Malware Analysis Report

2025-01-18 21:22

Sample ID 240323-nh1n4aff36
Target 2024-03-23_6e484a2aac47900be56cf520a4952345_icedid
SHA256 fb8496c17eb5056d56eec2bb4f3f4ecde53b7b483a98c7073e8276a46764d9e8
Tags
adware evasion persistence stealer trojan
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2024-03-23_6e484a2aac47900be56cf520a4952345_icedid was found to show suspicious behavior.

Malicious Activity Summary

adware evasion persistence stealer trojan

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Installs/modifies Browser Helper Object

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 11:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 11:24

Reported

2024-03-23 11:27

Platform

win7-20240221-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe /onboot" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 301832d1147dda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417354964" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\ C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8A0E181-E907-11EE-804E-6E6327E9C5D7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007823eddbcee3e149bc4db86b21295af6000000000200000000001066000000010000200000002153e82866556f0921de2f9142e34fd02b393d86b17ef1c8152b5d5044fe74e2000000000e80000000020000200000005d81d79c843deaed1fdc7f42d0724d4c725ab647c24679b552dfe30ba50410ce200000002359f4a3bdf7934674d76d9843098c02104e15061b2a1c4a9aa0a4a35f1627234000000082aefecdb99a7af9bd039dd2317972263d52e5eba0ef6fc8acd6e037b6863aa92dc405d86ee4459c9a0208a794f5a2f2c8576151c8bf7eec2483ed1b5a67f4ab C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\ftp\ C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "82" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\http\ C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\https\ C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1692 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1692 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1692 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1692 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1692 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2712 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2628 wrote to memory of 2712 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2628 wrote to memory of 2712 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2628 wrote to memory of 2712 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.internetdownloadmanager.com/welcome.html?v=617

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 169.61.27.133:80 www.internetdownloadmanager.com tcp
US 169.61.27.133:80 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 169.61.27.133:80 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar8FD8.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c65b9272e83313b636a9c35af467096f
SHA1 bef9d0d960c1e4276d36acccb8cd89e8245cfb2a
SHA256 f12e8190d705e2ef490faf3b42b64832f0ef434fa5e6fac49de40f08af7fabf4
SHA512 7573c1bf73c0fe786cde6f7b431209b7589c1ee78e89faa59458dd8fab19429e00644fea703b2edfb818c84cac6604af76877df354fa06ee1b10ea91b8b5c9d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0da6b9bb91d28b68df6a062ec382dc54
SHA1 29e3b289ac9fefe37bf77fa1392f6292574e2ffa
SHA256 3e0f5710dd3a6766558b693dc10638ad7b36dca0287a9facbe6bb364501cd708
SHA512 da743681105020aee0a53158fae888cba2c019fff11e921bdfac2bc80e6e70a7fdfd929b5085298189c00c6747fc9147c6f3ad9e7b4b47feced6460005f11689

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac38be41fdc1135fb6dd62441b227121
SHA1 da7b0ac0ebec9a9cf26f1468260c3976af52c7fa
SHA256 09aa12c7379d18aef87bd799235eceef14921c3a03bed25d1af8be9f71a5e843
SHA512 d179f5e36046b89371adda32f92700f8509a6c062324dae0399d1d8c1b1bb4e4d6b0a7e32039bd91b76692538e03734ec4bff1ac152b06edbd487718f3cf0c08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b384c46021242f5ac36a1bde02f6320
SHA1 a11923816a60d4f999a37966f97037da0d89f201
SHA256 215012957b7ee12e6969880eeb3e8f9a6d2642ad78a5a444b01bc9eb50666cc7
SHA512 f6b7e6652e43c7faa52c740d621f7680189d061e3359c6c55c88ce0907a3fbf9ac23e366fca5e87bdda4de2642cb76fc0a20995a387263d3fcbd66a65d9ffc36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 451d5ab242e0bcf63e602d66df2efd72
SHA1 a974a01c1c315289c8542f5856172c0e3f31e133
SHA256 da2696b73af49d56fd56e00c391846eebede89839055acdbd2a897f83f24c001
SHA512 8bbed50e14b13b04960e8349e341f64cec8c05b7feca08946e498aab4fec9448c29331d4ff9da81e31494f7b09ad28e0d8ce751ed838a046780cc0c64f51e985

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50d3a7059faa6e45eec8dfc7721da73f
SHA1 9bfb98e200bf99c2d5e297d5a49e4cdb0b90a305
SHA256 5ac3f263bc69b41e20c9dda786f28e26fd309bbf0e98234efa9da4b926f4c7bf
SHA512 b559d3d4f612a8b06aee8fcd8cc8884f3febae85a398fb25d32d8a0fbf47ea2c2553ff47e8eab243f1cbc1a0b1581066c97b61243a03754f5c3eb443775f838c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c930fbcd2b4411d8e1c8e3c7cf703da1
SHA1 4822836f51902e2c54a60b91a1fa5cdefee9c00d
SHA256 c0bbb7f706436a970ad01dc8b43fceda769c74f44e09e3e457d0d3159d253219
SHA512 82a3cbd441f024f314822ba068dbc064ffa60cd1f6fa8e5c058ad20b8cd9cc80ea152f6fe7cddb180f79aa7d34f1af944d35db417836a8349c7dc9d6966748ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c30de0fe245c8f920bdecc960372661
SHA1 ad1552c9c3ebfd5fc8bd760e4f9072e962c05d12
SHA256 a9348d5826deb56e4ad1e119156a919a1c1ed227852faa537bbfd8bdb819f017
SHA512 128134cc61b300d55a79fa1f5081ac6b467f065e21ca62a7a1cf6f26b95e7f9fcd8b05e82aa3457714f3b80ccb35bf7aff587021e54a63b0ec5df6f4eea18aaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72d23933203a7d05e3c6e4146f36deed
SHA1 9ee21b7370bafcc218a876580f2f8343dd002af1
SHA256 52801ad5b3c9c84621d87779e5ea8b2ac64fc53e252cf5e2754d9e82f5ef4601
SHA512 665cff90fea5853014b85532fe64fc6fcaf25226e7909f743b450a7c04dfc87c391ca5eb7773b4c18b2f2ae16a6c24392accaa54655967e171f5f0cf1c0ade91

C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\www_internetdownloadmanager_com_1\log_1.log

MD5 3eb4f213228acbb1c39a972713b612f0
SHA1 683302152b3a695be634f3cd208bd40081e0c1db
SHA256 1ec590a7ba4a8416c89e1e45cbd2bea65d5f4b56751b847456e39ea465750380
SHA512 af3f061364ef665e6c094ca8a8a57aa4fddf7b88bb0dea07071d400a7665b1dfd1113fcc33db17f5a3391a7c09aa90a746364087d8bc740df9448b5800786b68

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R4C1TSJU.txt

MD5 9d007d939bd2ed52cf1da2194013707a
SHA1 0c2c9e597f8c1b4cd20e43723db840d83ed301c9
SHA256 d97dcc3849801d1e40efd5aa2d6bee8900d16121bf2e5d7fa77973f53323457a
SHA512 09620031e586cb62cf1b7151ec5a07a0ad98c85091357aae4ec2e6902ad3e1b94667f8343604e14d9e971caa0926c0e5a9e1a4bd1c9314fc5dc798a19b170a32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adf8dc765ad929334b03fa3c7d5631a0
SHA1 e9bbaf975cc77fa8789763c3fe3548c406ca8d8e
SHA256 8bd12aa52a62bbd874a974b53e0a91138cf7decdcb7004ff13eabd22433b9aea
SHA512 01c1ecc402614b3377f17327d306c1adec749bda62e17a96c87a7c9e77e310930d1a079467752dc670031f5fba86792e0e3ca8d98e8a36c009d3fe77a45b817d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fb5f27d783012566a703e4b3b215655
SHA1 7d775bc41f62f91427c3a835c8139788954c2cb8
SHA256 6cab4da03452c94dade21c1f820620e2826ca85f9b490690d8d2f23bf7429895
SHA512 3ea6cc49d7170e0a8cf3937ce3d6cd15aa43abe714f7ae980f289aeab93dbcf6571edd83e4a91712e82ce062ebaee99de7b2e0034084e4726e564e492c79571f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e209dcd2ea480567dac94c39233fdf8
SHA1 769781ce2c6b41d348d3327170e9e84092dc4321
SHA256 e5bbad835827dd9c421d220922b6b130771da53d2a72354c07a5e0ec7ea7186c
SHA512 ad1b08c0d98611dd9a214e3e845a8a7a46438ba4096236fdf75f34bf3a7f01f99262b70a39f5b25db0f4b20798e75623f5ff7298d4d5e7fa49cc6b640f850d00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85d73ef062746e22507c08275afc710e
SHA1 acfe5aa58fe68ae095dbd250ff177edfe07641ed
SHA256 b6e8200567b07cff043daf4dabdf5b334632bfb31d6e5430797e278395f8b5cc
SHA512 acbf73f2a8c75c6d772e45908627ac6849da178454ddf1edaf683111839dc67f7a695dbd3eb2885623fbfe412e9a68739d2d55c9cf91b83b0745778dbaa624fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9da2a3ca821433559db17a15f8f0f1ef
SHA1 087833677ec62092a076d92cfdda72e27a1e4f0e
SHA256 2598998651419ef828dcd71109a5e207288046571b70f46e2e512c3b67fc2d91
SHA512 034141f9410c808e5e90ab4ab6fef993be192831856d3342d9c55937a37d95d1bf1685105e7f7fee8548fb017ea76429ec087a32d76679afb23b3b56952af9de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99448ab6c93c959f7c41a5f8b474d403
SHA1 309cac71f42744283f19d17373ba4f91c02e3e02
SHA256 e34c7caf4b2855570bfcd9aa67b337e07fd2238eb63bf277b04a15b045a64356
SHA512 5c40ca81d83ac1a6b264ec097a06836cce9e6f0fd86c4a7198507761d44c35f11745f70992cc40d3fd5670b9fa957ee5ad304579348754e2e335530db049b6eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 969718de67a37ac2080291e14e72ca43
SHA1 340d712b254861172bcb892fa90ab6b6b766d9e2
SHA256 386548a88b0d5b1a7cd7e4c61e03e01f34ec076ce449b8279cf83cf20005cfd3
SHA512 d555c3db6f865004f3475139e644a315efc4848a4a97721f5bc53da35a24f0f83ee52fb3df6d40bf2930c5b657cdc19be19112a8fa2cb17144edab6ef67c8f18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0765170c2d742837be94c03bee91f4e9
SHA1 457cd0974ac340e3a13d92692625c8c3f701f45f
SHA256 f58187c8893ee0ee87cce653b3f027c113567c6ed05a42a1c2490190bd21e7b6
SHA512 1594dfb70709f789e5eab5e7a6f82a886cdfc267c1aaeccbbcf3beb896017f14ce4ae87a9866e89c6446df59398d258596613889055acba61efafd569abbfe99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b152307cef11cd8d36c20763bdb7674f
SHA1 431f4b8e64ce3a706a74e2669aeee63b869ada63
SHA256 704e251bc17d74ce906cb23c8cad7c72cda2787684014e0001024760ce63a61a
SHA512 a05f384fd31be11844e439f249a2e365b8360ed74a3e8a16d90cb49195807a804fc5122d8950cc07a1305022de21a2737d0798b8d05fb2288c53dc88fe45dc86

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 11:24

Reported

2024-03-23 11:27

Platform

win10v2004-20240319-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe /onboot" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\http\ C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\https\ C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\ftp\ C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "82" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3680 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3680 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3680 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-23_6e484a2aac47900be56cf520a4952345_icedid.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://www.internetdownloadmanager.com/welcome.html?v=617

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5712 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:1

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3600 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5040 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5616 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5300 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4716 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6072 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8

Network


Files
