695cd368713e92a60a3a1d78055081ff74655c19a704a9303f79d4f66d41b38e

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe /onboot"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	cleanmgr.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setuperr.log	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagerr.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagwrn.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setupact.log	cleanmgr.exe
File opened for modification	C:\Windows\System32\ras\SSTPProxy\ProxyConfig.xml	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Download Manager\idmantypeinfo.tlb	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ptbr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_az.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_bg.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_iw.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\downlWithIDM.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_cht.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_chn2.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_iw.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_cz.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmfc.dat	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMSetup2.log	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\tips.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_ar.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmfsa.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_fa.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMNetMon.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_fa.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_chn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_vn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_es.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_fr.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_largeHot_3.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMNetMon64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_src.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_kr.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_vn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_cht.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_mm.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_nl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_kr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_gr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_hi.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi.cat	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_smallHot_3.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IEGetVL.htm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp32.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi32.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_mn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfpAA.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idman.chm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_tr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_be.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_fr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_it.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_bg.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc7_64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_jp.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_fi.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmftype.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ua.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_cz.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_hu.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmvs.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_id.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.json	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_sk.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_hu.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_gu.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_sw.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_large_3.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IEGetVL2.htm	IDM1.tmp

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SETLANG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SETLANG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SETLANG.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SETLANG.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SETLANG.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SETLANG.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SETLANG.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	SETLANG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	SETLANG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SETLANG.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	SETLANG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	SETLANG.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\MenuExt\تحميل بواسطة Internet Download Manager\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\MenuExt\تحميل بواسطة Internet Download Manager\contexts = "243"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDM1.tmp
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\MenuExt\تحميل بواسطة Internet Download Manager	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDM1.tmp
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppName = "IDMan.exe"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\MenuExt\تحميل بواسطة Internet Download Manager	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\Policy = "3"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDM1.tmp

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ = "IDMEFSAgent Class"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID\ = "DownlWithIDM.VLinkProcessor.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC.dll"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1\CLSID	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0\win32	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID\ = "DownlWithIDM.V2LinkProcessor"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CurVer\ = "DownlWithIDM.IDMDwnlMgr.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version\ = "1.0"	IDMan.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\CLSID\ = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\ = "LinkProcessor Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\ProgID	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\NumMethods	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib\Version = "1.0"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ = "IDMDwnlMgr Class"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CurVer\ = "DownlWithIDM.IDMDwnlMgr.1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\NumMethods	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CLSID	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID\ = "Idmfsa.IDMEFSAgent.1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\TypeLib	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor.1\CLSID\ = "{CDD67718-A430-4AB9-A939-83D9074B0038}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ProgID\ = "IDMGetAll.IDMAllLinksProcessor.1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ = "IDMEFSAgent Class"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\Programmable	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib\Version = "1.0"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ = "IV2LinkProcessor"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID\ = "IDMIECC.IDMIEHlprObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1\ = "IDMEFSAgent Class"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\ = "IIDMHelperLinksStorage"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ = "LinkProcessor Class"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\TypeLib	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\Programmable	IDMan.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\idman642build7.exe:Zone.Identifier	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3548	IDM1.tmp
3548	IDM1.tmp
3548	IDM1.tmp
3548	IDM1.tmp
3548	IDM1.tmp
3548	IDM1.tmp
3548	IDM1.tmp
3548	IDM1.tmp
3548	IDM1.tmp
3548	IDM1.tmp
5068	IDMan.exe
5068	IDMan.exe
5220	7zFM.exe
5220	7zFM.exe
5228	IDMan.exe
5228	IDMan.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5228	IDMan.exe
2116	OpenWith.exe
4968	7zFM.exe
5220	7zFM.exe

Suspicious behavior: LoadsDriver 18 IoCs

pid	Process
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
624	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
624	Process not Found

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4884	MicrosoftEdgeCP.exe
4884	MicrosoftEdgeCP.exe
4884	MicrosoftEdgeCP.exe
4884	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3552	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3552	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3552	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1144	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1144	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1144	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4228	MicrosoftEdge.exe
Token: SeDebugPrivilege	4228	MicrosoftEdge.exe
Token: SeShutdownPrivilege	1144	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1144	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1144	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1144	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1144	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1144	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1144	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1144	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1144	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1144	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1144	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1144	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2804	firefox.exe
Token: SeDebugPrivilege	2804	firefox.exe
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp
Token: SeDebugPrivilege	3548	IDM1.tmp

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
5068	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
4968	7zFM.exe
5220	7zFM.exe
5220	7zFM.exe
5220	7zFM.exe
5220	7zFM.exe
5220	7zFM.exe
5228	IDMan.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
5068	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4228	MicrosoftEdge.exe
4884	MicrosoftEdgeCP.exe
3552	MicrosoftEdgeCP.exe
4884	MicrosoftEdgeCP.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
5044	idman642build7.exe
2216	IDM1.tmp
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
4020	idman642build7.exe
3548	IDM1.tmp
1572	idmBroker.exe
5068	IDMan.exe
5068	IDMan.exe
5068	IDMan.exe
5068	IDMan.exe
4984	firefox.exe
3548	firefox.exe
5044	Uninstall.exe
5068	IDMan.exe
5068	IDMan.exe
5068	IDMan.exe
3428	MediumILStart.exe
5228	IDMan.exe
5228	IDMan.exe
3760	Uninstall.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5624	IEMonitor.exe
5624	IEMonitor.exe
5624	IEMonitor.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5228	IDMan.exe
5128	winrar-x64-700.exe
5128	winrar-x64-700.exe
5128	winrar-x64-700.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1144	4884	MicrosoftEdgeCP.exe	77
PID 4884 wrote to memory of 1144	4884	MicrosoftEdgeCP.exe	77
PID 4884 wrote to memory of 1144	4884	MicrosoftEdgeCP.exe	77
PID 4884 wrote to memory of 1144	4884	MicrosoftEdgeCP.exe	77
PID 4884 wrote to memory of 1144	4884	MicrosoftEdgeCP.exe	77
PID 4884 wrote to memory of 1144	4884	MicrosoftEdgeCP.exe	77
PID 4884 wrote to memory of 1144	4884	MicrosoftEdgeCP.exe	77
PID 4884 wrote to memory of 1144	4884	MicrosoftEdgeCP.exe	77
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 592 wrote to memory of 2804	592	firefox.exe	83
PID 2804 wrote to memory of 4496	2804	firefox.exe	84
PID 2804 wrote to memory of 4496	2804	firefox.exe	84
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85
PID 2804 wrote to memory of 5036	2804	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "C:\Users\Admin\AppData\Local\Temp\eg-en.html"
1⤵
PID:4628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:592
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.0.670051917\138107749" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1668 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10e5d892-95e5-4d4b-9f8c-70558e36d573} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 1760 1532c4bde58 gpu
    3⤵
    PID:4496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.1.1667804551\1735960573" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6da6fd18-6a37-4e12-80fa-0ffa884d6604} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 2116 15321470758 socket
    3⤵
    - Checks processor information in registry
    PID:5036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.2.2097837711\1818129289" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {265339ab-aebb-48ba-a737-5a36b256f137} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 2888 153306c0b58 tab
    3⤵
    PID:4788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.3.1117320499\1180667586" -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3476 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed62d85-b6a7-44e4-88b6-446d677db8aa} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 3528 1532ee22458 tab
    3⤵
    PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.4.1203753334\1920225645" -childID 3 -isForBrowser -prefsHandle 4112 -prefMapHandle 4108 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d524d9a-b2c5-4a3f-81b4-ac24e359314e} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4132 1533270b858 tab
    3⤵
    PID:4536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.5.1761598912\1508121118" -childID 4 -isForBrowser -prefsHandle 4868 -prefMapHandle 4796 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f99b8fbf-172b-429e-8701-1b1e408585f8} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4876 15330637f58 tab
    3⤵
    PID:3732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.6.1944213214\2080961137" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33c526e2-84a7-4548-95d4-aa943757c0bf} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4780 15330638e58 tab
    3⤵
    PID:4240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.7.963199634\1887980282" -childID 6 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15805b75-33dd-4d2b-8f0e-2a58a7fc710d} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 5180 15332332358 tab
    3⤵
    PID:592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.8.1680984212\11186730" -childID 7 -isForBrowser -prefsHandle 5036 -prefMapHandle 5056 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {937c95f0-cf28-4031-af16-9f5b089ddcba} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4796 15333d41258 tab
    3⤵
    PID:4248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.9.2029442751\1318688018" -childID 8 -isForBrowser -prefsHandle 5532 -prefMapHandle 5572 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {01d6e8d6-99b5-4119-9c62-ac0f5f1073fb} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4888 15332835e58 tab
    3⤵
    PID:740
- - C:\Users\Admin\Downloads\idman642build7.exe
    "C:\Users\Admin\Downloads\idman642build7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
      "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.10.1305770234\377060407" -childID 9 -isForBrowser -prefsHandle 5380 -prefMapHandle 5412 -prefsLen 26785 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bf94a8c-105f-4019-9e67-57403f60e51a} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 5392 15330635b58 tab
    3⤵
    PID:1336
- - C:\Users\Admin\Downloads\idman642build7.exe
    "C:\Users\Admin\Downloads\idman642build7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
      "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3548
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        5⤵
        Loads dropped DLL
        
        PID:3848
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        6⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3732
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        5⤵
        Loads dropped DLL
        
        PID:4020
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        6⤵
        Loads dropped DLL
        Registers COM server for autorun
        
        PID:2420
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        5⤵
        Loads dropped DLL
        
        PID:4032
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        6⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4172
    - - C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
        
        "C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
        5⤵
        Executes dropped EXE
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1572
    - - C:\Program Files (x86)\Internet Download Manager\IDMan.exe
        
        "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr /setlngid 1 /fulllngfile idm_ar.lng
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5068
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4984
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        7⤵
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:3548
      - C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
        
        "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5044
        
        C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
        7⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:748
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        
        PID:4676
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        7⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        8⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        7⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        7⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        8⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        7⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        8⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        7⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        8⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        7⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        8⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        7⤵
        Loads dropped DLL
        
        PID:5932
        
        C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        8⤵
        Loads dropped DLL
        Registers COM server for autorun
        
        PID:5948
      - C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe
        
        "C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.11.108397874\918040696" -childID 10 -isForBrowser -prefsHandle 4508 -prefMapHandle 4512 -prefsLen 26785 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75be4ec1-ee9e-45b7-80a1-9b1ae22055ef} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 5364 15333ed7258 tab
    3⤵
    PID:1572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.12.668045778\1472403916" -childID 11 -isForBrowser -prefsHandle 2680 -prefMapHandle 4848 -prefsLen 26785 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {edf7f4f6-70d0-43d1-9779-da685ca5faed} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 5688 1532f5bc558 tab
    3⤵
    PID:5276
- - C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe
    "C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe" "C:\Program Files (x86)\Internet Download Manager\IDMMsgHostMoz.json" [email protected]
    3⤵
    - Executes dropped EXE
    PID:1056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.13.2138548936\20330514" -childID 12 -isForBrowser -prefsHandle 6636 -prefMapHandle 4936 -prefsLen 27202 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c12f8c3d-b689-4e1d-80f0-d5d23232efc1} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4968 15333eacc58 tab
    3⤵
    PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.14.1648562351\242810935" -childID 13 -isForBrowser -prefsHandle 6900 -prefMapHandle 6996 -prefsLen 27202 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44e90997-cbe7-496b-90f1-3de3a619f92e} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 7000 15321462e58 tab
    3⤵
    PID:4624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.15.167052316\794486164" -childID 14 -isForBrowser -prefsHandle 6864 -prefMapHandle 6920 -prefsLen 27202 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6f84efb-3190-48ef-8d2a-37561bf63609} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 6948 15337378e58 tab
    3⤵
    PID:5592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.16.119568743\637077313" -childID 15 -isForBrowser -prefsHandle 7040 -prefMapHandle 6920 -prefsLen 27202 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {993ba06f-a4bf-4068-8759-815d3dfefdd7} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 7140 15334480558 tab
    3⤵
    PID:6060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.17.1932650302\1327975399" -childID 16 -isForBrowser -prefsHandle 6564 -prefMapHandle 6580 -prefsLen 27202 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba72554a-9144-4b6c-9a38-7100e7ecb91b} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 6552 1532146d958 tab
    3⤵
    PID:5448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.18.427741634\164988614" -childID 17 -isForBrowser -prefsHandle 4104 -prefMapHandle 6640 -prefsLen 27202 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc73fad3-a72c-4691-b03b-16861cf00ef0} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 2500 153341e6a58 tab
    3⤵
    PID:5260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.19.882848826\547912838" -childID 18 -isForBrowser -prefsHandle 7400 -prefMapHandle 7388 -prefsLen 27202 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc947d9-a17e-4ac7-9816-4ee4e93ea02c} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 7484 15321462e58 tab
    3⤵
    PID:6108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.20.615006520\514017118" -childID 19 -isForBrowser -prefsHandle 1556 -prefMapHandle 6868 -prefsLen 27202 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c9485c6-646e-45a7-8f2c-9aebea3d7594} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 7316 153377cdd58 tab
    3⤵
    PID:1148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.21.1178838993\621904585" -childID 20 -isForBrowser -prefsHandle 7144 -prefMapHandle 6976 -prefsLen 27202 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e668748d-75fd-4536-bd86-ffe17913773b} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 5224 153379bb558 tab
    3⤵
    PID:1004

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5228
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  PID:776
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    PID:4296
- C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
  "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3760
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    PID:5504
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      PID:5620
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:5680
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:4456
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:5948
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:2184
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:6056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:6092
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:5152
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:5232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:4224
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:5460
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:5140
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    PID:5432
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      PID:3616
- C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
  "C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5624
- C:\Users\Admin\Downloads\Programs\winrar-x64-700.exe
  "C:\Users\Admin\Downloads\Programs\winrar-x64-700.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5128

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4624
- C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\e9296255c97544b08c070e35da8fdd8b /t 1132 /p 5128
  2⤵
  PID:5888

C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE
"C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1436

C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE
"C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4288

C:\Windows\System32\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe" /D F
1⤵
- Enumerates connected drives
- Drops file in System32 directory
PID:3524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2116

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "F:\Supermarket.Simulator[wifi4games.com].rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4968

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "F:\Supermarket.Simulator[wifi4games.com].rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5220
- C:\Users\Admin\AppData\Local\Temp\7zO464890AF\Supermarket Simulator.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO464890AF\Supermarket Simulator.exe"
  2⤵
  - Executes dropped EXE
  PID:5284

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:4492

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:1004

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
- Drops file in System32 directory
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
PID:3564

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
PID:5484

F:\Supermarket.Simulator.v0.1.2.2\Supermarket Simulator.exe
"F:\Supermarket.Simulator.v0.1.2.2\Supermarket Simulator.exe"
1⤵
PID:2436
- F:\Supermarket.Simulator.v0.1.2.2\UnityCrashHandler64.exe
  "F:\Supermarket.Simulator.v0.1.2.2\UnityCrashHandler64.exe" --attach 2436 2194102358016
  2⤵
  PID:4084
- - F:\Supermarket.Simulator.v0.1.2.2\UnityCrashHandler64.exe
    "F:\Supermarket.Simulator.v0.1.2.2\UnityCrashHandler64.exe" "2436" "2194102358016"
    3⤵
    PID:4440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e0
1⤵
PID:3616

F:\Supermarket.Simulator.v0.1.2.2\Supermarket Simulator.exe
"F:\Supermarket.Simulator.v0.1.2.2\Supermarket Simulator.exe"
1⤵
PID:5784
- F:\Supermarket.Simulator.v0.1.2.2\UnityCrashHandler64.exe
  "F:\Supermarket.Simulator.v0.1.2.2\UnityCrashHandler64.exe" --attach 5784 1583866449920
  2⤵
  PID:5692
- - F:\Supermarket.Simulator.v0.1.2.2\UnityCrashHandler64.exe
    "F:\Supermarket.Simulator.v0.1.2.2\UnityCrashHandler64.exe" "5784" "1583866449920"
    3⤵
    PID:1852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9c055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery