39d8e8864bffd66e9dfb9dbde800bab761bba47c7c7007d50a7b37d80d5cd58d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	IDM1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Uninstall.exe

Executes dropped EXE 14 IoCs

pid	Process
5716	idman642build3.exe
4696	IDM1.tmp
5560	idmBroker.exe
3744	IDMan.exe
2044	Uninstall.exe
4900	MediumILStart.exe
1216	IDMan.exe
5184	Uninstall.exe
5136	IDMan.exe
3820	IDMIntegrator64.exe
1320	Uninstall.exe
6064	IDMan.exe
5984	IDMan.exe
5692	Uninstall.exe

Loads dropped DLL 64 IoCs

pid	Process
4696	IDM1.tmp
4696	IDM1.tmp
4696	IDM1.tmp
4696	IDM1.tmp
5680	regsvr32.exe
5608	regsvr32.exe
316	regsvr32.exe
3600	regsvr32.exe
5396	regsvr32.exe
2316	regsvr32.exe
3744	IDMan.exe
3744	IDMan.exe
3744	IDMan.exe
3744	IDMan.exe
3744	IDMan.exe
5684	regsvr32.exe
5916	regsvr32.exe
4168	regsvr32.exe
3584	regsvr32.exe
5112	regsvr32.exe
2620	regsvr32.exe
5788	regsvr32.exe
5892	regsvr32.exe
3508	Process not Found
3508	Process not Found
872	regsvr32.exe
4020	regsvr32.exe
1216	IDMan.exe
1216	IDMan.exe
1216	IDMan.exe
1216	IDMan.exe
1216	IDMan.exe
6000	regsvr32.exe
5344	regsvr32.exe
3496	regsvr32.exe
812	regsvr32.exe
1216	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
3820	IDMIntegrator64.exe
3820	IDMIntegrator64.exe
3820	IDMIntegrator64.exe
3820	IDMIntegrator64.exe
5624	regsvr32.exe
4864	regsvr32.exe
5136	IDMan.exe
3508	Process not Found
6076	regsvr32.exe
6028	regsvr32.exe
6036	regsvr32.exe
528	regsvr32.exe
3208	regsvr32.exe
4192	regsvr32.exe
6044	regsvr32.exe
4804	regsvr32.exe
5136	IDMan.exe
6064	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment"	IDMIntegrator64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	IDMIntegrator64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	IDMIntegrator64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe /onboot"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IDMan.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IDMan.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDM1.tmp

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{2fd9528e-75c0-9246-b618-15ab1de3c63c}\SETB860.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2fd9528e-75c0-9246-b618-15ab1de3c63c}\SETB860.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2fd9528e-75c0-9246-b618-15ab1de3c63c}\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2fd9528e-75c0-9246-b618-15ab1de3c63c}\idmwfp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2fd9528e-75c0-9246-b618-15ab1de3c63c}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2fd9528e-75c0-9246-b618-15ab1de3c63c}\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2fd9528e-75c0-9246-b618-15ab1de3c63c}\SETB870.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2fd9528e-75c0-9246-b618-15ab1de3c63c}\SETB870.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2fd9528e-75c0-9246-b618-15ab1de3c63c}\SETB871.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2fd9528e-75c0-9246-b618-15ab1de3c63c}\SETB871.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_es.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_nl.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_fa.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_fa.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmindex.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_hu.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMVMPrs.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\libssl.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_sw.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_sr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp32.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_pl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_it.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_cz.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_gu.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmmkb.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmbrbtn64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ua.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmvs.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_pl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmcchandler7.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_mn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\tips.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmbrbtn.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ge.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_mn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_hi.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_dk.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_fa.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_ptbr.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\grabber.chm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IEGetVL.htm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi.inf	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_fr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi.cat	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_id.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_mm.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\oldjsproxy.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\libcrypto.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_it.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_style_3.tbi	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp64.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_pl.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_cht.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_bn.lng	IDM1.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\IDMSetup2.log	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGrHlp.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_tr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_chn2.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_vn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_sk.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_ar.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_tr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_th.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_al.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_id.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_id.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_jp.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_iw.txt	IDM1.tmp

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 14 IoCs

evasion

pid	Process
1768	timeout.exe
4020	timeout.exe
5992	timeout.exe
5064	timeout.exe
5380	timeout.exe
5184	timeout.exe
1976	timeout.exe
3124	timeout.exe
4652	timeout.exe
3752	timeout.exe
2252	timeout.exe
5564	timeout.exe
5500	timeout.exe
2436	timeout.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
5392	tasklist.exe
5140	tasklist.exe
5124	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4812	taskkill.exe
4136	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\Policy = "3"	IDM1.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights	idmBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDM1.tmp

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "\"C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe\""	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll.dll"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\Programmable	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CLSID\ = "{0F947660-8606-420A-BAC6-51B84DD22A47}"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\TypeLib	IDMIntegrator64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}\ProxyStubClsid32\ = "{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj.1\CLSID\ = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\TypeLib	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM integration (IDMIEHlprObj Class)"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\Programmable	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CLSID\ = "{CDD67718-A430-4AB9-A939-83D9074B0038}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj.1\CLSID\ = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CurVer\ = "DownlWithIDM.IDMDwnlMgr.1"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID\ = "IDMIECC.IDMIEHlprObj.1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\Programmable	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ = "VLinkProcessor Class"	IDMIntegrator64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\TypeLib	IDM1.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Elevation	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\ = "IDMAllLinksProcessor Class"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\ = "IDMAllLinksProcessor Class"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\CurVer\ = "IDMIECC.IDMIEHlprObj.1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\ = "LinkProcessor Class"	IDMIntegrator64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID\ = "DownlWithIDM.VLinkProcessor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32\ = "{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\ProxyStubClsid32	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\ = "V2LinkProcessor Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\InProcServer32\ThreadingModel = "Both"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib\ = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID\ = "DownlWithIDM.VLinkProcessor"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CLSID\ = "{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\CurVer\ = "DownlWithIDM.V2LinkProcessor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj.1\ = "IDMIEHlprObj Class"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CurVer\ = "Idmfsa.IDMEFSAgent.1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\ = "ICIDMLinkTransmitter"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CurVer\ = "DownlWithIDM.IDMDwnlMgr.1"	regsvr32.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

pid	Process
5060	reg.exe
4340	reg.exe
5372	reg.exe
1604	reg.exe
3644	reg.exe
3168	reg.exe
3156	reg.exe
5800	reg.exe
5192	reg.exe
6048	reg.exe
3456	reg.exe
3764	reg.exe
2636	reg.exe
5528	reg.exe
3192	reg.exe
3764	reg.exe
2220	reg.exe
3164	reg.exe
4688	reg.exe
2032	reg.exe
3980	reg.exe
1600	reg.exe
332	reg.exe
3756	reg.exe
5188	reg.exe
5772	reg.exe
4116	reg.exe
4460	reg.exe
3980	reg.exe
5772	reg.exe
5612	reg.exe
2496	reg.exe
2292	reg.exe
840	reg.exe
5424	reg.exe
2216	reg.exe
2332	reg.exe
4036	reg.exe
2004	reg.exe
4484	reg.exe
5724	reg.exe
5500	reg.exe
1552	reg.exe
2636	reg.exe
2936	reg.exe
4320	reg.exe
5200	reg.exe
5820	reg.exe
2020	reg.exe
64	reg.exe
5488	reg.exe
5400	reg.exe
1920	reg.exe
2344	reg.exe
1548	reg.exe
5632	reg.exe
5552	reg.exe
3876	reg.exe
4568	reg.exe
4344	reg.exe
64	reg.exe
5472	reg.exe
740	reg.exe
180	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 107039.crdownload:SmartScreen	msedge.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4160	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
396	msedge.exe
396	msedge.exe
4792	msedge.exe
4792	msedge.exe
5252	identity_helper.exe
5252	identity_helper.exe
3708	msedge.exe
3708	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
4320	msedge.exe
4320	msedge.exe
4696	IDM1.tmp
4696	IDM1.tmp
4696	IDM1.tmp
4696	IDM1.tmp
4696	IDM1.tmp
4696	IDM1.tmp
4696	IDM1.tmp
4696	IDM1.tmp
4696	IDM1.tmp
4696	IDM1.tmp
3744	IDMan.exe
3744	IDMan.exe
1216	IDMan.exe
1216	IDMan.exe
740	powershell.exe
740	powershell.exe
5132	powershell.exe
5132	powershell.exe
456	powershell.exe
456	powershell.exe
2692	powershell.exe
2692	powershell.exe
2084	powershell.exe
2084	powershell.exe
4668	powershell.exe
4668	powershell.exe
1956	powershell.exe
1956	powershell.exe
2424	powershell.exe
2424	powershell.exe
852	powershell.exe
852	powershell.exe
4340	powershell.exe
4340	powershell.exe
5820	powershell.exe
5820	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5984	IDMan.exe

Suspicious behavior: LoadsDriver 24 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4696	IDM1.tmp
Token: SeRestorePrivilege	3744	IDMan.exe
Token: SeAuditPrivilege	3180	svchost.exe
Token: SeSecurityPrivilege	3180	svchost.exe
Token: SeRestorePrivilege	5092	DrvInst.exe
Token: SeBackupPrivilege	5092	DrvInst.exe
Token: SeDebugPrivilege	2396	firefox.exe
Token: SeDebugPrivilege	2396	firefox.exe
Token: SeBackupPrivilege	3744	IDMan.exe
Token: SeDebugPrivilege	5344	regsvr32.exe
Token: SeDebugPrivilege	5344	regsvr32.exe
Token: SeRestorePrivilege	3028	DrvInst.exe
Token: SeBackupPrivilege	3028	DrvInst.exe
Token: SeDebugPrivilege	5412	RUNDLL32.EXE
Token: SeDebugPrivilege	5412	RUNDLL32.EXE
Token: SeDebugPrivilege	812	regsvr32.exe
Token: SeDebugPrivilege	812	regsvr32.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	5392	tasklist.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	5140	tasklist.exe
Token: SeRestorePrivilege	4568	DrvInst.exe
Token: SeBackupPrivilege	4568	DrvInst.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	5124	tasklist.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeSecurityPrivilege	2084	powershell.exe
Token: SeTakeOwnershipPrivilege	2084	powershell.exe
Token: SeBackupPrivilege	2084	powershell.exe
Token: SeRestorePrivilege	2084	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeSecurityPrivilege	4668	powershell.exe
Token: SeTakeOwnershipPrivilege	4668	powershell.exe
Token: SeBackupPrivilege	4668	powershell.exe
Token: SeRestorePrivilege	4668	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeSecurityPrivilege	1956	powershell.exe
Token: SeTakeOwnershipPrivilege	1956	powershell.exe
Token: SeBackupPrivilege	1956	powershell.exe
Token: SeRestorePrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeSecurityPrivilege	2424	powershell.exe
Token: SeTakeOwnershipPrivilege	2424	powershell.exe
Token: SeBackupPrivilege	2424	powershell.exe
Token: SeRestorePrivilege	2424	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeSecurityPrivilege	852	powershell.exe
Token: SeTakeOwnershipPrivilege	852	powershell.exe
Token: SeBackupPrivilege	852	powershell.exe
Token: SeRestorePrivilege	852	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeSecurityPrivilege	4340	powershell.exe
Token: SeTakeOwnershipPrivilege	4340	powershell.exe
Token: SeBackupPrivilege	4340	powershell.exe
Token: SeRestorePrivilege	4340	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeSecurityPrivilege	5820	powershell.exe
Token: SeTakeOwnershipPrivilege	5820	powershell.exe
Token: SeBackupPrivilege	5820	powershell.exe
Token: SeRestorePrivilege	5820	powershell.exe
Token: SeRestorePrivilege	1320	DrvInst.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
3744	IDMan.exe
1216	IDMan.exe
5136	IDMan.exe
5984	IDMan.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
3744	IDMan.exe
3744	IDMan.exe
2396	firefox.exe
3744	IDMan.exe
3744	IDMan.exe
1216	IDMan.exe
1216	IDMan.exe
5184	Uninstall.exe
1216	IDMan.exe
1216	IDMan.exe
1216	IDMan.exe
1216	IDMan.exe
1216	IDMan.exe
1216	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
3820	IDMIntegrator64.exe
3820	IDMIntegrator64.exe
1320	Uninstall.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5136	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe
5984	IDMan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4444	4244	cmd.exe	92
PID 4244 wrote to memory of 4444	4244	cmd.exe	92
PID 4244 wrote to memory of 4360	4244	cmd.exe	93
PID 4244 wrote to memory of 4360	4244	cmd.exe	93
PID 4360 wrote to memory of 4164	4360	cmd.exe	94
PID 4360 wrote to memory of 4164	4360	cmd.exe	94
PID 4360 wrote to memory of 4664	4360	cmd.exe	95
PID 4360 wrote to memory of 4664	4360	cmd.exe	95
PID 4244 wrote to memory of 4932	4244	cmd.exe	96
PID 4244 wrote to memory of 4932	4244	cmd.exe	96
PID 4932 wrote to memory of 2332	4932	cmd.exe	97
PID 4932 wrote to memory of 2332	4932	cmd.exe	97
PID 4244 wrote to memory of 1984	4244	cmd.exe	98
PID 4244 wrote to memory of 1984	4244	cmd.exe	98
PID 4244 wrote to memory of 1412	4244	cmd.exe	99
PID 4244 wrote to memory of 1412	4244	cmd.exe	99
PID 4244 wrote to memory of 876	4244	cmd.exe	100
PID 4244 wrote to memory of 876	4244	cmd.exe	100
PID 4244 wrote to memory of 4848	4244	cmd.exe	101
PID 4244 wrote to memory of 4848	4244	cmd.exe	101
PID 4244 wrote to memory of 3260	4244	cmd.exe	102
PID 4244 wrote to memory of 3260	4244	cmd.exe	102
PID 3260 wrote to memory of 1604	3260	cmd.exe	103
PID 3260 wrote to memory of 1604	3260	cmd.exe	103
PID 4244 wrote to memory of 4336	4244	cmd.exe	104
PID 4244 wrote to memory of 4336	4244	cmd.exe	104
PID 4336 wrote to memory of 3164	4336	cmd.exe	105
PID 4336 wrote to memory of 3164	4336	cmd.exe	105
PID 4244 wrote to memory of 1744	4244	cmd.exe	106
PID 4244 wrote to memory of 1744	4244	cmd.exe	106
PID 1744 wrote to memory of 4644	1744	cmd.exe	107
PID 1744 wrote to memory of 4644	1744	cmd.exe	107
PID 4244 wrote to memory of 64	4244	cmd.exe	109
PID 4244 wrote to memory of 64	4244	cmd.exe	109
PID 4792 wrote to memory of 3088	4792	msedge.exe	120
PID 4792 wrote to memory of 3088	4792	msedge.exe	120
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121
PID 4792 wrote to memory of 4848	4792	msedge.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Activation.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:4164
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\DownloadManager" /v ExePath 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\DownloadManager" /v ExePath
    3⤵
    PID:2332
- C:\Windows\System32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:1984
- C:\Windows\System32\reg.exe
  reg query "HKLM\Hardware\Description\System\CentralProcessor\0" /v "Identifier"
  2⤵
  - Checks processor information in registry
  PID:1412
- C:\Windows\System32\find.exe
  find /i "x86"
  2⤵
  PID:876
- C:\Windows\System32\mode.com
  mode 90, 30
  2⤵
  PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall
    3⤵
    - Modifies registry key
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall
    3⤵
    - Modifies registry key
    PID:3164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall
    3⤵
    PID:4644
- C:\Windows\System32\choice.exe
  choice /C:123456 /N
  2⤵
  PID:64
- C:\Windows\System32\mode.com
  mode 93, 32
  2⤵
  PID:5920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\PING.EXE
  ping -n 1 internetdownloadmanager.com
  2⤵
  - Runs ping.exe
  PID:4160
- C:\Windows\System32\tasklist.exe
  tasklist /fi "imagename eq idman.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5392
- C:\Windows\System32\findstr.exe
  findstr /i "idman.exe"
  2⤵
  PID:3376
- C:\Windows\System32\taskkill.exe
  taskkill /f /im idman.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "FName"
  2⤵
  PID:2280
- C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "LName"
  2⤵
  PID:4988
- C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "Email"
  2⤵
  PID:4936
- C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "Serial"
  2⤵
  PID:2052
- C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "scansk"
  2⤵
  PID:6004
- C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
  2⤵
  PID:664
- C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
  2⤵
  PID:2616
- C:\Windows\System32\reg.exe
  reg delete "HKCU\Software\DownloadManager" "/v" "radxcnt" /f
  2⤵
  PID:1032
- C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
  2⤵
  PID:4520
- C:\Windows\System32\reg.exe
  reg delete "HKCU\Software\DownloadManager" "/v" "LstCheck" /f
  2⤵
  PID:440
- C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
  2⤵
  PID:960
- C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
  2⤵
  PID:3280
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
  2⤵
  PID:4828
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /f
  2⤵
  PID:4084
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID
  2⤵
  - Modifies registry key
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "(gc C:\Windows\Temp\regdata.txt) -replace 'HKEY_CURRENT_USER', 'HKCU' | Out-File -encoding ASCII C:\Windows\Temp\regdata.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {018D5C66-4533-4307-9B53-224DE2ED1FE6}"
  2⤵
  PID:5356
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5348
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
  2⤵
  PID:4556
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}"
  2⤵
  PID:4360
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1320
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}
  2⤵
  PID:1388
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {07999AC3-058B-40BF-984F-69EB1E554CA7}"
  2⤵
  PID:396
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:2664
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}
  2⤵
  PID:3144
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2304
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}
  2⤵
  - Modifies registry key
  PID:4484
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} /ve 2>nul
  2⤵
  PID:2364
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} /ve
    3⤵
    - Modifies registry key
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo (Default) REG_SZ (value not set)"
  2⤵
  PID:5408
- C:\Windows\System32\findstr.exe
  findstr /r /e "[^0-9]"
  2⤵
  PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Version /ve 2>nul
  2⤵
  PID:1884
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Version /ve
    3⤵
    PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} 2>nul
  2⤵
  PID:5396
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}
    3⤵
    - Modifies registry key
    PID:5192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Model"
  2⤵
  PID:4440
- C:\Windows\System32\findstr.exe
  findstr /i "MData Model scansk Therad"
  2⤵
  PID:4928
- C:\Windows\System32\reg.exe
  reg delete HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} /f
  2⤵
  PID:5328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}"
  2⤵
  PID:3584
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5916
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}
  2⤵
  PID:1920
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {20894375-46AE-46E2-BAFD-CB38975CDCE6}"
  2⤵
  PID:4900
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5924
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}
  2⤵
  PID:5344
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"
  2⤵
  PID:2760
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5372
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}
  2⤵
  PID:1840
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {389510b7-9e58-40d7-98bf-60b911cb0ea9}"
  2⤵
  PID:5268
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1716
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}
  2⤵
  - Modifies registry key
  PID:4688
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"
  2⤵
  PID:3480
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5596
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}
  2⤵
  - Modifies registry key
  PID:5632
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}"
  2⤵
  PID:1036
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:3652
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}
  2⤵
  PID:5000
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {5999E1EE-711E-48D2-9884-851A709F543D}"
  2⤵
  PID:5952
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5296
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}
  2⤵
  PID:4308
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {5AB7172C-9C11-405C-8DD5-AF20F3606282}"
  2⤵
  PID:4100
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:3648
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}
  2⤵
  PID:3032
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}"
  2⤵
  PID:2100
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1960
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}
  2⤵
  - Modifies registry key
  PID:4460
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}"
  2⤵
  PID:5876
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:6136
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}
  2⤵
  PID:5724
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {7AFDFDDB-F914-11E4-8377-6C3BE50D980C}"
  2⤵
  PID:872
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:6084
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}
  2⤵
  - Modifies registry key
  PID:6048
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:6056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {7B37E4E2-C62F-4914-9620-8FB5062718CC}"
  2⤵
  PID:2292
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1184
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}
  2⤵
  - Modifies registry key
  PID:4320
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}"
  2⤵
  PID:2396
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5456
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}
  2⤵
  - Modifies registry key
  PID:5200
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {917E8742-AA3B-7318-FA12-10485FB322A2}"
  2⤵
  PID:812
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5904
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}
  2⤵
  PID:4436
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {94269C4E-071A-4116-90E6-52E557067E4E}"
  2⤵
  PID:2388
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4148
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}
  2⤵
  - Modifies registry key
  PID:5060
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {9489FEB2-1925-4D01-B788-6D912C70F7F2}"
  2⤵
  PID:5640
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4644
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}
  2⤵
  PID:2448
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {9AA2F32D-362A-42D9-9328-24A483E2CCC3}"
  2⤵
  PID:5864
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5884
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}
  2⤵
  PID:3836
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
  2⤵
  PID:4032
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1684
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}
  2⤵
  PID:5920
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}"
  2⤵
  PID:1628
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1744
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}
  2⤵
  PID:3060
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A78ED123-AB77-406B-9962-2A5D9D2F7F30}"
  2⤵
  PID:1544
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4596
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}
  2⤵
  - Modifies registry key
  PID:3456
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A926714B-7BFC-4D08-A035-80021395FFA8}"
  2⤵
  PID:5064
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1004
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}
  2⤵
  - Modifies registry key
  PID:1600
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {AB807329-7324-431B-8B36-DBD581F56E0B}"
  2⤵
  PID:4228
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:840
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}
  2⤵
  PID:2060
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {BBACC218-34EA-4666-9D7A-C78F2274A524}"
  2⤵
  PID:2796
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:2632
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}
  2⤵
  - Modifies registry key
  PID:4340
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}"
  2⤵
  PID:5280
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:180
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}
  2⤵
  - Modifies registry key
  PID:5552
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"
  2⤵
  PID:3468
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1780
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}
  2⤵
  PID:3076
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
  2⤵
  PID:3280
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5104
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}
  2⤵
  PID:876
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4828
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
  2⤵
  PID:5524
- C:\Windows\System32\reg.exe
  reg add HKCU\SOFTWARE\DownloadManager /v FName /t REG_SZ /d "Soft98.iR [ SalaR ]"
  2⤵
  PID:5460
- C:\Windows\System32\reg.exe
  reg add HKCU\SOFTWARE\DownloadManager /v LName /t REG_SZ /d ""
  2⤵
  - Modifies registry key
  PID:3764
- C:\Windows\System32\reg.exe
  reg add HKCU\SOFTWARE\DownloadManager /v Email /t REG_SZ /d "[email protected]"
  2⤵
  PID:2344
- C:\Windows\System32\reg.exe
  reg add HKCU\SOFTWARE\DownloadManager /v Serial /t REG_SZ /d "FOX6H-3KWH4-7TSIN-Q4US7"
  2⤵
  - Modifies registry key
  PID:3980
- C:\Windows\System32\tasklist.exe
  tasklist /fi "imagename eq idman.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5140
- C:\Windows\System32\findstr.exe
  findstr /i "idman.exe"
  2⤵
  PID:5152
- C:\Program Files (x86)\Internet Download Manager\IDMan.exe
  "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/images/idm_box_min.png" /p "C:\Windows\Temp" /f temp.png
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5136
- - C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe
    "C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe" -runcm
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3820
- - C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
    "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1320
  - - C:\Windows\system32\RUNDLL32.EXE
      "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      PID:5648
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        
        PID:2304
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:2340
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:5400
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:3668
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:5388
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:1824
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:5372
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:5268
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:4712
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:5596
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:5096
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:1620
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:3960
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:3648
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      PID:5624
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        Registers COM server for autorun
        
        PID:4864
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    PID:6076
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:528
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
    3⤵
    - Loads dropped DLL
    PID:6028
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      PID:4192
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
    3⤵
    - Loads dropped DLL
    PID:6036
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      PID:6044
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
    3⤵
    - Loads dropped DLL
    PID:3208
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:4804
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5380
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1976
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2252
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3124
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1768
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4652
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4020
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5564
- C:\Program Files (x86)\Internet Download Manager\IDMan.exe
  "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/register/IDMlib/images/idman_logos.png" /p "C:\Windows\Temp" /f temp.png
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6064
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5992
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5500
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5064
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2436
- C:\Windows\System32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3752
- C:\Windows\System32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:5184
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID
  2⤵
  - Modifies registry key
  PID:5772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "(gc C:\Windows\Temp\regdata.txt) -replace 'HKEY_CURRENT_USER', 'HKCU' | Out-File -encoding ASCII C:\Windows\Temp\regdata.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {018D5C66-4533-4307-9B53-224DE2ED1FE6}"
  2⤵
  PID:3724
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:3468
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
  2⤵
  PID:3076
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}"
  2⤵
  PID:3280
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5104
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}
  2⤵
  PID:4456
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {117d8d8c-f3c5-78eb-fdd0-2e12e282ce38}"
  2⤵
  PID:3596
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5460
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{117d8d8c-f3c5-78eb-fdd0-2e12e282ce38}
  2⤵
  - Modifies registry key
  PID:5820
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2344
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{117d8d8c-f3c5-78eb-fdd0-2e12e282ce38}
  2⤵
  PID:5828
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:5148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {1a1cd5b8-87c0-8f72-c626-fe56aa45cf0e}"
  2⤵
  PID:5540
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5152
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1a1cd5b8-87c0-8f72-c626-fe56aa45cf0e}
  2⤵
  PID:4756
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5380
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1a1cd5b8-87c0-8f72-c626-fe56aa45cf0e}
  2⤵
  PID:536
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}"
  2⤵
  PID:1384
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4484
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}
  2⤵
  PID:2304
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {1d445b43-8fa0-91d2-e11d-c75224b492c1}"
  2⤵
  PID:1980
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5288
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1d445b43-8fa0-91d2-e11d-c75224b492c1}
  2⤵
  - Modifies registry key
  PID:5612
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5340
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1d445b43-8fa0-91d2-e11d-c75224b492c1}
  2⤵
  - Modifies registry key
  PID:3644
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:5328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1d445b43-8fa0-91d2-e11d-c75224b492c1} /ve 2>nul
  2⤵
  PID:4040
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1d445b43-8fa0-91d2-e11d-c75224b492c1} /ve
    3⤵
    - Modifies registry key
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo (Default) REG_SZ 23"
  2⤵
  PID:3020
- C:\Windows\System32\findstr.exe
  findstr /r /e "[^0-9]"
  2⤵
  PID:5788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {20894375-46AE-46E2-BAFD-CB38975CDCE6}"
  2⤵
  PID:2908
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5020
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}
  2⤵
  PID:2004
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"
  2⤵
  PID:1824
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:944
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}
  2⤵
  PID:5416
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {389510b7-9e58-40d7-98bf-60b911cb0ea9}"
  2⤵
  PID:3756
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:2472
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}
  2⤵
  - Modifies registry key
  PID:5372
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"
  2⤵
  PID:3124
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5776
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}
  2⤵
  PID:5888
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}"
  2⤵
  PID:1036
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5544
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}
  2⤵
  PID:2300
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {5999E1EE-711E-48D2-9884-851A709F543D}"
  2⤵
  PID:400
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5096
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}
  2⤵
  PID:5352
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {5AB7172C-9C11-405C-8DD5-AF20F3606282}"
  2⤵
  PID:6140
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1624
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}
  2⤵
  - Modifies registry key
  PID:3876
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}"
  2⤵
  PID:5648
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5716
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}
  2⤵
  PID:4864
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {6df1156a-4e9a-0112-58b5-f725cb396858}"
  2⤵
  PID:3624
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1144
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{6df1156a-4e9a-0112-58b5-f725cb396858}
  2⤵
  PID:5296
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5488
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{6df1156a-4e9a-0112-58b5-f725cb396858}
  2⤵
  PID:6092
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}"
  2⤵
  PID:4284
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:6080
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}
  2⤵
  - Modifies registry key
  PID:2636
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:6096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:6048
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4980
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}
  2⤵
  - Modifies registry key
  PID:2292
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:6088
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}
  2⤵
  - Modifies registry key
  PID:5724
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:5940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} /ve 2>nul
  2⤵
  PID:5200
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} /ve
    3⤵
    - Modifies registry key
    PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo (Default) REG_SZ (value not set)"
  2⤵
  PID:952
- C:\Windows\System32\findstr.exe
  findstr /r /e "[^0-9]"
  2⤵
  PID:696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Version /ve 2>nul
  2⤵
  PID:3616
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Version /ve
    3⤵
    - Modifies registry key
    PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} 2>nul
  2⤵
  PID:4148
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}
    3⤵
    PID:608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Model"
  2⤵
  PID:3904
- C:\Windows\System32\findstr.exe
  findstr /i "MData Model scansk Therad"
  2⤵
  PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {7AFDFDDB-F914-11E4-8377-6C3BE50D980C}"
  2⤵
  PID:5640
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:3140
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}
  2⤵
  - Modifies registry key
  PID:4116
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {7B37E4E2-C62F-4914-9620-8FB5062718CC}"
  2⤵
  PID:5864
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:2964
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}
  2⤵
  PID:5256
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}"
  2⤵
  PID:2660
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:692
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}
  2⤵
  PID:2296
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {917E8742-AA3B-7318-FA12-10485FB322A2}"
  2⤵
  PID:3156
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4408
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}
  2⤵
  PID:4808
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {94269C4E-071A-4116-90E6-52E557067E4E}"
  2⤵
  PID:3836
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1100
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}
  2⤵
  - Modifies registry key
  PID:740
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {9489FEB2-1925-4D01-B788-6D912C70F7F2}"
  2⤵
  PID:4160
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1912
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}
  2⤵
  - Modifies registry key
  PID:5500
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {9AA2F32D-362A-42D9-9328-24A483E2CCC3}"
  2⤵
  PID:5392
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4812
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}
  2⤵
  - Modifies registry key
  PID:840
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
  2⤵
  PID:1392
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5832
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}
  2⤵
  PID:3752
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:6000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}"
  2⤵
  PID:2380
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:6004
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}
  2⤵
  - Modifies registry key
  PID:180
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A78ED123-AB77-406B-9962-2A5D9D2F7F30}"
  2⤵
  PID:4340
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4908
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}
  2⤵
  PID:1300
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A926714B-7BFC-4D08-A035-80021395FFA8}"
  2⤵
  PID:2796
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1780
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}
  2⤵
  PID:3468
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {AB807329-7324-431B-8B36-DBD581F56E0B}"
  2⤵
  PID:3228
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5216
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}
  2⤵
  PID:5104
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {BBACC218-34EA-4666-9D7A-C78F2274A524}"
  2⤵
  PID:5084
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:2732
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}
  2⤵
  - Modifies registry key
  PID:3764
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}"
  2⤵
  PID:5960
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:2188
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}
  2⤵
  PID:880
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"
  2⤵
  PID:4516
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5152
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}
  2⤵
  - Modifies registry key
  PID:4568
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:4884
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1548
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}
  2⤵
  PID:2220
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4484
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}
  2⤵
  - Modifies registry key
  PID:4344
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {e8db64d1-a324-8243-5b3e-0b07b841e613}"
  2⤵
  PID:676
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:3668
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{e8db64d1-a324-8243-5b3e-0b07b841e613}
  2⤵
  - Modifies registry key
  PID:5528
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5616
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{e8db64d1-a324-8243-5b3e-0b07b841e613}
  2⤵
  PID:5408
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
  2⤵
  PID:4264
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:2496
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}
  2⤵
  - Modifies registry key
  PID:1920
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3020
- C:\Windows\System32\tasklist.exe
  tasklist /fi "imagename eq idman.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5124
- C:\Windows\System32\findstr.exe
  findstr /i "idman.exe"
  2⤵
  PID:1904
- C:\Windows\System32\taskkill.exe
  taskkill /f /im idman.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID
  2⤵
  PID:6068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "(gc C:\Windows\Temp\regdata.txt) -replace 'HKEY_CURRENT_USER', 'HKCU' | Out-File -encoding ASCII C:\Windows\Temp\regdata.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {018D5C66-4533-4307-9B53-224DE2ED1FE6}"
  2⤵
  PID:1036
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5544
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
  2⤵
  PID:5000
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}"
  2⤵
  PID:1620
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5520
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}
  2⤵
  PID:5512
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {117d8d8c-f3c5-78eb-fdd0-2e12e282ce38}"
  2⤵
  PID:2488
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5088
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{117d8d8c-f3c5-78eb-fdd0-2e12e282ce38}
  2⤵
  - Modifies registry key
  PID:1552
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2100
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{117d8d8c-f3c5-78eb-fdd0-2e12e282ce38}
  2⤵
  PID:2900
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $A='HKCU\Software\Classes\Wow6432Node\CLSID\{117d8d8c-f3c5-78eb-fdd0-2e12e282ce38}','','S-1-1-0','S-1-0-0','Deny','FullControl';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Activation.cmd')-split':Own1\:.*')[1])
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\reg.exe
  reg delete HKCU\Software\Classes\Wow6432Node\CLSID\{117d8d8c-f3c5-78eb-fdd0-2e12e282ce38} /f
  2⤵
  - Modifies registry key
  PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {1a1cd5b8-87c0-8f72-c626-fe56aa45cf0e}"
  2⤵
  PID:5964
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:6048
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1a1cd5b8-87c0-8f72-c626-fe56aa45cf0e}
  2⤵
  PID:636
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2292
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1a1cd5b8-87c0-8f72-c626-fe56aa45cf0e}
  2⤵
  - Modifies registry key
  PID:2936
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:5944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $A='HKCU\Software\Classes\Wow6432Node\CLSID\{1a1cd5b8-87c0-8f72-c626-fe56aa45cf0e}','','S-1-1-0','S-1-0-0','Deny','FullControl';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Activation.cmd')-split':Own1\:.*')[1])
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\System32\reg.exe
  reg delete HKCU\Software\Classes\Wow6432Node\CLSID\{1a1cd5b8-87c0-8f72-c626-fe56aa45cf0e} /f
  2⤵
  PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}"
  2⤵
  PID:5640
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5484
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}
  2⤵
  PID:932
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {1d445b43-8fa0-91d2-e11d-c75224b492c1}"
  2⤵
  PID:5904
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5884
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1d445b43-8fa0-91d2-e11d-c75224b492c1}
  2⤵
  - Modifies registry key
  PID:64
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4132
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1d445b43-8fa0-91d2-e11d-c75224b492c1}
  2⤵
  - Modifies registry key
  PID:5424
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:5176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1d445b43-8fa0-91d2-e11d-c75224b492c1} /ve 2>nul
  2⤵
  PID:1628
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{1d445b43-8fa0-91d2-e11d-c75224b492c1} /ve
    3⤵
    PID:5572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo (Default) REG_SZ 23"
  2⤵
  PID:3060
- C:\Windows\System32\findstr.exe
  findstr /r /e "[^0-9]"
  2⤵
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $A='HKCU\Software\Classes\Wow6432Node\CLSID\{1d445b43-8fa0-91d2-e11d-c75224b492c1}','','S-1-1-0','S-1-0-0','Deny','FullControl';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Activation.cmd')-split':Own1\:.*')[1])
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\reg.exe
  reg delete HKCU\Software\Classes\Wow6432Node\CLSID\{1d445b43-8fa0-91d2-e11d-c75224b492c1} /f
  2⤵
  - Modifies registry key
  PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {20894375-46AE-46E2-BAFD-CB38975CDCE6}"
  2⤵
  PID:4812
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4872
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}
  2⤵
  - Modifies registry key
  PID:2032
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"
  2⤵
  PID:5832
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5880
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}
  2⤵
  PID:5052
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {389510b7-9e58-40d7-98bf-60b911cb0ea9}"
  2⤵
  PID:6004
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:6060
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}
  2⤵
  - Modifies registry key
  PID:5772
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"
  2⤵
  PID:4908
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1704
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}
  2⤵
  - Modifies registry key
  PID:5188
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}"
  2⤵
  PID:1780
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:2872
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}
  2⤵
  PID:4972
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {5999E1EE-711E-48D2-9884-851A709F543D}"
  2⤵
  PID:5216
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4456
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}
  2⤵
  PID:5792
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {5AB7172C-9C11-405C-8DD5-AF20F3606282}"
  2⤵
  PID:5840
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:3764
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}
  2⤵
  - Modifies registry key
  PID:3980
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}"
  2⤵
  PID:5140
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5540
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}
  2⤵
  PID:5356
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {6df1156a-4e9a-0112-58b5-f725cb396858}"
  2⤵
  PID:316
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:536
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{6df1156a-4e9a-0112-58b5-f725cb396858}
  2⤵
  PID:2368
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:1384
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{6df1156a-4e9a-0112-58b5-f725cb396858}
  2⤵
  - Modifies registry key
  PID:332
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $A='HKCU\Software\Classes\Wow6432Node\CLSID\{6df1156a-4e9a-0112-58b5-f725cb396858}','','S-1-1-0','S-1-0-0','Deny','FullControl';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Activation.cmd')-split':Own1\:.*')[1])
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\reg.exe
  reg delete HKCU\Software\Classes\Wow6432Node\CLSID\{6df1156a-4e9a-0112-58b5-f725cb396858} /f
  2⤵
  PID:5984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}"
  2⤵
  PID:5924
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:3020
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}
  2⤵
  - Modifies registry key
  PID:2004
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {79873CC5-3951-43ED-BDF9-D8759474B6FD}"
  2⤵
  PID:1412
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5348
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}
  2⤵
  - Modifies registry key
  PID:2020
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:1320
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}
  2⤵
  PID:6036
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:5712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} /ve 2>nul
  2⤵
  PID:5416
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} /ve
    3⤵
    PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo (Default) REG_SZ (value not set)"
  2⤵
  PID:1296
- C:\Windows\System32\findstr.exe
  findstr /r /e "[^0-9]"
  2⤵
  PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Version /ve 2>nul
  2⤵
  PID:1792
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Version /ve
    3⤵
    PID:5888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} 2>nul
  2⤵
  PID:3696
- - C:\Windows\System32\reg.exe
    reg query HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}
    3⤵
    - Modifies registry key
    PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Model"
  2⤵
  PID:3124
- C:\Windows\System32\findstr.exe
  findstr /i "MData Model scansk Therad"
  2⤵
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $A='HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}','','S-1-1-0','S-1-0-0','Deny','FullControl';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Activation.cmd')-split':Own1\:.*')[1])
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\System32\reg.exe
  reg delete HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} /f
  2⤵
  - Modifies registry key
  PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {7AFDFDDB-F914-11E4-8377-6C3BE50D980C}"
  2⤵
  PID:5932
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:3240
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}
  2⤵
  PID:1552
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {7B37E4E2-C62F-4914-9620-8FB5062718CC}"
  2⤵
  PID:5808
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1960
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}
  2⤵
  - Modifies registry key
  PID:5488
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}"
  2⤵
  PID:4284
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4508
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}
  2⤵
  PID:5860
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {917E8742-AA3B-7318-FA12-10485FB322A2}"
  2⤵
  PID:1304
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5324
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}
  2⤵
  PID:2084
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:6096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {94269C4E-071A-4116-90E6-52E557067E4E}"
  2⤵
  PID:5964
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4980
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}
  2⤵
  - Modifies registry key
  PID:5472
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {9489FEB2-1925-4D01-B788-6D912C70F7F2}"
  2⤵
  PID:5724
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4020
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}
  2⤵
  PID:4664
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {9AA2F32D-362A-42D9-9328-24A483E2CCC3}"
  2⤵
  PID:5680
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4660
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}
  2⤵
  PID:4420
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
  2⤵
  PID:5600
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4148
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}
  2⤵
  PID:4668
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:6108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}"
  2⤵
  PID:5220
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4116
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}
  2⤵
  PID:932
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A78ED123-AB77-406B-9962-2A5D9D2F7F30}"
  2⤵
  PID:2336
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:5256
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}
  2⤵
  - Modifies registry key
  PID:64
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {A926714B-7BFC-4D08-A035-80021395FFA8}"
  2⤵
  PID:2296
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:692
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}
  2⤵
  - Modifies registry key
  PID:3156
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {AB807329-7324-431B-8B36-DBD581F56E0B}"
  2⤵
  PID:2840
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:3060
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}
  2⤵
  PID:5848
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {BBACC218-34EA-4666-9D7A-C78F2274A524}"
  2⤵
  PID:4364
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:2436
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}
  2⤵
  PID:5992
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}"
  2⤵
  PID:3024
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1600
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}
  2⤵
  - Modifies registry key
  PID:4036
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"
  2⤵
  PID:5812
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:4872
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}
  2⤵
  PID:2032
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:5244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {E6871B76-C3C8-44DD-B947-ABFFE144860D}"
  2⤵
  PID:5832
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1396
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}
  2⤵
  PID:5052
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:2380
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}
  2⤵
  PID:180
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $A='HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}','','S-1-1-0','S-1-0-0','Deny','FullControl';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Activation.cmd')-split':Own1\:.*')[1])
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\System32\reg.exe
  reg delete HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} /f
  2⤵
  PID:5156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {e8db64d1-a324-8243-5b3e-0b07b841e613}"
  2⤵
  PID:3228
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:1972
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{e8db64d1-a324-8243-5b3e-0b07b841e613}
  2⤵
  - Modifies registry key
  PID:5800
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:4828
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{e8db64d1-a324-8243-5b3e-0b07b841e613}
  2⤵
  PID:5084
- C:\Windows\System32\find.exe
  find /i "H"
  2⤵
  PID:5144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $A='HKCU\Software\Classes\Wow6432Node\CLSID\{e8db64d1-a324-8243-5b3e-0b07b841e613}','','S-1-1-0','S-1-0-0','Deny','FullControl';iex(([io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\Activation.cmd')-split':Own1\:.*')[1])
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5820
- C:\Windows\System32\reg.exe
  reg delete HKCU\Software\Classes\Wow6432Node\CLSID\{e8db64d1-a324-8243-5b3e-0b07b841e613} /f
  2⤵
  PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo {F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
  2⤵
  PID:4676
- C:\Windows\System32\findstr.exe
  findstr /r "{.*-.*-.*-.*-.*}"
  2⤵
  PID:3700
- C:\Windows\System32\reg.exe
  reg query HKCU\Software\Classes\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}
  2⤵
  - Modifies registry key
  PID:2220
- C:\Windows\System32\findstr.exe
  findstr /i "LocalServer32 InProcServer32 InProcHandler32"
  2⤵
  PID:396
- C:\Windows\System32\mode.com
  mode 90, 30
  2⤵
  PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall 2>nul
  2⤵
  PID:5328
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall
    3⤵
    PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall 2>nul
  2⤵
  PID:676
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile /v EnableFirewall
    3⤵
    - Modifies registry key
    PID:5400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall 2>nul
  2⤵
  PID:5528
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall
    3⤵
    PID:3744
- C:\Windows\System32\choice.exe
  choice /C:123456 /N
  2⤵
  PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb70e46f8,0x7ffdb70e4708,0x7ffdb70e4718
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4036 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1332 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Users\Admin\Downloads\idman642build3.exe
  "C:\Users\Admin\Downloads\idman642build3.exe"
  2⤵
  - Executes dropped EXE
  PID:5716
- - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
    "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      PID:5680
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        5⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:316
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      PID:5608
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        5⤵
        Loads dropped DLL
        Registers COM server for autorun
        
        PID:3600
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      PID:5396
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        5⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2316
  - - C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
      "C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Modifies registry class
      PID:5560
  - - C:\Program Files (x86)\Internet Download Manager\IDMan.exe
      "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:3744
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        
        PID:5684
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        6⤵
        Loads dropped DLL
        Registers COM server for autorun
        
        PID:4168
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        5⤵
        Loads dropped DLL
        
        PID:5916
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        6⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5112
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        5⤵
        Loads dropped DLL
        
        PID:3584
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        6⤵
        Loads dropped DLL
        Registers COM server for autorun
        
        PID:2620
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        5⤵
        Loads dropped DLL
        
        PID:5788
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        6⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5892
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        5⤵
        
        PID:5548
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        6⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.0.1579913087\1700644260" -parentBuildID 20221007134813 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b95832a-23f2-485f-a7e3-75a4e298f086} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 1968 202a1eda758 gpu
        7⤵
        
        PID:2060
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.1.1209925919\983810522" -parentBuildID 20221007134813 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3c5ae0d-0dc9-40ee-bddb-ec70d00a69e1} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 2432 202a1bfd858 socket
        7⤵
        Checks processor information in registry
        
        PID:5616
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.2.1862584100\340910993" -childID 1 -isForBrowser -prefsHandle 3232 -prefMapHandle 3228 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1124 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {691c7624-dec5-4139-b612-1357243f2334} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 3244 2029542d858 tab
        7⤵
        
        PID:5632
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.3.1183442599\1306555870" -childID 2 -isForBrowser -prefsHandle 3460 -prefMapHandle 3464 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1124 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73e826db-df98-40aa-8c60-b08292013ce7} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 3084 202a6d6e858 tab
        7⤵
        
        PID:1808
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.4.1659740431\423626227" -childID 3 -isForBrowser -prefsHandle 4868 -prefMapHandle 4860 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1124 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51c99ffd-f1a8-4896-b768-cbbe57b3f14a} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 4596 20295465358 tab
        7⤵
        
        PID:3152
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.5.1021163250\10374432" -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1124 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07034cfc-5793-453c-b472-5f9b3fbb96d7} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 5156 202a809de58 tab
        7⤵
        
        PID:3080
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.6.922485931\713005101" -childID 5 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1124 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac32eaa5-042f-469c-9cf2-798f258efd7c} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 5352 202a809fc58 tab
        7⤵
        
        PID:2976
    - - C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
        
        "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2044
      - C:\Windows\system32\RUNDLL32.EXE
        
        "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
        6⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:5868
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        7⤵
        Checks processor information in registry
        
        PID:5932
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        8⤵
        
        PID:6136
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        6⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        7⤵
        
        PID:1920
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        6⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        7⤵
        
        PID:3984
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        6⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        7⤵
        
        PID:4364
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        6⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        7⤵
        
        PID:2488
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        6⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        7⤵
        
        PID:184
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        6⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        7⤵
        
        PID:2900
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        6⤵
        Loads dropped DLL
        
        PID:872
        
        C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        
        PID:4020
    - - C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe
        
        "C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe"
        5⤵
        Executes dropped EXE
        
        PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:8
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3112 /prefetch:8
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,6505511628693179266,12422464601888933617,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:4028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3180
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{10bf8880-7fb7-9a4e-86de-70f2c1e2e243}\idmwfp.inf" "9" "4fc2928b3" "000000000000015C" "WinSta0\Default" "000000000000016C" "208" "C:\Program Files (x86)\Internet Download Manager"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5392
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "0000000000000178" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "000000000000015C" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "00000000000000E8" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "00000000000000B8" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1320

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" -Embedding
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1216
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  PID:6000
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5344
- C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
  "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5184
- - C:\Windows\system32\RUNDLL32.EXE
    "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5412
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      PID:4688
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:4700
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:4572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:5476
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:6140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:5520
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:3656
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:5724
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:6136
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:4284
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:6072
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:6080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:4192
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    PID:3496
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Suspicious use of AdjustPrivilegeToken
      PID:812

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5984
- C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
  "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5692
- - C:\Windows\system32\RUNDLL32.EXE
    "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:6028
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      PID:5920
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:2944
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:4712
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:5512
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:5088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:4460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:4284
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:5860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:5324
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:4044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:5508
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    PID:2396
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      PID:3768
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
  2⤵
  PID:608
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Registers COM server for autorun
    PID:4420
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
  2⤵
  PID:6124
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:2392
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
  2⤵
  PID:696
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:5368
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
  2⤵
  PID:3140
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery