Malware Analysis Report

2025-01-18 21:16

Sample ID 240323-tk2l3ahd76
Target checking_v15.exe
SHA256 7fbacb03769bbe4bd800c97f330682ef7cb43d63a31a370da2a93f579d0831cf
Tags
pyinstaller adware discovery persistence spyware stealer upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

7fbacb03769bbe4bd800c97f330682ef7cb43d63a31a370da2a93f579d0831cf

Threat Level: Likely malicious

The file checking_v15.exe was found to be: Likely malicious.

Malicious Activity Summary

pyinstaller adware discovery persistence spyware stealer upx

Drops file in Drivers directory

UPX packed file

Loads dropped DLL

Registers COM server for autorun

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Detects Pyinstaller

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Modifies registry class

Runs net.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 16:07

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 16:07

Reported

2024-03-23 16:10

Platform

win11-20240221-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\checking_v15.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\idmwfp.sys C:\Windows\system32\DrvInst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\RUNDLL32.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe /onboot" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\SETE0DA.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\idmwfp64.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\SETE0DB.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\SETE0DC.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\SETE0DB.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\idmwfp.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\SETE0DA.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\idmwfp.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\SETE0DC.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\Recovery\ReAgent.xml C:\Windows\SYSTEM32\Reagentc.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys C:\Windows\system32\DrvInst.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Download Manager\IDMGrHlp.exe C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMShellExt.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_hi.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMOpExt.nex C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmfc.dat C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_large_3.bmp C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_nl.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_it.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMVMPrs64.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_ro.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_dk.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_iw.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMSetup2.log C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File opened for modification C:\Program Files (x86)\Internet Download Manager\IDMSetup2.log C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_ru.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_gr.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_chn.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_pt.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_small_3.bmp C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmtdi64.sys C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_ge.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_iw.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmnmcl.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmfsa.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmcchandler7_64.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_chn2.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_lao.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_mm.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_jp.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_ba.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_id.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\grabber.chm C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_ru.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_pl.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_ar.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_large_3_hdpi15.bmp C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_vn.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\openssl-license.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_largeHot_3.bmp C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_be.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_no.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_fa.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\scheduler.chm C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_gr.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_jp.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_my.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_sr.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Brotli-license.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_cz.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_pl.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmmzcc3.xpi C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_kr.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_ge.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_be.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_ptbr.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\oldjsproxy.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMFType.dat C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.json C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_sk.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\SYSTEM32\Reagentc.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log C:\Windows\SYSTEM32\Reagentc.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\SYSTEM32\Reagentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\SYSTEM32\Reagentc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B} C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe" C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppName = "IDMan.exe" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\ = "V2LinkProcessor Class" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\Programmable C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\ = "VLinkProcessor Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CLSID\ = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ = "IIDMEFSAgent7" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1\ = "131473" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader\CurVer\ = "idmBroker.OptionsReader.1" C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\TypeLib\ = "{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}" C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Control C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\AppId = "{0F947660-8606-420A-BAC6-51B84DD22A47}" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ = "IDMDwnlMgr Class" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CurVer\ = "IDMGetAll.IDMAllLinksProcessor.1" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll.dll" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\ = "LinkProcessor Class" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1\ = "131473" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ = "IDM Elevated FS Assistant" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC.dll" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ = "ICIDMLinkTransmitter2" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj.1\CLSID\ = "{0055C089-8582-441B-A0BF-17B458C2A3A8}" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDManTypeInfo.tlb" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CurVer\ = "DownlWithIDM.LinkProcessor.1" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID\ = "DownlWithIDM.VLinkProcessor.1" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID\ = "DownlWithIDM.IDMDwnlMgr.1" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\ = "LinkProcessor Class" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\NumMethods\ = "16" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\ = "IDMAllLinksProcessor Class" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\ = "IDMAllLinksProcessor Class" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\ = "IIDMIEHlprObj" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID C:\Windows\system32\regsvr32.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\Reagentc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Users\Admin\AppData\Local\Temp\checking_v15.exe
PID 1348 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Users\Admin\AppData\Local\Temp\checking_v15.exe
PID 960 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Users\Admin\AppData\Local\Temp\idm_setup.exe
PID 960 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Users\Admin\AppData\Local\Temp\idm_setup.exe
PID 960 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Users\Admin\AppData\Local\Temp\idm_setup.exe
PID 3748 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\idm_setup.exe C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
PID 3748 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\idm_setup.exe C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
PID 3748 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\idm_setup.exe C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
PID 960 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Windows\system32\cmd.exe
PID 960 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Windows\system32\cmd.exe
PID 960 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 960 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 960 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Windows\system32\cmd.exe
PID 960 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 4352 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 4352 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 4352 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 4352 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 4352 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 4352 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 4352 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 4352 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 2820 wrote to memory of 4864 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2820 wrote to memory of 4864 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 560 wrote to memory of 5028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 560 wrote to memory of 5028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4352 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
PID 4352 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
PID 4352 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
PID 1944 wrote to memory of 984 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1944 wrote to memory of 984 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4352 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Program Files (x86)\Internet Download Manager\IDMan.exe
PID 4352 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Program Files (x86)\Internet Download Manager\IDMan.exe
PID 4352 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp C:\Program Files (x86)\Internet Download Manager\IDMan.exe
PID 960 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Windows\system32\cmd.exe
PID 960 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\checking_v15.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 4816 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3060 wrote to memory of 4816 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3060 wrote to memory of 4816 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4816 wrote to memory of 4868 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4816 wrote to memory of 4868 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3060 wrote to memory of 2772 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3060 wrote to memory of 2772 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3060 wrote to memory of 2772 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2772 wrote to memory of 112 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2772 wrote to memory of 112 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3060 wrote to memory of 3884 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3060 wrote to memory of 3884 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3060 wrote to memory of 3884 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3060 wrote to memory of 5064 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3060 wrote to memory of 5064 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3060 wrote to memory of 5064 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3884 wrote to memory of 4012 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3884 wrote to memory of 4012 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 5064 wrote to memory of 1940 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 5064 wrote to memory of 1940 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3060 wrote to memory of 4664 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
PID 3060 wrote to memory of 4664 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
PID 3060 wrote to memory of 4664 N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe C:\Program Files (x86)\Internet Download Manager\Uninstall.exe

Processes

C:\Users\Admin\AppData\Local\Temp\checking_v15.exe

"C:\Users\Admin\AppData\Local\Temp\checking_v15.exe"

C:\Users\Admin\AppData\Local\Temp\checking_v15.exe

"C:\Users\Admin\AppData\Local\Temp\checking_v15.exe"

C:\Users\Admin\AppData\Local\Temp\idm_setup.exe

idm_setup.exe /skipdlgs /D=None

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\" -skdlgs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo %USERNAME%"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Get-LocalUser -Name 'Admin' | Select-Object -ExpandProperty PrincipalSource"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell "Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned, RestartPending | Format-List""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned, RestartPending | Format-List"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Program Files (x86)\Internet Download Manager\idmBroker.exe

"C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr /onsilentsetup

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell "Confirm-SecureBootUEFI""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Confirm-SecureBootUEFI"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe

"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv

C:\Windows\system32\RUNDLL32.EXE

"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{c320f17b-2fd0-7d41-ae31-42c2b177b580}\idmwfp.inf" "9" "4fc2928b3" "00000000000000BC" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\Internet Download Manager"

C:\Windows\SYSTEM32\Reagentc.exe

Reagentc /Enable

C:\Windows\system32\DrvInst.exe

DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "0000000000000158" "WinSta0\Default"

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" start IDMWFP

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start IDMWFP

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" start IDMWFP

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start IDMWFP

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" start IDMWFP

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start IDMWFP

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" start IDMWFP

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start IDMWFP

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" start IDMWFP

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start IDMWFP

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" start IDMWFP

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start IDMWFP

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 8.8.8.8:53 133.27.61.169.in-addr.arpa udp
US 174.127.113.77:443 mirror2.internetdownloadmanager.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI13482\python311.dll

MD5 116796874ac4a22bea5fc863a625b02e
SHA1 696cb1a9cd2298451d78d4e18ab0385dcc9089ae
SHA256 117876187d8b73d8c172d0fb8d70219695e798ff1acc9319e5dd62651739ce30
SHA512 8b7d6a4f3f953f2cce2c475c55f7e83f14bb0df7f4cc3c08535566e132ca565b93839aaee935fd133ab06e58710ffb03f1e13e35bab1119140d0c6efe75adbaf

C:\Users\Admin\AppData\Local\Temp\_MEI13482\python311.dll

MD5 5f6fd64ec2d7d73ae49c34dd12cedb23
SHA1 c6e0385a868f3153a6e8879527749db52dce4125
SHA256 ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967
SHA512 c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

C:\Users\Admin\AppData\Local\Temp\_MEI13482\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

memory/960-74-0x00007FF9B73F0000-0x00007FF9B79D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\base_library.zip

MD5 32ede00817b1d74ce945dcd1e8505ad0
SHA1 51b5390db339feeed89bffca925896aff49c63fb
SHA256 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a
SHA512 a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_ctypes.pyd

MD5 00f75daaa7f8a897f2a330e00fad78ac
SHA1 44aec43e5f8f1282989b14c4e3bd238c45d6e334
SHA256 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f
SHA512 f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

C:\Users\Admin\AppData\Local\Temp\_MEI13482\python3.DLL

MD5 0e105f62fdd1ff4157560fe38512220b
SHA1 99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c
SHA256 803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423
SHA512 59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

C:\Users\Admin\AppData\Local\Temp\_MEI13482\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_bz2.pyd

MD5 c413931b63def8c71374d7826fbf3ab4
SHA1 8b93087be080734db3399dc415cc5c875de857e2
SHA256 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293
SHA512 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

memory/960-84-0x00007FF9D2CE0000-0x00007FF9D2CEF000-memory.dmp

memory/960-82-0x00007FF9C9BD0000-0x00007FF9C9BF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_lzma.pyd

MD5 542eab18252d569c8abef7c58d303547
SHA1 05eff580466553f4687ae43acba8db3757c08151
SHA256 d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9
SHA512 b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

memory/960-87-0x00007FF9C9A90000-0x00007FF9C9AA9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_ssl.pyd

MD5 f9cc7385b4617df1ddf030f594f37323
SHA1 ebceec12e43bee669f586919a928a1fd93e23a97
SHA256 b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6
SHA512 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_queue.pyd

MD5 347d6a8c2d48003301032546c140c145
SHA1 1a3eb60ad4f3da882a3fd1e4248662f21bd34193
SHA256 e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192
SHA512 b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_socket.pyd

MD5 1a34253aa7c77f9534561dc66ac5cf49
SHA1 fcd5e952f8038a16da6c3092183188d997e32fb9
SHA256 dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f
SHA512 ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_multiprocessing.pyd

MD5 e3e3f86cc4c41edbaa5d30769d743d09
SHA1 c8df3eaf3e30b6cfb9891a5fbd595a03f831cfc7
SHA256 0d8203dba58573e4bf1ff3c3e89c331085ce25df11f2860d8d59203dd8b3faf8
SHA512 eedff332f82e1635d4d1f091061389612476612daf4cd9c1dcdbcb76a4cde45c84879bfa6b3b505b6bb4ce6030102999d6830573095fa1dc637fbdb8b02e37a4

C:\Users\Admin\AppData\Local\Temp\_MEI13482\select.pyd

MD5 45d5a749e3cd3c2de26a855b582373f6
SHA1 90bb8ac4495f239c07ec2090b935628a320b31fc
SHA256 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876
SHA512 c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_elementtree.pyd

MD5 f7f00d7a8c8f9532b58360deb55f7fa0
SHA1 be5ba44bac538d892579b27f4cb8a5af054720d7
SHA256 f752a6e47532582a6469d65d774c358f575bba0ecffb2c268dca04f99f1548cd
SHA512 3cf9d2ae0dc5034add460efe1e687a75d31d4d46d37b13c1d800781f280a8f2b7be17416a102efff4e562e2877fa0aa728f3ef8b55124b43a6029fe92c24d02d

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_hashlib.pyd

MD5 b227bf5d9fec25e2b36d416ccd943ca3
SHA1 4fae06f24a1b61e6594747ec934cbf06e7ec3773
SHA256 d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7
SHA512 c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

memory/960-107-0x00007FF9C8D40000-0x00007FF9C8D6D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\pyexpat.pyd

MD5 07c481d3ecdc06b1c5fd15c503490298
SHA1 656c79384d418de31b84c7b68b30a7e37251a475
SHA256 40672a3fc0931133fd74802ec34edc4a91fccf432d8fc1b63e693f64912f8284
SHA512 c7ed37aa552e72106d590206d77836f9e32f2285bc767e55579b17dd97d6e48a5201fb53fff4641a9a84c261343e8b00ec3899c16ccf50c707af858f4bf4e501

memory/960-108-0x00007FF9D2C40000-0x00007FF9D2C4D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\unicodedata.pyd

MD5 8c42fcc013a1820f82667188e77be22d
SHA1 fba7e4e0f86619aaf2868cedd72149e56a5a87d4
SHA256 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2
SHA512 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_decimal.pyd

MD5 e3fb8bf23d857b1eb860923ccc47baa5
SHA1 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0
SHA256 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3
SHA512 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

memory/960-110-0x00007FF9C8CA0000-0x00007FF9C8CC4000-memory.dmp

memory/960-113-0x00007FF9C9A70000-0x00007FF9C9A89000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

MD5 1c52efd6568c7d95b83b885632ec7798
SHA1 cae9e800292cb7f328105495dd53fc20749741f8
SHA256 2b2cad68bec8979fd577d692013a7981fdbc80a5a6e8f517c2467fdcee5d8939
SHA512 35e619f996e823f59455b531f1872d7658b299c41e14d91cd13dcef20072971a437884fde4424fd9a10b67a39ea40f48df416ed8b0633aea00022b31709541f2

C:\Users\Admin\AppData\Local\Temp\_MEI13482\charset_normalizer\md.cp311-win_amd64.pyd

MD5 32062fd1796553acac7aa3d62ce4c4a5
SHA1 0c5e7deb9c11eeaf4799f1a677880fbaf930079c
SHA256 4910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae
SHA512 18c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758

memory/960-116-0x00007FF9B63B0000-0x00007FF9B64CC000-memory.dmp

memory/960-111-0x00007FF9C8B60000-0x00007FF9C8B96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\_brotli.cp311-win_amd64.pyd

MD5 f7fa546c602ec2c0f1b9fcaf51237b45
SHA1 2756cdb4b454577b198831697af1bb7ef9652f3d
SHA256 88901438672fc2b46a8b3541ef3a443d1fa587a34a4fa1b4147d625c7aa86b0b
SHA512 b2606dfa20a61a34be84000da1342e6daa5fe2e0fda3fd51c150fcb7afac4fac1af7f109d7808f5dec2c30cf3972d2b8df16e797647e9a26e3a3ed2f08aa271f

C:\Users\Admin\AppData\Local\Temp\_MEI13482\libcrypto-3.dll

MD5 78ebd9cb6709d939e4e0f2a6bbb80da9
SHA1 ea5d7307e781bc1fa0a2d098472e6ea639d87b73
SHA256 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e
SHA512 b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

memory/960-120-0x00007FF9C8B30000-0x00007FF9C8B56000-memory.dmp

memory/960-121-0x00007FF9C99F0000-0x00007FF9C9A04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\libssl-3.dll

MD5 bf4a722ae2eae985bacc9d2117d90a6f
SHA1 3e29de32176d695d49c6b227ffd19b54abb521ef
SHA256 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147
SHA512 dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

memory/960-122-0x00007FF9B5E90000-0x00007FF9B63B0000-memory.dmp

memory/960-123-0x00007FF9CD4E0000-0x00007FF9CD4EB000-memory.dmp

memory/960-125-0x00007FF9D20D0000-0x00007FF9D20DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\bcj\_bcj.cp311-win_amd64.pyd

MD5 4f88245c7d91a5540a465a48c47e6053
SHA1 a219a723685141f07d178ad43c89f319271d17ff
SHA256 d46c010fa06943ac8837d77b7a3efbb9f4af63f27b35f3a5be248c264e1f8917
SHA512 65f4ad5dea93db1348ab587da4af6975a9d337c2ab1d6c6ffe76505b2ff891719e7ad942f35e62352cc6e61875113f8dc14f1c8e4ccfe79ca5b4e9e3fe99d777

memory/960-129-0x00007FF9C9B40000-0x00007FF9C9B4F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\pyzstd\c\_zstd.cp311-win_amd64.pyd

MD5 0d42be4aa156fde8a92ed0b31fc38a5a
SHA1 e1367cdb59b61b130c6c0a1c411d672343720dbe
SHA256 7214ff6a0f29726466f10670815005b57a6cb800166d457192419cb1ccac9657
SHA512 3f14a858e37badb15a9e69081aec4645056f98ee715bf00c3343a26dff8668421e262f226ce198501f3acd7ef98b02a0c3afcd5eebb6a7d4170f9174eafbfbb6

C:\Users\Admin\AppData\Local\Temp\_MEI13482\Cryptodome\Cipher\_raw_ecb.pyd

MD5 b47c542168546fb875e74e49c84325b6
SHA1 2aecab080cc0507f9380756478eadad2d3697503
SHA256 55657830c9ab79875af923b5a92e7ee30e0560affc3baa236c38039b4ef987f2
SHA512 fc25087c859c76dff1126bbfe956ea6811dc3ca79e9bbfd237893144db8b7ce3cae3aeb0923f69e0bfffa5575b5442ad1891d7088dd3857b62be12b5326be50d

memory/960-136-0x00007FF9C9810000-0x00007FF9C9824000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13482\Cryptodome\Cipher\_raw_cbc.pyd

MD5 f2bf3f3cdce0e6a8a29bd7fad094736b
SHA1 7eb4af31b93ee38219eb31c2a867959bb7a3ec53
SHA256 d8a9edff4c8cbbd02cc89541cd1a9f8b1ba8381f000a86f910b4d6831bb9a034
SHA512 ea3dcdd0218f51bedafe9fb995d84a820d244673086f42276d7cb6c398c67f0e4f79ec343dd0a6fc0af03ae605aabbbd93c8c612cbfd7ddf641b9f8a8db13c83

C:\Users\Admin\AppData\Local\Temp\_MEI13482\Cryptodome\Cipher\_raw_ofb.pyd

MD5 6315a891ea3f996fc4b5ec384841f10c
SHA1 ed76ef57517e35b7b721a8b1a3e1ffa7873aec57
SHA256 087c238e1aa9038f53f8c92e7255f7adc9cd9a60a895256962dc39a73d596382
SHA512 083859a84ff84e865cfc255ff1674134940c5a64cc703c4ae7815501d586005b6b6cabc28e52239ae24cd38a1253d634d8de87d98a4a65f45df2b34bc24c2483

C:\Users\Admin\AppData\Local\Temp\_MEI13482\Cryptodome\Cipher\_raw_ctr.pyd

MD5 0a47ae20f5c45144eaa5c6af1ba33757
SHA1 dad050ea948c1e327369a3644c7cc65e7927bf10
SHA256 77d5d375fa405f83fba90ff51bda86c2233146a3aa768367f8ef582aba453aab
SHA512 a8eb40ae7a390d2d13deb0df6e753a3d3fd1f02597271020ee46c1326578908e402f3a527d8bc69fe9638cc1960330c7e81578a3dbdc0e93636b90d506ed5cae

C:\Users\Admin\AppData\Local\Temp\_MEI13482\Cryptodome\Util\_strxor.pyd

MD5 5514407ec9a5f75b9fe72a4dcea9ca1a
SHA1 96f0e027bbfd35f817aeb6b5991d89ea8cc8c10f
SHA256 ffea9f021df4e5dc728feabdb3de15a94cbcbb736fd0301f7772b2046a3b0070
SHA512 5326bc489e106906306fce2b890c992a114f217d1001afdad16061e1e61d71b34dbda5b0fa4a38f31f77756b1adc8501effb662e028fabe361d064e63056fa83

C:\Users\Admin\AppData\Local\Temp\_MEI13482\Cryptodome\Hash\_SHA1.pyd

MD5 24611153e8f1b08d045209d461a54d42
SHA1 9d7d9119f80a0e6df72b8f55db638d6107c7aa61
SHA256 d76b2dc836f8ef43eeacc97e799cb1c3a1736a4f26e5c0d1f6c7031bcb06b78e
SHA512 db3dd23d94c6ca715b3e48babba35c16447a843b1f8f17316d340f0903434373be2fe1b2460a57ace84802656fceb6ddae183b74d62ee1ef9a928d1d2f8eef70

C:\Users\Admin\AppData\Local\Temp\_MEI13482\Cryptodome\Hash\_BLAKE2s.pyd

MD5 526078b253e0bccd1da0deb45dd05c4c
SHA1 c43198e7822dee397b27b20605ea2e78f95e1d41
SHA256 1478f02374bcdda6b4e736c47501c6aedcef273de84240ff06e1797aa4941e84
SHA512 b91686f08551a13e8f1ba6098d9c7538751fbe29900afe1233b63bdfb4882a20b3772cf3c284db5473fbed48aaac7d7a5641e33f3bb326b3de56deb5ab2af8f4

C:\Users\Admin\AppData\Local\Temp\_MEI13482\Cryptodome\Cipher\_raw_cfb.pyd

MD5 4d651469eff9f0a3f904fcac9b1a41d2
SHA1 f9eb0d3ae58b8195e2485c6c378ce84f95c9ee54
SHA256 1b835a8c05dcc24c77fcf21ae0091ce34aca3b6b3d153415e3f0cf0142c53f9b
SHA512 0c10c6a52e2fa9bdf89229ad9964cfff6f3621eaad6f3aacebbbc8da6ff742e087c79af2d2d152c433160f25a9e45a2c41e13349cba758640163832569d37cfd

C:\Users\Admin\AppData\Local\Temp\_MEI13482\pyzstd\c\_zstd.cp311-win_amd64.pyd

MD5 e2edccf1f68dd463833cf123dcea4867
SHA1 3b9b8c17924fa0f6d652f481e067d55a6452f8cd
SHA256 53e85452d139182689fd968ca8e999e35b13e5bae9b293bab52da3853164917f
SHA512 f04dde466b5f6a0dcaaa890a7a23c7e51647230ddfddeaeb1a5674500d6a7ccd165013b42b3e0fe4a39d2a76a326b539050d25dfba6805c8e31d028519374132

C:\Users\Admin\AppData\Local\Temp\_MEI13482\pyppmd\c\_ppmd.cp311-win_amd64.pyd

MD5 b26289878055dd886e86661ef4d428ba
SHA1 38ebadd85e5fb988834d6795033ce61a3218b875
SHA256 9ef74ad38d7daaab40f20ecb7bd7c550491c5e44069796dd98e423e2160069c7
SHA512 039de4161017778833b77631a185d68cbf9e1b98742d23f64a25c225cf0368e01c0c5dd15b3e2b4b04e82ed2828b2a88981465c493de712cd38cb853e49ad374

C:\Users\Admin\AppData\Local\Temp\_MEI13482\inflate64\_inflate64.cp311-win_amd64.pyd

MD5 88ca6f171b6d091073c66a6cad7799e9
SHA1 2cc5f4747bd7ace38cd917f0b40820ffd4b7df25
SHA256 e8ee3c599ae8ad8b6d35afa4f4d6a077aede929d26b41a107ba52381952e2147
SHA512 51a95c4a5bd66f54284be04479d41dd058174c6874b5b6c59a37b0e1c145f7fa6c67335b57c9be280b4bd36d321399f0c352e79ad625d5aed83a6624b7487242

memory/960-134-0x00007FF9C93D0000-0x00007FF9C93E6000-memory.dmp

memory/960-152-0x00007FF9B73F0000-0x00007FF9B79D9000-memory.dmp

memory/960-153-0x00007FF9C9BD0000-0x00007FF9C9BF3000-memory.dmp

memory/960-154-0x00007FF9B5DF0000-0x00007FF9B5E8A000-memory.dmp

memory/960-156-0x00007FF9C8D20000-0x00007FF9C8D2C000-memory.dmp

memory/960-155-0x00007FF9C8D30000-0x00007FF9C8D3B000-memory.dmp

memory/960-157-0x00007FF9C8C90000-0x00007FF9C8C9B000-memory.dmp

memory/960-158-0x00007FF9C8C80000-0x00007FF9C8C8C000-memory.dmp

memory/960-159-0x00007FF9C8AA0000-0x00007FF9C8AAB000-memory.dmp

memory/960-160-0x00007FF9C8A90000-0x00007FF9C8A9C000-memory.dmp

memory/960-161-0x00007FF9C8A80000-0x00007FF9C8A8C000-memory.dmp

memory/960-162-0x00007FF9C89E0000-0x00007FF9C89EE000-memory.dmp

memory/960-163-0x00007FF9C89D0000-0x00007FF9C89DC000-memory.dmp

memory/960-164-0x00007FF9C89A0000-0x00007FF9C89AB000-memory.dmp

memory/960-165-0x00007FF9C83B0000-0x00007FF9C83BB000-memory.dmp

memory/960-166-0x00007FF9C83A0000-0x00007FF9C83AC000-memory.dmp

memory/960-167-0x00007FF9C1F20000-0x00007FF9C1F2C000-memory.dmp

memory/960-168-0x00007FF9BEDB0000-0x00007FF9BEDBD000-memory.dmp

memory/960-169-0x00007FF9BED90000-0x00007FF9BEDA2000-memory.dmp

memory/960-170-0x00007FF9B5D20000-0x00007FF9B5DEF000-memory.dmp

memory/960-171-0x00007FF9B5C50000-0x00007FF9B5D1D000-memory.dmp

memory/960-172-0x00007FF9C9800000-0x00007FF9C980B000-memory.dmp

memory/960-173-0x00007FF9BED80000-0x00007FF9BED8C000-memory.dmp

memory/960-174-0x00007FF9BDBC0000-0x00007FF9BDBF3000-memory.dmp

memory/960-175-0x00007FF9C9A90000-0x00007FF9C9AA9000-memory.dmp

memory/960-176-0x00007FF9B73F0000-0x00007FF9B79D9000-memory.dmp

memory/960-177-0x00007FF9C9BD0000-0x00007FF9C9BF3000-memory.dmp

memory/960-181-0x00007FF9C9A70000-0x00007FF9C9A89000-memory.dmp

memory/960-188-0x00007FF9C99F0000-0x00007FF9C9A04000-memory.dmp

memory/960-189-0x00007FF9B5E90000-0x00007FF9B63B0000-memory.dmp

memory/3748-218-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4352-219-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3748-220-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctond3hc.nw2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3728-238-0x0000021CBB0E0000-0x0000021CBB102000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDMSetup2.log

MD5 f54e9699d17fc8a08da141e2dccc77a3
SHA1 ac9a19806f5647c9f48d5898acfcc3d3d36bee4f
SHA256 4bc9e2a38bba554b336780839ef4c88c4f1a0dc31e1ce83e81e4ebd9315af859
SHA512 fdd4024df47cd0efd66416ca9f35541326fdfbca0a368d2c998faac3cdf466069e79ff283ecd56f91e55f9650dfd7a84172008c7f5966446956c8489f78fd6c9

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDMSetup2.log

MD5 bb0ff7af49bf67f8c438aa7cfcc621e4
SHA1 45fdc4c861de54859ea555cb198d6bd48de06ffd
SHA256 11fe14785ab857ecde9157059b748a02ba11707154347b71833f1aa13f982c31
SHA512 042162c9029666dd1cd94ba47e89fe8117b2ed496ad733d34ff375ad3141447da6dca7ceedd3f694ca7131dd5fbd332cdf1c7240a3dd913daab87b96fa357a0b

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDMSetup2.log

MD5 13cefd601bf223f38066f456623837e3
SHA1 8cb005d315433370e4025c61a963265a5648b9e1
SHA256 de4fbb7faf133842a2f4cc409e5a7dbc0f875ffc92cbd79b60921d8b2187b616
SHA512 9db436d2518eb211ccf3d0ebf05908af4a17519410c7d4a81ec4a5dfac75691b0b14500592642d4762bde0c4383a90a76e5af1dbb0e419b088c716e2aedb2143

memory/3728-309-0x00007FF9B6550000-0x00007FF9B7012000-memory.dmp

memory/960-406-0x00007FF9B73F0000-0x00007FF9B79D9000-memory.dmp

memory/3728-668-0x0000021CBB170000-0x0000021CBB18C000-memory.dmp

memory/3728-684-0x00007FF9B6550000-0x00007FF9B7012000-memory.dmp

memory/4040-694-0x0000028576560000-0x0000028576570000-memory.dmp

memory/4040-703-0x00007FF9B6550000-0x00007FF9B7012000-memory.dmp

memory/4040-704-0x0000028576560000-0x0000028576570000-memory.dmp

memory/4040-705-0x0000028576560000-0x0000028576570000-memory.dmp

memory/4352-706-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4040-710-0x00007FF9B6550000-0x00007FF9B7012000-memory.dmp

memory/3008-711-0x00007FF9B6550000-0x00007FF9B7012000-memory.dmp

memory/3008-712-0x000001956DBC0000-0x000001956DBD0000-memory.dmp

memory/3008-721-0x000001956DBC0000-0x000001956DBD0000-memory.dmp

memory/4664-751-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3008-762-0x00007FF9B6550000-0x00007FF9B7012000-memory.dmp

C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\SETE0DC.tmp

MD5 f8f346d967dcb225c417c4cf3ab217a0
SHA1 daca3954f2a882f220b862993b0d5ddf0f207e34
SHA256 a54e0ac05254a464180e30f21a6b26651e7495427353bba9c246ba1d2388e7cc
SHA512 760c2914f3e937a2a3443a032cf74b68b6d24d082d0f50d65058a0fd87d8eeab229fb8d3105e442f0b3b0b2f3824439981951266425512e51e7ff36669a652fa

C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\SETE0DB.tmp

MD5 d5e0819228c5c2fbee1130b39f5908f3
SHA1 ce83de8e675bfbca775a45030518c2cf6315e175
SHA256 52818c67be219bc3b05c58b40e51b99a65c2f4bcafe38a995610b4ec10928def
SHA512 bb397004f2256db781385de3e7e7b7993be8fbb2cb701ead99a7878c2bcca6c9ae4a7aa61c329aeeb6711c8c74081e971e85af38af6b32b58888c932fd51d218

C:\Windows\System32\DriverStore\Temp\{6fd0bb68-3e61-a347-8d39-5833245f582c}\SETE0DA.tmp

MD5 7d55ad6b428320f191ed8529701ac2fa
SHA1 515c36115e6eba2699afbf196ae929f56dc8fe4c
SHA256 753a1386e7b37ee313db908183afe7238f1a2aec5e6c1e59e9c11d471b6aaa8d
SHA512 a260aae4ff4f064b10388d88bb0cb9ea547ed0bc02c88dc1770935207e0429471d8cd60fcc5f9ee51ecd34767bf7d44c75ea6fbe427c39cc4114aad25100f40d

C:\Windows\System32\Recovery\ReAgent.xml

MD5 ed58a9857657895ce285de6ccd83c3e1
SHA1 021fd85a905b7f5f26158cc0a20e60c1d99eefdb
SHA256 ce6a5fdebab5a83f917e848e6a61d1031d7ba6fce086c9c5de46bb889123c94e
SHA512 c4f9fef2c6fe93a10f58060265adb0a874a49f8f84d5534bead2c081727d126cd6d392e8006aba4b52ac35bb1957b4cea3d1bb6dcb719b4a7939378070dc3b86

memory/4664-866-0x0000000000400000-0x000000000042B000-memory.dmp