Analysis Overview
SHA256
a7bc155fae90ec5b3f34a43273ac28800224d9479c634901f10f22c46e0d1841
Threat Level: Known bad
The file 98242cbb6f00c9189ebbdee83fd83310_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
UPX packed file
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Program Files directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: LoadsDriver
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-05 12:18
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240221-en
Max time kernel
118s
Max time network
129s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IDMan.exe /onboot" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\ | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IEExt.htm" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IEGetAll.htm" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IEGetVL.htm" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID\ = "DownlWithIDM.V2LinkProcessor" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Insertable | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CurVer\ = "IDMGetAll.IDMAllLinksProcessor.1" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\ = "LinkProcessor Class" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\ = "IDMGetAll 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ = "IIDMAllLinksProcessor" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\idmfsa.dll" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\idmfsa.dll" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\NumMethods | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Elevation\Enabled = "1" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\AppId = "{0F947660-8606-420A-BAC6-51B84DD22A47}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\downlWithIDM.dll" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32\ = "{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ = "IIDMEFSAgent" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\ = "V2LinkProcessor Class" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\downlWithIDM.dll" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ = "IV2LinkProcessor" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1\CLSID\ = "{0F947660-8606-420A-BAC6-51B84DD22A47}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\TypeLib\ = "{ECF21EAB-3AA8-4355-82BE-F777990001DD}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1\CLSID | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CurVer\ = "Idmfsa.IDMEFSAgent.1" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe
"C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe"
Network
Files
memory/2320-0-0x0000000000400000-0x00000000006DE000-memory.dmp
memory/2320-2-0x0000000077A00000-0x0000000077A01000-memory.dmp
memory/2320-1-0x00000000779FF000-0x0000000077A00000-memory.dmp
memory/2320-6-0x0000000000400000-0x00000000006DE000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
109s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2564 wrote to memory of 4128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2564 wrote to memory of 4128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2564 wrote to memory of 4128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\NP_IDM.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\NP_IDM.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4128 -ip 4128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:23
Platform
win7-20240220-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrl14C8.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\refzsk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\refzsk.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\refzsk.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\refzsk.exe | C:\Users\Admin\AppData\Local\Temp\hrl14C8.tmp | N/A |
| File created | C:\Windows\SysWOW64\hra33.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Windows\SysWOW64\refzsk.exe | C:\Users\Admin\AppData\Local\Temp\hrl14C8.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre7\bin\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Hearts\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Java\jre7\bin\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Internet Explorer\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\bin\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\FreeCell\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\7-Zip\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\DVD Maker\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Minesweeper\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Purble Place\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Solitaire\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Chess\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Mahjong\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\uninstall\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\lpk.dll | C:\Windows\SysWOW64\refzsk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrl14C8.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\refzsk.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hrl14C8.tmp | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\refzsk.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrl14C8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrl14C8.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\refzsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\refzsk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\lpk.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\lpk.dll",#1
C:\Users\Admin\AppData\Local\Temp\hrl14C8.tmp
C:\Users\Admin\AppData\Local\Temp\hrl14C8.tmp
C:\Windows\SysWOW64\refzsk.exe
C:\Windows\SysWOW64\refzsk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fei9988.3322.org | udp |
Files
\Users\Admin\AppData\Local\Temp\hrl14C8.tmp
| MD5 | ead0f910bc5b4b9986399f900d9c2491 |
| SHA1 | 9bb81a2c718e09548da9972128764888348a1a8b |
| SHA256 | 42ee3fac860b7ee954683289212a9cc851bf02fe4263eb2e5d0bd076524135d2 |
| SHA512 | 0650527090a7f676beb9f6e3af5b9ad556bf785a085ca876c45e1b0c5ca13c478fd12947e36dadf05924549d889a40d188dbccc377932ef085dcd57e5a42fd51 |
memory/2268-8-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2268-10-0x0000000077610000-0x0000000077611000-memory.dmp
memory/2268-9-0x000000007760F000-0x0000000077610000-memory.dmp
memory/2268-15-0x000000007EF90000-0x000000007EF9C000-memory.dmp
memory/2268-14-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\hra33.dll
| MD5 | 28bacfd7c4ffc16e93e364604529c753 |
| SHA1 | 9e68ea3a39c57632736c46c8b527c7953f60e9e9 |
| SHA256 | 455f67334f804d0c8e06f9d9f0736708de105ba8225cdd5b917502a79f01b2f7 |
| SHA512 | c3f96c644fd88a54c2586de3fbd9a800eaa3a20787ad0450855d996dc4768a0aa4533a2509932cb60ec4637027868a15596939238f6878ed524849859a3eeafd |
memory/2952-46-0x0000000000400000-0x0000000000434000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
109s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\USB_by_veto\\USB\\upx.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe
"C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/4596-0-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4596-4-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/4596-7-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4596-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/4596-3-0x0000000077513000-0x0000000077514000-memory.dmp
memory/4596-2-0x0000000077512000-0x0000000077513000-memory.dmp
memory/4596-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240221-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmftype.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmftype.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 224
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2236 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2236 wrote to memory of 1732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmftype.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmftype.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1732 -ip 1732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
163s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\VersionIndependentProgID\ = "IDMGetAll.IDMAllLinksProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ = "IIDMAllLinksProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\ = "IDMAllLinksProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CurVer\ = "IDMGetAll.IDMAllLinksProcessor.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ = "IDMAllLinksProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IDMGetAll.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\ = "IDMGetAll 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ = "IIDMAllLinksProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\ = "IDMAllLinksProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ProgID\ = "IDMGetAll.IDMAllLinksProcessor.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IDMGetAll.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4936 wrote to memory of 1544 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4936 wrote to memory of 1544 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4936 wrote to memory of 1544 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGetAll.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGetAll.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240221-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\Uninstall.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\Uninstall.exe"
Network
Files
memory/2760-0-0x0000000000400000-0x0000000000424000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
134s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\AppId = "{0F947660-8606-420A-BAC6-51B84DD22A47}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\ = "idmfsa 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\NumMethods\ = "12" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\ = "IDMEFSAgent Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\VersionIndependentProgID\ = "Idmfsa.IDMEFSAgent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ = "IIDMEFSAgent2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\idmfsa.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CLSID\ = "{0F947660-8606-420A-BAC6-51B84DD22A47}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}\DllSurrogate | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ = "IIDMEFSAgent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Elevation | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1\ = "IDMEFSAgent Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Elevation\Enabled = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\LocalizedString = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\idmfsa.dll,-100" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32\ = "{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1\CLSID\ = "{0F947660-8606-420A-BAC6-51B84DD22A47}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ = "IDM Elevated FS Assistant" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\idmfsa.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1848 wrote to memory of 5016 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1848 wrote to memory of 5016 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1848 wrote to memory of 5016 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmfsa.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmfsa.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
120s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGrHlp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGrHlp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGrHlp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGrHlp.exe
"C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGrHlp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240508-en
Max time kernel
137s
Max time network
120s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idman.chm"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:23
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmbrbtn.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmbrbtn.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 224
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240215-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2816 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2816 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2816 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2816 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2816 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2816 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2816 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmmkb.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmmkb.dll",#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
164s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4220 wrote to memory of 3764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4220 wrote to memory of 3764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4220 wrote to memory of 3764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmbrbtn.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmbrbtn.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3764 -ip 3764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240508-en
Max time kernel
121s
Max time network
134s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}\DllSurrogate | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\idmfsa.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ = "IIDMEFSAgent2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\AppId = "{0F947660-8606-420A-BAC6-51B84DD22A47}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1\ = "IDMEFSAgent Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\idmfsa.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32\ = "{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\ = "IDMEFSAgent Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1\CLSID\ = "{0F947660-8606-420A-BAC6-51B84DD22A47}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ = "IIDMEFSAgent2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ = "IDM Elevated FS Assistant" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\ = "idmfsa 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32\ = "{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\LocalizedString = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\idmfsa.dll,-100" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID\ = "Idmfsa.IDMEFSAgent.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Elevation\Enabled = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ = "IIDMEFSAgent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\NumMethods\ = "12" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ = "IDMEFSAgent Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmfsa.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmfsa.dll"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240221-en
Max time kernel
121s
Max time network
132s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGrHlp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGrHlp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGrHlp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGrHlp.exe
"C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGrHlp.exe"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240508-en
Max time kernel
122s
Max time network
134s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\compress.bat"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14060034016288874041697998012-1910565438-1536505108-483417405679775607-1650058313"
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe
upx -9 *.dll *.exe
Network
Files
memory/1144-2-0x00000000776AF000-0x00000000776B0000-memory.dmp
memory/1144-1-0x00000000776B0000-0x00000000776B1000-memory.dmp
memory/1144-0-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1144-6-0x0000000000400000-0x0000000000442000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
106s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\Uninstall.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3764-0-0x0000000000400000-0x0000000000424000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240508-en
Max time kernel
118s
Max time network
133s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IDMGetAll.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\VersionIndependentProgID\ = "IDMGetAll.IDMAllLinksProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ = "IIDMAllLinksProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ = "IIDMAllLinksProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1\ = "IDMAllLinksProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\ = "IDMAllLinksProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\ = "IDMGetAll 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ProgID\ = "IDMGetAll.IDMAllLinksProcessor.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ = "IDMAllLinksProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib\ = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CurVer\ = "IDMGetAll.IDMAllLinksProcessor.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IDMGetAll.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1688 wrote to memory of 2908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1688 wrote to memory of 2908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1688 wrote to memory of 2908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1688 wrote to memory of 2908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1688 wrote to memory of 2908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1688 wrote to memory of 2908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1688 wrote to memory of 2908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGetAll.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMGetAll.dll"
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240221-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IEMonitor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IEMonitor.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IEMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IEMonitor.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
103s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IEMonitor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IEMonitor.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IEMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IEMonitor.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:23
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\NP_IDM.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\NP_IDM.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 224
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240419-en
Max time kernel
119s
Max time network
130s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\ = "V2LinkProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\ = "downlWithIDM 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID\ = "DownlWithIDM.LinkProcessor.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\CLSID\ = "{4764030F-2733-45B9-AE62-3D1F4F6F2861}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID\ = "DownlWithIDM.V2LinkProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CLSID\ = "{CDD67718-A430-4AB9-A939-83D9074B0038}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\CLSID\ = "{4764030F-2733-45B9-AE62-3D1F4F6F2861}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CurVer\ = "DownlWithIDM.IDMDwnlMgr.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\ = "LinkProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ = "IVLinkProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Insertable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CurVer\ = "DownlWithIDM.LinkProcessor.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CurVer\ = "DownlWithIDM.VLinkProcessor.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CLSID\ = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\VersionIndependentProgID\ = "DownlWithIDM.LinkProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID\ = "DownlWithIDM.VLinkProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\ = "V2LinkProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ = "IV2LinkProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID\ = "DownlWithIDM.IDMDwnlMgr.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\ = "VLinkProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\Insertable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1\ = "131473" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1044 wrote to memory of 2384 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1044 wrote to memory of 2384 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1044 wrote to memory of 2384 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1044 wrote to memory of 2384 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1044 wrote to memory of 2384 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1044 wrote to memory of 2384 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1044 wrote to memory of 2384 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\downlWithIDM.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\downlWithIDM.dll"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
105s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IDMan.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IDMan.exe /onboot" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IEExt.htm" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Low Rights | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IEGetAll.htm" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IEGetVL.htm" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}\DllSurrogate | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor.1\CLSID\ = "{CDD67718-A430-4AB9-A939-83D9074B0038}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID\ = "DownlWithIDM.V2LinkProcessor" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\TypeLib | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\CLSID\ = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\Programmable | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1\ = "IDMDwnlMgr Class" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CLSID\ = "{0F947660-8606-420A-BAC6-51B84DD22A47}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\ = "idmfsa 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ = "IVLinkProcessor" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\NumMethods | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID\ = "Idmfsa.IDMEFSAgent.1" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\idmfsa.dll" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\Programmable | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\IDMGetAll.dll" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\CLSID | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\downlWithIDM.dll" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\downlWithIDM.dll" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CurVer | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\downlWithIDM.dll" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor.1\CLSID | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID\ = "DownlWithIDM.IDMDwnlMgr" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ = "IIDMEFSAgent2" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\TypeLib\ = "{ECF21EAB-3AA8-4355-82BE-F777990001DD}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ = "IDM Elevated FS Assistant" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775} | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\CLSID\ = "{4764030F-2733-45B9-AE62-3D1F4F6F2861}" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\TypeLib | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CurVer\ = "DownlWithIDM.VLinkProcessor.1" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CurVer\ = "DownlWithIDM.LinkProcessor.1" | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe
"C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\IDMan.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 2204
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.internetdownloadmanager.com | udp |
| US | 169.61.27.133:80 | www.internetdownloadmanager.com | tcp |
| US | 169.61.27.133:80 | www.internetdownloadmanager.com | tcp |
| US | 8.8.8.8:53 | 133.27.61.169.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4344-0-0x0000000000400000-0x00000000006DE000-memory.dmp
memory/4344-4-0x0000000077433000-0x0000000077434000-memory.dmp
memory/4344-3-0x0000000077432000-0x0000000077433000-memory.dmp
memory/4344-2-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/4344-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\testing_1\testing_1.log
| MD5 | 34295994e40b4781b8eacf75eb69dd14 |
| SHA1 | 9981048fcf6bed7e2b554941d3071e02d19586f3 |
| SHA256 | f85530de280d1dcc060b8c0601167fbc0c784b447302efc488ee3c957b327f5b |
| SHA512 | 3d58b25a25fed45b2119536fed296374b1727170e701e23118d5bfe2054ce453ee0df9513171eb6dd14eb0327c032cb35a2b0442904d0e0a63dc4ebe70f82e13 |
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\testing_1\testing_1.log
| MD5 | 61be55fae83cb25155f1fa6a7da13564 |
| SHA1 | fdcec8c3b0c3cbd0bac657b744ffaff38e53e425 |
| SHA256 | 0c960b262960ff687f321d48295da28c1f58ffe2f1673083d99a3f743906ef6f |
| SHA512 | 7d42e98f09266ceb43aa6448b2501eb890c5689d9f22ca0bf37436855275d22559edd3c92bc5f1cf2ad7d76f6c3ebdcdb547153f02884640ee6ac2a0c57d54f3 |
memory/4344-67-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/4344-70-0x0000000000400000-0x00000000006DE000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240226-en
Max time kernel
135s
Max time network
165s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ff88d9a2e98,0x7ff88d9a2ea4,0x7ff88d9a2eb0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3080 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3124 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5332 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5552 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\compress.bat"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe
upx -9 *.dll *.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3680 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp |
Files
memory/1996-0-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1996-2-0x00000000777C2000-0x00000000777C3000-memory.dmp
memory/1996-3-0x00000000777C3000-0x00000000777C4000-memory.dmp
memory/1996-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/1996-4-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1996-8-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/1996-10-0x0000000000400000-0x0000000000442000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
105s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrl3103.tmp:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\qsgqga.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\qsgqga.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\qsgqga.exe | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\qsgqga.exe | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| File created | C:\Windows\SysWOW64\hra33.dll | C:\Windows\SysWOW64\qsgqga.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\qsgqga.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\qsgqga.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\qsgqga.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\qsgqga.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\qsgqga.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\lpk.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\lpk.dll",#1
C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp
C:\Users\Admin\AppData\Local\Temp\hrl3103.tmp
C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\qsgqga.exe
C:\Windows\SysWOW64\qsgqga.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3224-9-0x00000000771F3000-0x00000000771F4000-memory.dmp
memory/3224-8-0x00000000771F2000-0x00000000771F3000-memory.dmp
memory/3224-7-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/3224-6-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/3224-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/3224-4-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\qsgqga.exe
| MD5 | ead0f910bc5b4b9986399f900d9c2491 |
| SHA1 | 9bb81a2c718e09548da9972128764888348a1a8b |
| SHA256 | 42ee3fac860b7ee954683289212a9cc851bf02fe4263eb2e5d0bd076524135d2 |
| SHA512 | 0650527090a7f676beb9f6e3af5b9ad556bf785a085ca876c45e1b0c5ca13c478fd12947e36dadf05924549d889a40d188dbccc377932ef085dcd57e5a42fd51 |
memory/1220-13-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3224-16-0x000000007FE30000-0x000000007FE3C000-memory.dmp
memory/3224-15-0x000000007FE30000-0x000000007FE3C000-memory.dmp
memory/3224-14-0x000000007FE30000-0x000000007FE3C000-memory.dmp
memory/3224-17-0x000000007FE30000-0x000000007FE3C000-memory.dmp
memory/3224-24-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3224-18-0x000000007FE40000-0x000000007FE4C000-memory.dmp
memory/1220-34-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\hra33.dll
| MD5 | 7147ff24579a477a1a34696926e573f1 |
| SHA1 | 9127ea8d813ecd5788b3f97777931ec79b7760e9 |
| SHA256 | fd08dcb016611316c849d48312ba6dc7d4de75d1a81c1d475a13bb5a1ba07267 |
| SHA512 | 077b68376679c30d2dbae460ed59f5131c177bdd7574af1c2660ed97ae242b1401816d012af321c278be065b49bc9eab395e008b1b9a2447aa27b694bbed1d5d |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240220-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe
"C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\USB_by_veto\USB\upx.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15327495092059029896608600068-1704279424-499724045-312915142-1734203391-623858314"
Network
Files
memory/1936-0-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1936-1-0x0000000000400000-0x0000000000442000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3060 wrote to memory of 904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3060 wrote to memory of 904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3060 wrote to memory of 904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmmbc.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmmbc.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 904 -ip 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 640
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
127s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 448 wrote to memory of 3080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 448 wrote to memory of 3080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 448 wrote to memory of 3080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmmkb.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmmkb.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win10v2004-20240426-en
Max time kernel
91s
Max time network
102s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\CurVer\ = "DownlWithIDM.V2LinkProcessor.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ = "VLinkProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID\ = "DownlWithIDM.VLinkProcessor.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\ = "downlWithIDM 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ = "IVLinkProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID\ = "DownlWithIDM.IDMDwnlMgr.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\ = "V2LinkProcessor Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\CLSID\ = "{4764030F-2733-45B9-AE62-3D1F4F6F2861}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ = "IDMDwnlMgr Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ = "IVLinkProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\downlWithIDM.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID\ = "DownlWithIDM.VLinkProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1\ = "131473" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ = "IV2LinkProcessor" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\CLSID\ = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\downlWithIDM.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\Insertable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDM v5.20 FULL_Portable\\IDM\\downlWithIDM.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CLSID\ = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5080 wrote to memory of 3740 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5080 wrote to memory of 3740 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5080 wrote to memory of 3740 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\downlWithIDM.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\downlWithIDM.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:23
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idman.chm"
Network
Files
memory/2880-23-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-05 12:17
Reported
2024-06-05 12:22
Platform
win7-20240508-en
Max time kernel
122s
Max time network
135s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmmbc.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\IDM v5.20 FULL_Portable\IDM\idmmbc.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 228