Analysis Overview
SHA256
b7d0ef1e51b79cddffbca307f864c6d8bae4afbc1b8ba338989d5af6727ce95d
Threat Level: Likely benign
The file b7d0ef1e51b79cddffbca307f864c6d8bae4afbc1b8ba338989d5af6727ce95d was found to be: Likely benign.
Malicious Activity Summary
One or more HTTP URLs in qr code identified
Kills process with taskkill
Runs .reg file with regedit
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-25 06:43
Signatures
One or more HTTP URLs in qr code identified
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 06:43
Reported
2024-06-25 06:46
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
155s
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IDM\!)__.bat"
C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
C:\Windows\system32\taskkill.exe
taskkill /F /IM "IDM*" /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM "IEMonitor.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM "IDMMsgHost.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM "MediumILStart.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM "IDMIntegrator64.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\findstr.exe
findstr "5\.[0-9]\.[0-9][0-9]*"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\DownloadManager" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Download Manager" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\DownloadManager" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Download Manager" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Internet Download Manager" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Internet Download Manager" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan" /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Idmfsa.IDMEFSAgent" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\AppID\idmBroker.EXE" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\idmBroker.OptionsReader" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\idmBroker.OptionsReader.1" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.tonec.idm" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Tracing\IDMan_RASAPI32" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Tracing\IDMan_RASAPI32" /f /reg:32
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState" /f /v "PolicyState" /t REG_DWORD /d "2"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /reg:32 /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Classes\CLSID\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\CocCoc\Browser\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\CocCoc\Browser\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Edge\Extensions\llbjbkhnmlidjebalopleeepgdfgcpec" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Mozilla\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f /reg:32
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic userAccount where "Name='Admin'" get SID /value
C:\Windows\System32\Wbem\WMIC.exe
wmic userAccount where "Name='Admin'" get SID /value
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer" /f /v "DownloadUI"
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\CocCoc\Browser\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\CocCoc\Browser\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Edge\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Edge\Extensions\llbjbkhnmlidjebalopleeepgdfgcpec" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Mozilla\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "MData"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "LName"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "FName"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "Email"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "Serial"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "vCOUFP"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "scansk"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "tvfrdt"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "radxcnt"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "idmvers"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "ExePath"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "TempPath"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "LstCheck"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "ptrk_scdt"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "LastCheckQU"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "CheckUpdtVM"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "TipTimeStamp"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "AppDataIDMFolder"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "CommonAppDataIDMFolder"
C:\Windows\regedit.exe
regedit /e "!)╤í╧ε┼Σ╓├.reg" HKEY_CURRENT_USER\Software\DownloadManager
C:\Windows\system32\choice.exe
CHOICE /C 12 /N
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 06:43
Reported
2024-06-25 06:45
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\IDM\!)__.bat"
C:\Windows\system32\reg.exe
REG QUERY "HKU\S-1-5-19"
C:\Windows\system32\taskkill.exe
taskkill /F /IM "IDM*" /T
C:\Windows\system32\taskkill.exe
taskkill /F /IM "IEMonitor.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM "IDMMsgHost.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM "MediumILStart.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM "IDMIntegrator64.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\findstr.exe
findstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver"
C:\Windows\system32\findstr.exe
findstr "5\.[0-9]\.[0-9][0-9]*"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\DownloadManager" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Download Manager" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\DownloadManager" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Download Manager" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Internet Download Manager" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Internet Download Manager" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan" /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Idmfsa.IDMEFSAgent" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\AppID\idmBroker.EXE" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\idmBroker.OptionsReader" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\idmBroker.OptionsReader.1" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.tonec.idm" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI"
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Tracing\IDMan_RASAPI32" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Tracing\IDMan_RASAPI32" /f /reg:32
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState" /f /v "PolicyState" /t REG_DWORD /d "2"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /reg:32 /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Classes\CLSID\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\CocCoc\Browser\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\CocCoc\Browser\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Edge\Extensions\llbjbkhnmlidjebalopleeepgdfgcpec" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Mozilla\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f /reg:32
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic userAccount where "Name='Admin'" get SID /value
C:\Windows\System32\Wbem\WMIC.exe
wmic userAccount where "Name='Admin'" get SID /value
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer" /f /v "DownloadUI"
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:32
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\CocCoc\Browser\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\CocCoc\Browser\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Edge\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Edge\Extensions\llbjbkhnmlidjebalopleeepgdfgcpec" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Mozilla\NativeMessagingHosts\com.tonec.idm" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f /reg:32
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}" /f
C:\Windows\system32\reg.exe
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "MData"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "LName"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "FName"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "Email"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "Serial"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "vCOUFP"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "scansk"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "tvfrdt"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "radxcnt"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "idmvers"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "ExePath"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "TempPath"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "LstCheck"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "ptrk_scdt"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "LastCheckQU"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "CheckUpdtVM"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "TipTimeStamp"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "AppDataIDMFolder"
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\DownloadManager" /f /v "CommonAppDataIDMFolder"
C:\Windows\regedit.exe
regedit /e "!)╤í╧ε┼Σ╓├.reg" HKEY_CURRENT_USER\Software\DownloadManager
C:\Windows\system32\choice.exe
CHOICE /C 12 /N
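The command lines above are one procedure: unregister IDM's COM classes, browser native-messaging hosts and extension entries, drop the `IDMan` Run value and the `DownloadManager` licence values, resolve the `Admin` account's SID with WMIC so the same keys can be hit under `HKU\<SID>`, export the `DownloadManager` key with `regedit /e`, then wait on `CHOICE`. As an added triage example (not part of the report and not the sample's own script), the Python below parses this kind of listing: it decodes each `reg add`/`reg delete` into hive, key, value and `/reg:NN` view, records the WMIC SID lookup and counts the `HKU\S-1-5-21-...` operations that rely on it, and distinguishes `regedit /e` (export to a file) from an import. The tag names and the choice of which keys to flag are this example's own assumptions; the sample listing is a constructed subset of the lines above with the garbled export file name replaced by a placeholder.

```python
"""Triage the reg.exe / wmic / regedit command lines of a sandbox process listing.
Added example, not part of the report above or of the analysed sample; the tag
rules are this example's own assumptions, not sandbox signatures."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed subset of the command lines in the listing above; the export
# file name is a placeholder (the report shows the real one garbled).
SAMPLE_LISTING = r"""
reg delete "HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState" /f /v "PolicyState" /t REG_DWORD /d "2"
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
reg delete "HKCU\SOFTWARE\Classes\CLSID\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
reg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f /reg:32
C:\Windows\system32\cmd.exe /c wmic userAccount where "Name='Admin'" get SID /value
C:\Windows\System32\Wbem\WMIC.exe
wmic userAccount where "Name='Admin'" get SID /value
reg delete "HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"
regedit /e "!)placeholder.reg" HKEY_CURRENT_USER\Software\DownloadManager
"""

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
WMIC_SID_RE = re.compile(r"""wmic\s+useraccount\s+where\s+"?name='([^']+)'"?\s+get\s+sid""", re.I)
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
HIGH_INTEREST = {"removes-trusted-root-cert", "alters-group-policy-state",
                 "autostart-removed", "autostart-added", "malformed-key-path"}

@dataclass
class RegOp:
    op: str                      # "add" or "delete"
    hive: str                    # normalised: HKLM, HKCU, HKU, ...
    key: str                     # path below the hive
    value: Optional[str] = None  # /v name, if any
    view: Optional[str] = None   # "32" or "64" from /reg:NN
    tags: list = field(default_factory=list)

def tokenize(cmd):
    """Split on whitespace, keeping quoted spans whole, and drop the quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmd)]

def parse_reg(cmd):
    """Decode 'reg add|delete <key> [/v name] [/reg:NN] ...'; /f /t /d are accepted and ignored."""
    t = tokenize(cmd)
    if len(t) < 3 or t[0].lower() != "reg" or t[1].lower() not in ("add", "delete"):
        return None
    hive, _, path = t[2].partition("\\")
    rec = RegOp(op=t[1].lower(), hive=HIVES.get(hive.upper(), hive.upper()), key=path)
    for i, f in enumerate(t[3:], start=3):
        if f.lower() == "/v" and i + 1 < len(t):
            rec.value = t[i + 1]
        elif f.lower().startswith("/reg:"):
            rec.view = f[5:]
    return tag(rec)

def tag(rec):
    """Attach triage tags (assumed rules) based on the key path."""
    k = rec.key.lower()
    if rec.op == "delete" and "systemcertificates\\authroot\\certificates\\" in k:
        rec.tags.append("removes-trusted-root-cert")
    if rec.op == "add" and k.endswith("group policy\\policyapplicationstate"):
        rec.tags.append("alters-group-policy-state")
    if k.endswith("currentversion\\run") and rec.value:
        rec.tags.append("autostart-removed" if rec.op == "delete" else "autostart-added")
    if "\\classes\\clsid\\software\\classes\\clsid\\" in k:
        rec.tags.append("malformed-key-path")  # hive-relative path pasted in twice
    if "\\classes\\" in k or "nativemessaginghosts" in k or "\\extensions" in k:
        rec.tags.append("com-or-browser-registration")
    if rec.hive == "HKU" and SID_RE.match(rec.key):
        rec.tags.append("per-user-hive-by-sid")
    return rec

def triage(listing):
    """Summarise registry, SID-lookup and regedit activity in one listing."""
    ops, sids, regedit = [], [], []
    for line in (l.strip() for l in listing.splitlines() if l.strip()):
        rec = parse_reg(line)
        m = WMIC_SID_RE.search(line)
        if rec:
            ops.append(rec)
        elif m:                               # 'cmd /c wmic ...' and 'wmic ...' both match
            if m.group(1) not in sids:
                sids.append(m.group(1))
        elif line.lower().startswith("regedit "):
            t = tokenize(line)
            if len(t) >= 4 and t[1].lower() == "/e":   # /e exports key -> file; /s would import
                regedit.append(("export", t[3]))
    hku = [o for o in ops if "per-user-hive-by-sid" in o.tags]
    return {
        "reg_ops": len(ops),
        "sid_lookups": sids,
        "hku_ops_after_sid_lookup": len(hku) if sids else 0,
        "flagged": [(o.hive + "\\" + o.key, o.value, tg)
                    for o in ops for tg in o.tags if tg in HIGH_INTEREST],
        "regedit": regedit,
    }
```

Run against the constructed subset, `triage` flags the `AuthRoot` certificate deletion, the `PolicyApplicationState` write, the `IDMan` Run-value deletions in `HKCU` and in the SID-resolved `HKU` hive, and the doubled `Software\Classes\CLSID` path, which targets a key that almost certainly does not exist. Two details worth keeping in mind when reading the listing itself: the final `regedit /e` call writes the `DownloadManager` key out to a `.reg` file rather than importing one, and the box-drawing runs in the `MenuExt` key names and in that file name are GBK-encoded Chinese rendered under the en-US sandbox's OEM code page (the IDM "Download with IDM" and "Download all links with IDM" menu entries, and a file name meaning "options configuration"), so on this image those particular deletes were issued with the garbled names.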