.exe
PID 1108 wrote to memory of 1244	1108	regsvr32.exe	regsvr32.exe
PID 1108 wrote to memory of 1244	1108	regsvr32.exe	regsvr32.exe
PID 1320 wrote to memory of 528	1320	Internet.Download.Manager.v6.41.11.exe	idmBroker.exe
PID 1320 wrote to memory of 528	1320	Internet.Download.Manager.v6.41.11.exe	idmBroker.exe
PID 1320 wrote to memory of 528	1320	Internet.Download.Manager.v6.41.11.exe	idmBroker.exe
PID 1320 wrote to memory of 2756	1320	Internet.Download.Manager.v6.41.11.exe	Uninstall.exe
PID 1320 wrote to memory of 2756	1320	Internet.Download.Manager.v6.41.11.exe	Uninstall.exe
PID 1320 wrote to memory of 2756	1320	Internet.Download.Manager.v6.41.11.exe	Uninstall.exe
PID 2756 wrote to memory of 3396	2756	Uninstall.exe	RUNDLL32.EXE
PID 2756 wrote to memory of 3396	2756	Uninstall.exe	RUNDLL32.EXE
PID 4244 wrote to memory of 2276	4244	svchost.exe	DrvInst.exe
PID 4244 wrote to memory of 2276	4244	svchost.exe	DrvInst.exe
PID 4244 wrote to memory of 2532	4244	svchost.exe	DrvInst.exe
PID 4244 wrote to memory of 2532	4244	svchost.exe	DrvInst.exe
PID 3396 wrote to memory of 1712	3396	RUNDLL32.EXE	runonce.exe
PID 3396 wrote to memory of 1712	3396	RUNDLL32.EXE	runonce.exe
PID 1712 wrote to memory of 2824	1712	runonce.exe	grpconv.exe
PID 1712 wrote to memory of 2824	1712	runonce.exe	grpconv.exe
PID 2756 wrote to memory of 3520	2756	Uninstall.exe	net.exe
PID 2756 wrote to memory of 3520	2756	Uninstall.exe	net.exe
PID 2756 wrote to memory of 3520	2756	Uninstall.exe	net.exe
PID 3520 wrote to memory of 1744	3520	net.exe	net1.exe
PID 3520 wrote to memory of 1744	3520	net.exe	net1.exe
PID 3520 wrote to memory of 1744	3520	net.exe	net1.exe
PID 2756 wrote to memory of 1584	2756	Uninstall.exe	net.exe
PID 2756 wrote to memory of 1584	2756	Uninstall.exe	net.exe
PID 2756 wrote to memory of 1584	2756	Uninstall.exe	net.exe
PID 1584 wrote to memory of 4480	1584	net.exe	net1.exe
PID 1584 wrote to memory of 4480	1584	net.exe	net1.exe
PID 1584 wrote to memory of 4480	1584	net.exe	net1.exe
PID 2756 wrote to memory of 4580	2756	Uninstall.exe	net.exe
PID 2756 wrote to memory of 4580	2756	Uninstall.exe	net.exe
PID 2756 wrote to memory of 4580	2756	Uninstall.exe	net.exe
PID 4580 wrote to memory of 4248	4580	net.exe	net1.exe
PID 4580 wrote to memory of 4248	4580	net.exe	net1.exe
PID 4580 wrote to memory of 4248	4580	net.exe	net1.exe
PID 2756 wrote to memory of 1596	2756	Uninstall.exe	net.exe
PID 2756 wrote to memory of 1596	2756	Uninstall.exe	net.exe
PID 2756 wrote to memory of 1596	2756	Uninstall.exe	net.exe
PID 1596 wrote to memory of 3636	1596	net.exe	net1.exe
PID 1596 wrote to memory of 3636	1596	net.exe	net1.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\INSTALL ENG.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\system32\mode.com
mode con:cols=100 lines=15
2⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\Internet.Download.Manager.v6.41.11.exe
"C:\Users\Admin\AppData\Local\Temp\Internet.Download.Manager.v6.41.11.exe" /S /EN
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2272

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3820

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4840

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:1244

C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
"C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
PID:528

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\system32\RUNDLL32.EXE
"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
4⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:2824

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:1744

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:4480

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:4248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:3636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
PID:992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:1228

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
4⤵
PID:1244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
5⤵
PID:4996

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
4⤵
- Loads dropped DLL
PID:2140

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsn76BD.tmp\Activate.cmd" /res"
3⤵
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsn76BD.tmp\Activate.cmd" /res"
4⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
5⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
5⤵
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
6⤵
PID:4336

C:\Windows\System32\cmd.exe
cmd
6⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\DownloadManager" /v ExePath 2>nul
5⤵
PID:2148

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" /v ExePath
6⤵
PID:2244

C:\Windows\System32\reg.exe
reg query HKU\S-1-5-19
5⤵
PID:2912

C:\Windows\System32\reg.exe
reg query "HKLM\Hardware\Description\System\CentralProcessor\0" /v "Identifier"
5⤵
- Checks processor information in registry
PID:2040

C:\Windows\System32\find.exe
find /i "x86"
5⤵
PID:3388

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "Serial"
5⤵
PID:3188

C:\Windows\System32\tasklist.exe
tasklist /fi "imagename eq idman.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\findstr.exe
findstr /i "idman.exe"
5⤵
PID:3788

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "FName"
5⤵
PID:2276

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "FName" /f
5⤵
PID:3688

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LName"
5⤵
PID:4848

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "LName" /f
5⤵
PID:2856

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "Email"
5⤵
PID:3512

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "Email" /f
5⤵
PID:2004

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "Serial"
5⤵
PID:1712

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "Serial" /f
5⤵
PID:3880

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "scansk"
5⤵
PID:4312

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
5⤵
PID:1136

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
5⤵
PID:4424

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
5⤵
PID:2104

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "LstCheck" /f
5⤵
PID:2664

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
5⤵
PID:4716

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
5⤵
PID:1388

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
5⤵
PID:4480

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /f
5⤵
PID:4828

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID
5⤵
- Modifies registry key
PID:532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "(gc C:\Windows\Temp\regdata.txt) -replace 'HKEY_CURRENT_USER', 'HKCU' | Out-File -encoding ASCII C:\Windows\Temp\regdata.txt"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {018D5C66-4533-4307-9B53-224DE2ED1FE6}"
5⤵
PID:2580

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:3636

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
5⤵
- Modifies registry key
PID:1596

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}"
5⤵
PID:2772

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:444

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}
5⤵
- Modifies registry key
PID:2012

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}"
5⤵
PID:3736

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:1128

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}
5⤵
- Modifies registry key
PID:2672

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {20894375-46AE-46E2-BAFD-CB38975CDCE6}"
5⤵
PID:2956

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:3472

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}
5⤵
- Modifies registry key
PID:3328

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"
5⤵
PID:2936

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:676

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}
5⤵
- Modifies registry key
PID:2536

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {389510b7-9e58-40d7-98bf-60b911cb0ea9}"
5⤵
PID:4760

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:4172

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}
5⤵
- Modifies registry key
PID:4420

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"
5⤵
PID:5024

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:5032

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}
5⤵
- Modifies registry key
PID:3644

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}"
5⤵
PID:1544

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:3780

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}
5⤵
- Modifies registry key
PID:1580

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {5999E1EE-711E-48D2-9884-851A709F543D}"
5⤵
PID:2040

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:4800

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}
5⤵
- Modifies registry key
PID:3188

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {5AB7172C-9C11-405C-8DD5-AF20F3606282}"
5⤵
PID:5088

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:3248

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}
5⤵
- Modifies registry key
PID:4484

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}"
5⤵
PID:2532

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:1360

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}
5⤵
- Modifies registry key
PID:1000

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}"
5⤵
PID:1656

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:1712

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}
5⤵
- Modifies registry key
PID:2568

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {7AFDFDDB-F914-11E4-8377-6C3BE50D980C}"
5⤵
PID:1172

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:3520

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}
5⤵
- Modifies registry key
PID:1744

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {7B37E4E2-C62F-4914-9620-8FB5062718CC}"
5⤵
PID:3048

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:1388

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}
5⤵
- Modifies registry key
PID:4880

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}"
5⤵
PID:4384

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:3416

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}
5⤵
- Modifies registry key
PID:32

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {917E8742-AA3B-7318-FA12-10485FB322A2}"
5⤵
PID:216

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:1524

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}
5⤵
- Modifies registry key
PID:3016

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {94269C4E-071A-4116-90E6-52E557067E4E}"
5⤵
PID:4724

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:1364

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}
5⤵
- Modifies registry key
PID:3940

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {9489FEB2-1925-4D01-B788-6D912C70F7F2}"
5⤵
PID:2584

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:4264

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}
5⤵
- Modifies registry key
PID:3820

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {9AA2F32D-362A-42D9-9328-24A483E2CCC3}"
5⤵
PID:4920

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:1324

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}
5⤵
- Modifies registry key
PID:4776

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
5⤵
PID:4196

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:4240

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}
5⤵
- Modifies registry key
PID:528

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}"
5⤵
PID:3220

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:5000

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}
5⤵
- Modifies registry key
PID:3396

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {A78ED123-AB77-406B-9962-2A5D9D2F7F30}"
5⤵
PID:2060

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:848

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}
5⤵
- Modifies registry key
PID:4596

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {A926714B-7BFC-4D08-A035-80021395FFA8}"
5⤵
PID:3564

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:4144

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}
5⤵
- Modifies registry key
PID:1588

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {AB807329-7324-431B-8B36-DBD581F56E0B}"
5⤵
PID:5052

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:1160

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}
5⤵
- Modifies registry key
PID:1488

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {BBACC218-34EA-4666-9D7A-C78F2274A524}"
5⤵
PID:2888

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:460

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}
5⤵
- Modifies registry key
PID:1724

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}"
5⤵
PID:2940

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:3388

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}
5⤵
- Modifies registry key
PID:4804

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"
5⤵
PID:3788

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:3964

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}
5⤵
- Modifies registry key
PID:2276

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo {F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
5⤵
PID:2856

C:\Windows\System32\findstr.exe
findstr /r "{.*-.*-.*-.*-.*}"
5⤵
PID:1476

C:\Windows\System32\reg.exe
reg query HKCU\Software\Classes\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}
5⤵
- Modifies registry key
PID:4540

C:\Windows\System32\findstr.exe
findstr /i "LocalServer32 InProcServer32 InProcHandler32"
5⤵
PID:1252

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
5⤵
PID:3040

C:\Windows\System32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsn76BD.tmp\Activate.cmd" /act"
3⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsn76BD.tmp\Activate.cmd" /act"
4⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
5⤵
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
5⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
6⤵
PID:4400

C:\Windows\System32\cmd.exe
cmd
6⤵
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\DownloadManager" /v ExePath 2>nul
5⤵
PID:4012

C:\Windows\System32\reg.exe
reg query HKU\S-1-5-19
5⤵
PID:1672

C:\Windows\System32\reg.exe
reg query "HKLM\Hardware\Description\System\CentralProcessor\0" /v "Identifier"
5⤵
- Checks processor information in registry
PID:1696

C:\Windows\System32\find.exe
find /i "x86"
5⤵
PID:3588

C:\Windows\System32\PING.EXE
ping -n 1 internetdownloadmanager.com
5⤵
- Runs ping.exe
PID:4248

C:\Windows\System32\tasklist.exe
tasklist /fi "imagename eq idman.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\System32\findstr.exe
findstr /i "idman.exe"
5⤵
PID:1364

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "FName"
5⤵
PID:4876

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LName"
5⤵
PID:2584

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "Email"
5⤵
PID:4852

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "Serial"
5⤵
PID:3820

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "scansk"
5⤵
PID:3348

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
5⤵
PID:4920

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
5⤵
PID:1796

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
5⤵
PID:4776

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
5⤵
PID:2700

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
5⤵
PID:4196

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
5⤵
PID:388

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /f
5⤵
PID:528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "(gc C:\Windows\Temp\regdata.txt) -replace 'HKEY_CURRENT_USER', 'HKCU' | Out-File -encoding ASCII C:\Windows\Temp\regdata.txt"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
5⤵
PID:1064

C:\Windows\System32\reg.exe
reg add HKCU\SOFTWARE\DownloadManager /v FName /t REG_SZ /d "Tonec FZE"
5⤵
- Modifies registry key
PID:4144

C:\Windows\System32\reg.exe
reg add HKCU\SOFTWARE\DownloadManager /v LName /t REG_SZ /d ""
5⤵
- Modifies registry key
PID:1348

C:\Windows\System32\reg.exe
reg add HKCU\SOFTWARE\DownloadManager /v Email /t REG_SZ /d "info@tonec.com"
5⤵
- Modifies registry key
PID:1860

C:\Windows\System32\reg.exe
reg add HKCU\SOFTWARE\DownloadManager /v Serial /t REG_SZ /d "FOX6H-3KWH4-7TSIN-Q4US7"
5⤵
- Modifies registry key
PID:1488

C:\Windows\System32\findstr.exe
findstr /i "idman.exe"
5⤵
PID:1140

C:\Windows\System32\tasklist.exe
tasklist /fi "imagename eq idman.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/images/idm_box_min.png" /p "C:\Windows\Temp" /f temp.png
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
6⤵
- Loads dropped DLL
PID:2516

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
7⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:1656

C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe
"C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe" -runcm
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Windows\system32\RUNDLL32.EXE
"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
7⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:532

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
8⤵
- Checks processor information in registry
PID:1696

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
9⤵
PID:4840

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
7⤵
PID:4252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
8⤵
PID:2404

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
7⤵
PID:3728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
8⤵
PID:4904

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
7⤵
PID:3472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
8⤵
PID:3564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
7⤵
PID:1588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
8⤵
PID:4608

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
7⤵
PID:2264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
8⤵
PID:3388

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
7⤵
PID:3964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
8⤵
PID:4544

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
7⤵
- Loads dropped DLL
PID:4848

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
8⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:428

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
6⤵
- Loads dropped DLL
PID:2400

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
7⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:3948

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
6⤵
- Loads dropped DLL
PID:2004

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4840

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
6⤵
- Loads dropped DLL
PID:2132

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1036

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
6⤵
- Loads dropped DLL
PID:4984

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2580

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:4800

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:3188

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:4016

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:3012

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:3736

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:2536

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:4992

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:2044

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:3248

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:2852

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:2860

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:1328

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:3520

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:4716

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:4100

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:1656

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:5004

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:3152

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/pictures/fserial.png" /p "C:\Windows\Temp" /f temp.png
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3564

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:660

C:\Windows\System32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "(gc C:\Windows\Temp\regdata.txt) -replace 'HKEY_CURRENT_USER', 'HKCU' | Out-File -encoding ASCII C:\Windows\Temp\regdata.txt"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/pictures/idm_about.png" /p "C:\Windows\Temp" /f temp.png
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:1864

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/languages/indian.png" /p "C:\Windows\Temp" /f temp.png
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492

C:\Windows\System32\timeout.exe
timeout /t 1
5⤵
- Delays execution with timeout.exe
PID:1744

C:\Windows\System32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "(gc C:\Windows\Temp\regdata.txt) -replace 'HKEY_CURRENT_USER', 'HKCU' | Out-File -encoding ASCII C:\Windows\Temp\regdata.txt"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\System32\findstr.exe
findstr /i "idman.exe"
5⤵
PID:620

C:\Windows\System32\tasklist.exe
tasklist /fi "imagename eq idman.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\System32\taskkill.exe
taskkill /f /im idman.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "FName"
5⤵
PID:4760

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "FName" /f
5⤵
PID:3736

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LName"
5⤵
PID:676

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "LName" /f
5⤵
PID:4656

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "Email"
5⤵
PID:1364

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "Email" /f
5⤵
PID:3400

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "Serial"
5⤵
PID:3516

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "Serial" /f
5⤵
PID:4988

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "scansk"
5⤵
PID:5000

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
5⤵
PID:1576

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
5⤵
PID:2676

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "radxcnt" /f
5⤵
PID:5056

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
5⤵
PID:4420

C:\Windows\System32\reg.exe
reg delete "HKCU\Software\DownloadManager" "/v" "LstCheck" /f
5⤵
PID:368

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
5⤵
PID:3780

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
5⤵
PID:2044

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
5⤵
PID:2940

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /f
5⤵
PID:460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "(gc C:\Windows\Temp\regdata.txt) -replace 'HKEY_CURRENT_USER', 'HKCU' | Out-File -encoding ASCII C:\Windows\Temp\regdata.txt"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
5⤵
PID:1712

C:\Windows\System32\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{9c4d8b15-3124-e042-8eb6-965c6f9e6029}\idmwfp.inf" "9" "4fc2928b3" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files (x86)\Internet Download Manager"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2276

C:\Windows\system32\DrvInst.exe
DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.inf" "0" "4fc2928b3" "0000000000000160" "WinSta0\Default"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\DrvInst.exe
DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.inf" "0" "4fc2928b3" "0000000000000180" "WinSta0\Default"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\DrvInst.exe
DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_1245af3f626dcbc0\idmwfp.inf" "0" "4fc2928b3" "0000000000000184" "WinSta0\Default"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\System32\reg.exe
reg query "HKCU\Software\DownloadManager" /v ExePath
1⤵
PID:3732

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2840

C:\Windows\system32\RUNDLL32.EXE
"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
3⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:4264

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
PID:4248

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
PID:388

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:1252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:4852

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:1584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:1064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:4944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:4916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:5028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:4268

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:4800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:1724

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" start IDMWFP
3⤵
PID:660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start IDMWFP
4⤵
PID:2888

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
3⤵
- Loads dropped DLL
PID:4648

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:3248

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
2⤵
- Loads dropped DLL
PID:2956

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
3⤵
PID:2664

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
2⤵
- Loads dropped DLL
PID:1940

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3748

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
2⤵
- Loads dropped DLL
PID:4580

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
3⤵
- Registers COM server for autorun
PID:1812

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
2⤵
PID:1404

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
3⤵
- Registers COM server for autorun
- Modifies registry class
PID:180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery