Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-06-2024 06:43
Behavioral task: behavioral1
Sample: IDM/!)??.bat
Resource: win7-20240221-en
4 signatures, 150 seconds

Behavioral task: behavioral2
Sample: IDM/!)??.bat
Resource: win10v2004-20240508-en
4 signatures, 150 seconds
General
Target: IDM/!)??.bat
Size: 15KB
MD5: 8977acec22d71c30c123e01243728b28
SHA1: ef3d08cb61cf091505b3b2c2b689556bc327ecaa
SHA256: 7091a1fcc99bc61213ae109dcde8c6a044718351b4bb5bfa80cec692e78e8e5e
SHA512: de859ca413924f4a5a61ab4a847bf4cd8de58ea9616fb7cc63369ab4f3bdd4b16d21884e6efdccb445d9ae8068ecaabdd9c93c575e4be6b807059bbfa19ab6a4
SSDEEP: 384:MCFmoOfgEBLkHr5kkBQUsnLow8j/GkAyF+uVF+uS:Hr5kkBQxLow8jukAF
Score: 1/10
Malware Config
Signatures
- Kills process with taskkill (5 IoCs)
  Processes (pid, process):
  2100 taskkill.exe
  2560 taskkill.exe
  2628 taskkill.exe
  2032 taskkill.exe
  2492 taskkill.exe
- Runs .reg file with regedit (1 IoC)
  Processes (pid, process):
  1236 regedit.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 2100 taskkill.exe
  Token: SeDebugPrivilege 2560 taskkill.exe
  Token: SeDebugPrivilege 2628 taskkill.exe
  Token: SeDebugPrivilege 2032 taskkill.exe
  Token: SeDebugPrivilege 2492 taskkill.exe
  596 WMIC.exe: the following 20 token adjustments, each recorded twice (40 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process): every entry is PID 1728 cmd.exe writing to the memory of a child process it spawned. Targets, three entries each (63 entries): 3064 reg.exe, 2100 taskkill.exe, 2560 taskkill.exe, 2628 taskkill.exe, 2032 taskkill.exe, 2492 taskkill.exe, 2580 cmd.exe, 2576 findstr.exe, 2572 cmd.exe, 2448 findstr.exe, 2460 reg.exe, 2404 reg.exe, 2400 reg.exe, 2420 reg.exe, 2436 reg.exe, 2468 reg.exe, 2480 reg.exe, 2528 reg.exe, 2960 reg.exe, 3040 reg.exe, 2716 reg.exe; then 2964 reg.exe (one entry)
Processes ([n] is the depth in the process tree; signatures matched by a process are listed beneath it)
[1] PID:1728  C:\Windows\system32\cmd.exe  cmd /c "C:\Users\Admin\AppData\Local\Temp\IDM\!)__.bat"
    - Suspicious use of WriteProcessMemory
[2] PID:3064  C:\Windows\system32\reg.exe  REG QUERY "HKU\S-1-5-19"
[2] PID:2100  C:\Windows\system32\taskkill.exe  taskkill /F /IM "IDM*" /T
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] PID:2560  C:\Windows\system32\taskkill.exe  taskkill /F /IM "IEMonitor.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] PID:2628  C:\Windows\system32\taskkill.exe  taskkill /F /IM "IDMMsgHost.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] PID:2032  C:\Windows\system32\taskkill.exe  taskkill /F /IM "MediumILStart.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] PID:2492  C:\Windows\system32\taskkill.exe  taskkill /F /IM "IDMIntegrator64.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] PID:2580  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /S /D /c" ver"
[2] PID:2576  C:\Windows\system32\findstr.exe  findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
[2] PID:2572  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /S /D /c" ver"
[2] PID:2448  C:\Windows\system32\findstr.exe  findstr "5\.[0-9]\.[0-9][0-9]*"
[2] PID:2460  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager" /f
[2] PID:2404  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager" /f /reg:32
[2] PID:2400  C:\Windows\system32\reg.exe  reg delete "HKLM\Software\DownloadManager" /f
[2] PID:2420  C:\Windows\system32\reg.exe  reg delete "HKLM\Software\Download Manager" /f
[2] PID:2436  C:\Windows\system32\reg.exe  reg delete "HKLM\Software\DownloadManager" /f /reg:32
[2] PID:2468  C:\Windows\system32\reg.exe  reg delete "HKLM\Software\Download Manager" /f /reg:32
[2] PID:2480  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Internet Download Manager" /f
[2] PID:2528  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Internet Download Manager" /f /reg:32
[2] PID:2960  C:\Windows\system32\reg.exe  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
[2] PID:3040  C:\Windows\system32\reg.exe  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan" /reg:32
[2] PID:2716  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter" /f
[2] PID:2964  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Idmfsa.IDMEFSAgent" /f
[2] PID:2080  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1" /f
[2] PID:3008  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\AppID\idmBroker.EXE" /f
[2] PID:908  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\idmBroker.OptionsReader" /f
[2] PID:1588  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\idmBroker.OptionsReader.1" /f
[2] PID:2380  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
[2] PID:2804  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}" /f
[2] PID:2828  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
[2] PID:2784  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
[2] PID:2816  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
[2] PID:2792  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
[2] PID:2656  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
[2] PID:2928  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" /f
[2] PID:2944  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}" /f
[2] PID:2916  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}" /f
[2] PID:2984  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}" /f
[2] PID:3000  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}" /f
[2] PID:2940  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}" /f
[2] PID:2956  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f
[2] PID:1800  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}" /f
[2] PID:2684  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}" /f
[2] PID:2764  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}" /f
[2] PID:1444  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
[2] PID:1564  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:32
[2] PID:328  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f /reg:32
[2] PID:1528  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f /reg:32
[2] PID:1544  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f /reg:32
[2] PID:1684  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f /reg:32
[2] PID:1436  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}" /f /reg:32
[2] PID:2132  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}" /f /reg:32
[2] PID:2472  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}" /f /reg:32
[2] PID:2672  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f /reg:32
[2] PID:2688  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}" /f /reg:32
[2] PID:2592  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}" /f /reg:32
[2] PID:2660  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}" /f /reg:32
[2] PID:2736  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f /reg:32
[2] PID:2504  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.tonec.idm" /f
[2] PID:2668  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
[2] PID:1900  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.tonec.idm" /f /reg:32
[2] PID:2464  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f /reg:32
[2] PID:2768  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4" /f
[2] PID:2760  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI"
[2] PID:2648  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}" /f
[2] PID:2780  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
[2] PID:2508  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
[2] PID:1552  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
[2] PID:864  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}" /f /reg:32
[2] PID:2348  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f /reg:32
[2] PID:1336  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:32
[2] PID:1384  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Tracing\IDMan_RASAPI32" /f
[2] PID:1976  C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Tracing\IDMan_RASAPI32" /f /reg:32
[2] PID:1192  C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState" /f /v "PolicyState" /t REG_DWORD /d "2"
[2] PID:1264  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
[2] PID:868  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
[2] PID:1700  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /reg:32 /f
[2] PID:2212  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Classes\CLSID\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
[2] PID:2012  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\CocCoc\Browser\NativeMessagingHosts\com.tonec.idm" /f
[2] PID:2008  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\CocCoc\Browser\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
[2] PID:1944  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.tonec.idm" /f
[2] PID:2268  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Edge\Extensions\llbjbkhnmlidjebalopleeepgdfgcpec" /f
[2] PID:2500  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI"
[2] PID:1984  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
[2] PID:2376  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪" /f
[2] PID:1660  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" /f
[2] PID:2204  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Mozilla\NativeMessagingHosts\com.tonec.idm" /f
PID:1888  C:\Windows\system32\reg.exe  (no command line or tree depth recorded in the report)
PID:2884  C:\Windows\system32\reg.exe  (no command line or tree depth recorded in the report)
[2] PID:2880  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}" /f
[2] PID:2796  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}" /f
[2] PID:1612  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}" /f
[2] PID:1992  C:\Windows\system32\reg.exe  reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
[2] PID:1716  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
[2] PID:2024  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f /reg:32
[2] PID:324  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wmic userAccount where "Name='Admin'" get SID /value
[3] PID:596  C:\Windows\System32\Wbem\WMIC.exe  wmic userAccount where "Name='Admin'" get SID /value
    - Suspicious use of AdjustPrivilegeToken
[2] PID:584  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
[2] PID:612  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer" /f /v "DownloadUI"
[2] PID:2236  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
[2] PID:1808  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪" /f
[2] PID:852  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" /f
[2] PID:832  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\CocCoc\Browser\NativeMessagingHosts\com.tonec.idm" /f
[2] PID:1908  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\CocCoc\Browser\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
[2] PID:1752  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Edge\NativeMessagingHosts\com.tonec.idm" /f
[2] PID:1120  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Edge\Extensions\llbjbkhnmlidjebalopleeepgdfgcpec" /f
[2] PID:1084  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Mozilla\NativeMessagingHosts\com.tonec.idm" /f
[2] PID:1708  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
[2] PID:108  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
[2] PID:1108  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
[2] PID:1920  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f /reg:32
[2] PID:2264  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}" /f
[2] PID:2148  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}" /f
[2] PID:808  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}" /f
[2] PID:2364  C:\Windows\system32\reg.exe  reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
[2] PID:1168  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "MData"
[2] PID:2344  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "LName"
[2] PID:1916  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "FName"
[2] PID:2096  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "Email"
[2] PID:2044  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "Serial"
[2] PID:1224  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "vCOUFP"
[2] PID:1696  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "scansk"
[2] PID:1240  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "tvfrdt"
[2] PID:1720  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "radxcnt"
[2] PID:1268  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "idmvers"
[2] PID:1464  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "ExePath"
[2] PID:1480  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "TempPath"
[2] PID:1940  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "LstCheck"
[2] PID:1012  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "ptrk_scdt"
[2] PID:1304  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "LastCheckQU"
[2] PID:1536  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "CheckUpdtVM"
[2] PID:1820  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "TipTimeStamp"
[2] PID:1028  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "AppDataIDMFolder"
[2] PID:1624  C:\Windows\system32\reg.exe  reg delete "HKCU\Software\DownloadManager" /f /v "CommonAppDataIDMFolder"
[2] PID:1236  C:\Windows\regedit.exe  regedit /e "!)╤í╧ε┼Σ╓├.reg" HKEY_CURRENT_USER\Software\DownloadManager
    - Runs .reg file with regedit
[2] PID:1448  C:\Windows\system32\choice.exe  CHOICE /C 12 /N