Analysis
-
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 06:43
Behavioral task behavioral1: Sample IDM/!)??.bat; Resource win7-20240221-en; 4 signatures; 150 seconds
Behavioral task behavioral2: Sample IDM/!)??.bat; Resource win10v2004-20240508-en; 4 signatures; 150 seconds (the run reported on this page)
General
-
Target: IDM/!)??.bat (the "??" are characters the report could not render; the same name appears as "!)__.bat" in the captured cmd.exe command line)
Size: 15KB
MD5: 8977acec22d71c30c123e01243728b28
SHA1: ef3d08cb61cf091505b3b2c2b689556bc327ecaa
SHA256: 7091a1fcc99bc61213ae109dcde8c6a044718351b4bb5bfa80cec692e78e8e5e
SHA512: de859ca413924f4a5a61ab4a847bf4cd8de58ea9616fb7cc63369ab4f3bdd4b16d21884e6efdccb445d9ae8068ecaabdd9c93c575e4be6b807059bbfa19ab6a4
SSDEEP: 384:MCFmoOfgEBLkHr5kkBQUsnLow8j/GkAyF+uVF+uS:Hr5kkBQxLow8jukAF
Score: 1/10
Malware Config
Signatures
-
Kills process with taskkill (5 IoCs)
  Processes: taskkill.exe PID 2364, 2220, 4616, 3012, 3588
  Each one is a forced kill (taskkill /F) of an IDM component by image name; see the process tree for the targets. The /F switch is also what makes taskkill enable SeDebugPrivilege, which is why the same five PIDs appear under AdjustPrivilegeToken below.
-
Runs .reg file with regedit (1 IoC)
  Processes: regedit.exe PID 2844
  Caveat: the captured command line is "regedit /e", which exports HKEY_CURRENT_USER\Software\DownloadManager to a .reg file; nothing is imported. The signature keys on the regedit.exe invocation, not on the direction of the operation. PID 2844 was also used earlier in this run by a reg.exe child of the script, so correlate on start time or process GUID rather than PID alone.
-
Suspicious use of AdjustPrivilegeToken (47 IoCs)
  taskkill.exe PID 2364, 2220, 4616, 3012, 3588: SeDebugPrivilege (one entry each)
  WMIC.exe PID 4604: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set of 21 privileges is recorded twice)
  The numeric entries are privilege LUIDs the report did not resolve to names; on Windows 10, 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. wmic.exe routinely enables the whole privilege set of its token when it starts, so this block mirrors the elevated administrator token the script ran under rather than anything the script requested.
-
Suspicious use of WriteProcessMemory (64 IoCs)
  cmd.exe PID 968 wrote to the memory of each child it started, every pairing recorded twice: reg.exe 4592; taskkill.exe 2364, 2220, 4616, 3012, 3588; cmd.exe 412; findstr.exe 4396; cmd.exe 3432; findstr.exe 2868; reg.exe 4100, 2828, 392, 3252, 1468, 1008, 2584, 2304, 3936, 2460, 2832, 2784, 2524, 2272, 2904, 2884, 4104, 4644, 2844, 4948, 3284, 5060.
  The listing is capped at 64 entries and stops at reg.exe 5060 although the process tree continues well past it. Every entry is a parent writing into a child it has just created, which CreateProcess does for any new process; the signature carries no injection meaning here.
Processes
-
Captured process tree. Depth [1] is the cmd.exe that ran the submitted script, [2] its direct children, [3] a grandchild. Images live in C:\Windows\system32\ unless a full path is shown; "sig:" lists the signatures that fired on that process. Command lines are reproduced as captured, including the mojibake in three of them: the batch file's Chinese strings are GBK bytes that the en-US sandbox displayed through code page 437, so "╩╣╙├ IDM ╧┬╘╪" is 使用 IDM 下载 (Download with IDM), "╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" is 使用 IDM 下载全部链接 (Download all links with IDM), and the export file "!)╤í╧ε┼Σ╓├.reg" is !)选项配置.reg (options configuration).

[1] PID 968   cmd.exe        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IDM\!)__.bat"
              sig: Suspicious use of WriteProcessMemory
  [2] PID 4592  reg.exe        REG QUERY "HKU\S-1-5-19"
  [2] PID 2364  taskkill.exe   taskkill /F /IM "IDM*" /T
                sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2220  taskkill.exe   taskkill /F /IM "IEMonitor.exe"
                sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 4616  taskkill.exe   taskkill /F /IM "IDMMsgHost.exe"
                sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 3012  taskkill.exe   taskkill /F /IM "MediumILStart.exe"
                sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 3588  taskkill.exe   taskkill /F /IM "IDMIntegrator64.exe"
                sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 412   cmd.exe        C:\Windows\system32\cmd.exe /S /D /c" ver"
  [2] PID 4396  findstr.exe    findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
  [2] PID 3432  cmd.exe        C:\Windows\system32\cmd.exe /S /D /c" ver"
  [2] PID 2868  findstr.exe    findstr "5\.[0-9]\.[0-9][0-9]*"
  [2] PID 4100  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager" /f
  [2] PID 2828  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager" /f /reg:32
  [2] PID 392   reg.exe        reg delete "HKLM\Software\DownloadManager" /f
  [2] PID 3252  reg.exe        reg delete "HKLM\Software\Download Manager" /f
  [2] PID 1468  reg.exe        reg delete "HKLM\Software\DownloadManager" /f /reg:32
  [2] PID 1008  reg.exe        reg delete "HKLM\Software\Download Manager" /f /reg:32
  [2] PID 2584  reg.exe        reg delete "HKLM\SOFTWARE\Internet Download Manager" /f
  [2] PID 2304  reg.exe        reg delete "HKLM\SOFTWARE\Internet Download Manager" /f /reg:32
  [2] PID 3936  reg.exe        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
  [2] PID 2460  reg.exe        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan" /reg:32
  [2] PID 2832  reg.exe        reg delete "HKLM\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter" /f
  [2] PID 2784  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Idmfsa.IDMEFSAgent" /f
  [2] PID 2524  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1" /f
  [2] PID 2272  reg.exe        reg delete "HKLM\SOFTWARE\Classes\AppID\idmBroker.EXE" /f
  [2] PID 2904  reg.exe        reg delete "HKLM\SOFTWARE\Classes\idmBroker.OptionsReader" /f
  [2] PID 2884  reg.exe        reg delete "HKLM\SOFTWARE\Classes\idmBroker.OptionsReader.1" /f
  [2] PID 4104  reg.exe        reg delete "HKLM\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
  [2] PID 4644  reg.exe        reg delete "HKLM\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}" /f
  [2] PID 2844  reg.exe        reg delete "HKLM\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
  [2] PID 4948  reg.exe        reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
  [2] PID 3284  reg.exe        reg delete "HKLM\SOFTWARE\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
  [2] PID 5060  reg.exe        reg delete "HKLM\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
  [2] PID 2340  reg.exe        reg delete "HKLM\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
  [2] PID 4044  reg.exe        reg delete "HKLM\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" /f
  [2] PID 3564  reg.exe        reg delete "HKLM\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}" /f
  [2] PID 2200  reg.exe        reg delete "HKLM\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}" /f
  [2] PID 312   reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}" /f
  [2] PID 4212  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}" /f
  [2] PID 1912  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}" /f
  [2] PID 4944  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f
  [2] PID 1980  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}" /f
  [2] PID 2708  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}" /f
  [2] PID 1996  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}" /f
  [2] PID 3896  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
  [2] PID 4732  reg.exe        reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:32
  [2] PID 4048  reg.exe        reg delete "HKLM\SOFTWARE\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f /reg:32
  [2] PID 4804  reg.exe        reg delete "HKLM\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f /reg:32
  [2] PID 4308  reg.exe        reg delete "HKLM\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f /reg:32
  [2] PID 1576  reg.exe        reg delete "HKLM\SOFTWARE\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f /reg:32
  [2] PID 3980  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}" /f /reg:32
  [2] PID 1872  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}" /f /reg:32
  [2] PID 4568  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}" /f /reg:32
  [2] PID 2860  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f /reg:32
  [2] PID 1944  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}" /f /reg:32
  [2] PID 1240  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}" /f /reg:32
  [2] PID 2000  reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}" /f /reg:32
  [2] PID 100   reg.exe        reg delete "HKLM\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f /reg:32
  [2] PID 916   reg.exe        reg delete "HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.tonec.idm" /f
  [2] PID 1412  reg.exe        reg delete "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
  [2] PID 3264  reg.exe        reg delete "HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.tonec.idm" /f /reg:32
  [2] PID 1824  reg.exe        reg delete "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f /reg:32
  [2] PID 1112  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4" /f
  [2] PID 1088  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI"
  [2] PID 1276  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}" /f
  [2] PID 4132  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
  [2] PID 1060  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
  [2] PID 2608  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
  [2] PID 208   reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}" /f /reg:32
  [2] PID 4736  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f /reg:32
  [2] PID 3920  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:32
  [2] PID 8     reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Tracing\IDMan_RASAPI32" /f
  [2] PID 2656  reg.exe        reg delete "HKLM\SOFTWARE\Microsoft\Tracing\IDMan_RASAPI32" /f /reg:32
  [2] PID 4344  reg.exe        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState" /f /v "PolicyState" /t REG_DWORD /d "2"
  [2] PID 2240  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
  [2] PID 4536  reg.exe        reg delete "HKCU\SOFTWARE\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  [2] PID 3604  reg.exe        reg delete "HKCU\SOFTWARE\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /reg:32 /f
  [2] PID 4412  reg.exe        reg delete "HKCU\SOFTWARE\Classes\CLSID\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  [2] PID 4768  reg.exe        reg delete "HKCU\SOFTWARE\CocCoc\Browser\NativeMessagingHosts\com.tonec.idm" /f
  [2] PID 2768  reg.exe        reg delete "HKCU\SOFTWARE\CocCoc\Browser\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
  [2] PID 4032  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.tonec.idm" /f
  [2] PID 5076  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Edge\Extensions\llbjbkhnmlidjebalopleeepgdfgcpec" /f
  [2] PID 4404  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI"
  [2] PID 1520  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
  [2] PID 4064  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪" /f
  [2] PID 2360  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" /f
  [2] PID 3628  reg.exe        reg delete "HKCU\SOFTWARE\Mozilla\NativeMessagingHosts\com.tonec.idm" /f
  [2] PID 3556  reg.exe        (command line not captured)
  [2] PID 1340  reg.exe        (command line not captured)
  [2] PID 2232  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}" /f
  [2] PID 4496  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}" /f
  [2] PID 3156  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}" /f
  [2] PID 4208  reg.exe        reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
  [2] PID 1536  reg.exe        reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
  [2] PID 1900  reg.exe        reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f /reg:32
  [2] PID 3852  cmd.exe        C:\Windows\system32\cmd.exe /c wmic userAccount where "Name='Admin'" get SID /value
    [3] PID 4604  C:\Windows\System32\Wbem\WMIC.exe   wmic userAccount where "Name='Admin'" get SID /value
                  sig: Suspicious use of AdjustPrivilegeToken
  [2] PID 1708  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
  [2] PID 4832  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer" /f /v "DownloadUI"
  [2] PID 2864  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
  [2] PID 2024  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪" /f
  [2] PID 4460  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" /f
  [2] PID 4436  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\CocCoc\Browser\NativeMessagingHosts\com.tonec.idm" /f
  [2] PID 4592  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\CocCoc\Browser\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
  [2] PID 4216  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Edge\NativeMessagingHosts\com.tonec.idm" /f
  [2] PID 948   reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Edge\Extensions\llbjbkhnmlidjebalopleeepgdfgcpec" /f
  [2] PID 368   reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Mozilla\NativeMessagingHosts\com.tonec.idm" /f
  [2] PID 3836  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
  [2] PID 3448  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
  [2] PID 964   reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
  [2] PID 936   reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f /reg:32
  [2] PID 3012  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}" /f
  [2] PID 4300  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}" /f
  [2] PID 4320  reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}" /f
  [2] PID 412   reg.exe        reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
  [2] PID 2236  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "MData"
  [2] PID 4004  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "LName"
  [2] PID 1408  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "FName"
  [2] PID 2068  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "Email"
  [2] PID 880   reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "Serial"
  [2] PID 392   reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "vCOUFP"
  [2] PID 3252  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "scansk"
  [2] PID 1468  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "tvfrdt"
  [2] PID 1008  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "radxcnt"
  [2] PID 3356  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "idmvers"
  [2] PID 1560  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "ExePath"
  [2] PID 3080  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "TempPath"
  [2] PID 1544  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "LstCheck"
  [2] PID 2788  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "ptrk_scdt"
  [2] PID 2528  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "LastCheckQU"
  [2] PID 1364  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "CheckUpdtVM"
  [2] PID 884   reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "TipTimeStamp"
  [2] PID 2904  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "AppDataIDMFolder"
  [2] PID 3132  reg.exe        reg delete "HKCU\Software\DownloadManager" /f /v "CommonAppDataIDMFolder"
  [2] PID 2844  C:\Windows\regedit.exe   regedit /e "!)╤í╧ε┼Σ╓├.reg" HKEY_CURRENT_USER\Software\DownloadManager
                sig: Runs .reg file with regedit
  [2] PID 2060  choice.exe     CHOICE /C 12 /N

Analyst notes
-
What the script does: it is an Internet Download Manager (IDM) cleanup/reset routine. It force-kills the IDM processes, then removes the uninstall entries, the COM registrations (AppID, CLSID, TypeLib, Interface and ProgID keys under HKLM\SOFTWARE\Classes), the browser integration (Chrome, Edge and CocCoc extension and NativeMessagingHosts entries, the Mozilla native-messaging host, the IE BHO, MenuExt, DownloadUI and Low Rights DragDrop/ElevationPolicy entries), the IDMan Run entries in HKLM and HKCU, and finally the per-user registration and state values (Serial, Email, FName, LName, MData and the rest) under HKCU\Software\DownloadManager. The only write is a single DWORD (PolicyState=2 under Group Policy\PolicyApplicationState). The 1/10 score is consistent with that: no payload is dropped and no persistence is created.
Elevation check: REG QUERY "HKU\S-1-5-19" at the top of the tree is the common batch idiom for testing whether the token is elevated, since that hive is not readable by a standard user; the two "ver | findstr" pairs are OS version checks (6.x/10.x versus 5.x).
Both registry views: every HKLM delete is issued twice, once natively and once with /reg:32 against the WOW6432Node view. The tree records process creation only, not exit codes, so whether a given key existed or was actually removed is not known from this report.
Root store: the delete under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 removes a certificate from the machine's third-party root store by thumbprint. Identify which certificate that thumbprint belongs to before treating the script as harmless.
Script bug: PID 4412 targets the malformed path HKCU\SOFTWARE\Classes\CLSID\Software\Classes\CLSID\{E6871B76-...}; the same CLSID is deleted with the correct path by PIDs 1536 and 1900.
Per-user cleanup twice over: WMIC resolves the SID of the "Admin" account so that the HKCU deletes can be repeated against HKU\<SID>; in this run that is S-1-5-21-2804150937-2146708401-419095071-1000, the same hive HKCU already maps to.
Gaps in the capture: reg.exe PIDs 3556 and 1340 have no command line recorded, and the value name in the two SeaMonkey\Extensions deletes is rendered by the page as "[email protected]" and is not recoverable from the report.
PID reuse: PIDs 4592, 3012, 412, 392, 3252, 1468, 1008, 2904 and 2844 each appear twice in the tree for different processes. Match on process start time or process GUID, not PID, when correlating with the signature lists.
End of run: the script ends on CHOICE /C 12 /N waiting for a keypress, which an unattended sandbox never supplies; that is consistent with the run hitting the 150 second limit.
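The tree above is long and repetitive, which is exactly when an analyst wants a script rather than eyes. The following Python helper is an added example, not part of the sandbox report or of the analysed batch file: it re-parses a handful of the command lines copied verbatim from the tree, classifies each one (reg delete/add/query, regedit export versus import, /reg:32 WOW64 view, Run-key persistence, forced kills) and reverses the mojibake in the Chinese key names. The sample list, the Finding dataclass and the function names are this example's own. It assumes the batch file is GBK-encoded and was displayed through code page 437, the en-US OEM code page that the report's locale:en-us tag implies.

```python
"""Triage helper for a captured process tree such as the one above.

Added example, not part of the sandbox report or of the analysed batch file.
Assumption: the batch file is GBK-encoded and was run under OEM code page
437 (en-US), so each Chinese character shows as two box-drawing glyphs.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: command lines copied verbatim from the tree above.
SAMPLE_CMDLINES = [
    'REG QUERY "HKU\\S-1-5-19"',
    'taskkill /F /IM "IDM*" /T',
    'reg delete "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /f /v "IDMan"',
    'reg delete "HKLM\\SOFTWARE\\Classes\\CLSID\\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:32',
    'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\PolicyApplicationState" /f /v "PolicyState" /t REG_DWORD /d "2"',
    'reg delete "HKCU\\SOFTWARE\\Microsoft\\Internet Explorer\\MenuExt\\╩╣╙├ IDM ╧┬╘╪" /f',
    'regedit /e "!)╤í╧ε┼Σ╓├.reg" HKEY_CURRENT_USER\\Software\\DownloadManager',
    'wmic userAccount where "Name=\'Admin\'" get SID /value',
]

# Any key under ...\CurrentVersion\Run (Run, RunOnce, ...) launches things at
# logon: a delete there removes persistence, an add creates it.
PERSISTENCE_MARKER = r"\currentversion\run"

_REG = re.compile(r'^reg\s+(add|delete|query)\s+(?:"([^"]+)"|(\S+))(.*)$', re.I)
_REGEDIT = re.compile(r"^regedit(?:\.exe)?\s+(.*)$", re.I)
_EXPORT = re.compile(r'/e\s+(?:"([^"]+)"|(\S+))\s+(\S+)', re.I)
_VALUE = re.compile(r'/v\s+"([^"]*)"', re.I)
_IMAGE = re.compile(r'/IM\s+"([^"]+)"', re.I)


def demojibake(text: str) -> str:
    """Undo GBK text that was displayed through code page 437.

    Re-encoding the box-drawing glyphs as CP437 recovers the script's original
    bytes, which then decode as GBK. Pure ASCII survives the round trip
    unchanged; anything not CP437-representable or not valid GBK is returned
    as-is rather than guessed at.
    """
    try:
        return text.encode("cp437").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


@dataclass
class Finding:
    tool: str                  # reg, regedit, taskkill, wmic or other
    action: str                # delete, add, query, export, import, kill, run
    target: str                # registry key, image name, WMI class or raw line
    detail: str = ""           # export file name, taskkill flags, ...
    value: str = ""            # /v value name, if any
    wow64: bool = False        # /reg:32 -> WOW6432Node view on x64
    persistence: bool = False  # touches a Run-family key


def classify(cmdline: str) -> Finding:
    """Map one captured command line to a Finding."""
    line = demojibake(cmdline.strip())
    m = _REG.match(line)
    if m:
        action, key, rest = m.group(1).lower(), m.group(2) or m.group(3), m.group(4)
        vm = _VALUE.search(rest)
        return Finding(
            tool="reg", action=action, target=key,
            value=vm.group(1) if vm else "",
            wow64="/reg:32" in rest.lower(),
            persistence=PERSISTENCE_MARKER in key.lower(),
        )
    m = _REGEDIT.match(line)
    if m:
        em = _EXPORT.search(m.group(1))
        if em:  # regedit /e <file> <key> writes a .reg file; it imports nothing
            return Finding("regedit", "export", target=em.group(3),
                           detail=em.group(1) or em.group(2))
        return Finding("regedit", "import", target=m.group(1))
    if line.lower().startswith("taskkill"):
        flags = {tok.lower() for tok in line.split()}
        names = [n for f, n in (("/f", "force"), ("/t", "tree")) if f in flags]
        im = _IMAGE.search(line)
        return Finding("taskkill", "kill", target=im.group(1) if im else line,
                       detail=",".join(names))
    if line.lower().startswith("wmic"):
        return Finding("wmic", "query", target=line.split()[1], detail=line)
    return Finding("other", "run", target=line)


def summarize(cmdlines):
    """Roll a list of command lines up into the numbers a triage note needs."""
    findings = [classify(c) for c in cmdlines]
    return {
        "counts": dict(Counter(f"{f.tool} {f.action}" for f in findings)),
        "persistence_keys": [f.target for f in findings if f.persistence],
        "wow64_view": sum(f.wow64 for f in findings),
        "killed_images": [f.target for f in findings if f.tool == "taskkill"],
    }


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(classify(c))
    print(summarize(SAMPLE_CMDLINES))
```

Feed it the full list of command lines from the tree and the summary gives the counts that matter for the verdict (how many deletes versus adds, whether any Run key is touched, whether regedit exported or imported) instead of a wall of reg.exe lines. The demojibake step is deliberately conservative: a string that does not round-trip cleanly through CP437 and GBK is left alone, so the helper never invents a key name.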