1a82cb0d112d563a348197d54874540cfe505f0f32955aa90e80c24c31b2d79d

Analysis

max time kernel
101s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-08-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

idman642build17.exe
Size

11.6MB
MD5

1101cdcc8cae6e79f117cd26e25bcd39
SHA1

1fd046eb58d09caaafb128ee2596690a14763283
SHA256

6fb3984acc4c678d8b6c1b3c4826dff677f4ca48f1ce1b799432e613d90a9731
SHA512

17fc4c0ad587c1c6e20092a9d57449f1935a83fc28dc58601bc5b28e538c9c17988e879a111497459207e32f4b7988208fe50f0e334bb67476984bbef2cfc222
SSDEEP

196608:En5pmdpmRFqnCsnyHkUCRMUWZNvOgrGUKoqUQ2rwJfbNxNDZ4VePWD2peZAqv4F:K2sRF0CkyEU62uJknw3xpZeKpeXv2

Score

8^/10

adware discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\idmwfp.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\idmwfp.sys	DrvInst.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe /onboot"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\SETD00D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\SETD00E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\SETD00D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\SETD00E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\SETD01E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\SETD01E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\idmwfp.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}	DrvInst.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_al.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMMsgHostMoz.json	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_cz.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMEdgeExt.crx	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_fi.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMNetMon64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_tr.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_bg.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_id.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_jp.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_hi.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi.cat	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmfsa.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMFType.dat	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_it.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_sk.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMVMPrs64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_mn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_nl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp.inf	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_iw.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMFType64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ru.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_kr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_es.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.json	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_fr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_nl.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmvs.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_largeHot_3_hdpi15.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGCExt59.crx	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmnmcl.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ar.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_th.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\template.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_ar.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_kr.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_iw.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ge.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\tutor.chm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfpAA.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_cht.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmvconv.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_gr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmcchandler7.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_mm.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_jp.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMShellExt.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmindex.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ua.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_tr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_hu.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\libcrypto.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ug.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_sr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_largeHot_3.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_pl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_de.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc7.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ge.lng	IDM1.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Executes dropped EXE 7 IoCs

pid	Process
5084	IDM1.tmp
3368	idmBroker.exe
1976	IDMan.exe
4136	Uninstall.exe
1428	MediumILStart.exe
3436	IDMan.exe
1248	Uninstall.exe

Loads dropped DLL 37 IoCs

pid	Process
5084	IDM1.tmp
5084	IDM1.tmp
5084	IDM1.tmp
5084	IDM1.tmp
3604	regsvr32.exe
4816	regsvr32.exe
2904	regsvr32.exe
1932	regsvr32.exe
4020	regsvr32.exe
3088	regsvr32.exe
1976	IDMan.exe
1976	IDMan.exe
1976	IDMan.exe
1976	IDMan.exe
1976	IDMan.exe
1500	regsvr32.exe
3556	regsvr32.exe
2916	regsvr32.exe
1972	regsvr32.exe
1228	regsvr32.exe
3468	regsvr32.exe
3112	regsvr32.exe
4716	regsvr32.exe
3408	Process not Found
3408	Process not Found
2208	regsvr32.exe
572	regsvr32.exe
3436	IDMan.exe
3436	IDMan.exe
3436	IDMan.exe
3436	IDMan.exe
3436	IDMan.exe
2544	regsvr32.exe
2344	regsvr32.exe
384	regsvr32.exe
5012	regsvr32.exe
3436	IDMan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idmBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDMan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediumILStart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idman642build17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDMan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3"	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppName = "IDMan.exe"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}	idmBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights	idmBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDM1.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\Policy = "3"	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib\ = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage.1\ = "IDMHelperLinksStorage Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\NumMethods	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\ = "IDMAllLinksProcessor Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM.dll, 101"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32\ThreadingModel = "Apartment"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\CLSID	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Programmable	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CurVer\ = "DownlWithIDM.VLinkProcessor.1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent\CLSID\ = "{0F947660-8606-420A-BAC6-51B84DD22A47}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\ = "IIDMIEHlprObj"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\CurVer\ = "IDMIECC.IDMIEHlprObj.1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\FLAGS\ = "0"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ = "IV2LinkProcessor"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\idmfsa.dll"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Idmfsa.IDMEFSAgent	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idmBroker.OptionsReader.1\CLSID	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMHelperLinksStorage\CLSID\ = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\VersionIndependentProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ = "IDM Elevated FS Assistant"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\FLAGS	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\ = "IDMHelperLinksStorage Class"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ = "ILinkProcessor"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ = "IIDMEFSAgent"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0\win32	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\VersionIndependentProgID\ = "IDMIECC.IDMHelperLinksStorage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ = "IOptionsReader"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\NumMethods\ = "16"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ = "IIDMEFSAgent"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor.1\ = "VLinkProcessor Class"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}	IDM1.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\VersionIndependentProgID	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\ = "IDM Shell Extension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID\ = "DownlWithIDM.LinkProcessor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32\ = "{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ProgID\ = "IDMGetAll.IDMAllLinksProcessor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\TypeLib\ = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMIECC.IDMIEHlprObj\CLSID\ = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib	IDMan.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5084	IDM1.tmp
5084	IDM1.tmp
5084	IDM1.tmp
5084	IDM1.tmp
5084	IDM1.tmp
5084	IDM1.tmp
5084	IDM1.tmp
5084	IDM1.tmp
5084	IDM1.tmp
5084	IDM1.tmp
1976	IDMan.exe
1976	IDMan.exe

Suspicious behavior: LoadsDriver 12 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5084	IDM1.tmp
Token: SeRestorePrivilege	1976	IDMan.exe
Token: SeAuditPrivilege	3008	svchost.exe
Token: SeSecurityPrivilege	3008	svchost.exe
Token: SeDebugPrivilege	772	firefox.exe
Token: SeDebugPrivilege	772	firefox.exe
Token: SeRestorePrivilege	5088	DrvInst.exe
Token: SeBackupPrivilege	5088	DrvInst.exe
Token: SeBackupPrivilege	1976	IDMan.exe
Token: SeDebugPrivilege	2344	regsvr32.exe
Token: SeDebugPrivilege	2344	regsvr32.exe
Token: SeRestorePrivilege	4412	DrvInst.exe
Token: SeBackupPrivilege	4412	DrvInst.exe
Token: SeDebugPrivilege	1420	RUNDLL32.EXE
Token: SeDebugPrivilege	1420	RUNDLL32.EXE
Token: SeDebugPrivilege	5012	regsvr32.exe
Token: SeDebugPrivilege	5012	regsvr32.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
772	firefox.exe
1976	IDMan.exe
3436	IDMan.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1976	IDMan.exe
3436	IDMan.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1976	IDMan.exe
1976	IDMan.exe
4136	Uninstall.exe
772	firefox.exe
1976	IDMan.exe
1976	IDMan.exe
3436	IDMan.exe
3436	IDMan.exe
1248	Uninstall.exe
3436	IDMan.exe
3436	IDMan.exe
3436	IDMan.exe
3436	IDMan.exe
3436	IDMan.exe
3436	IDMan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 5084	2380	idman642build17.exe	81
PID 2380 wrote to memory of 5084	2380	idman642build17.exe	81
PID 2380 wrote to memory of 5084	2380	idman642build17.exe	81
PID 5084 wrote to memory of 4816	5084	IDM1.tmp	83
PID 5084 wrote to memory of 4816	5084	IDM1.tmp	83
PID 5084 wrote to memory of 4816	5084	IDM1.tmp	83
PID 5084 wrote to memory of 3604	5084	IDM1.tmp	84
PID 5084 wrote to memory of 3604	5084	IDM1.tmp	84
PID 5084 wrote to memory of 3604	5084	IDM1.tmp	84
PID 5084 wrote to memory of 2904	5084	IDM1.tmp	85
PID 5084 wrote to memory of 2904	5084	IDM1.tmp	85
PID 5084 wrote to memory of 2904	5084	IDM1.tmp	85
PID 4816 wrote to memory of 1932	4816	regsvr32.exe	87
PID 4816 wrote to memory of 1932	4816	regsvr32.exe	87
PID 3604 wrote to memory of 4020	3604	regsvr32.exe	86
PID 3604 wrote to memory of 4020	3604	regsvr32.exe	86
PID 5084 wrote to memory of 3368	5084	IDM1.tmp	88
PID 5084 wrote to memory of 3368	5084	IDM1.tmp	88
PID 5084 wrote to memory of 3368	5084	IDM1.tmp	88
PID 2904 wrote to memory of 3088	2904	regsvr32.exe	89
PID 2904 wrote to memory of 3088	2904	regsvr32.exe	89
PID 5084 wrote to memory of 1976	5084	IDM1.tmp	92
PID 5084 wrote to memory of 1976	5084	IDM1.tmp	92
PID 5084 wrote to memory of 1976	5084	IDM1.tmp	92
PID 1976 wrote to memory of 1500	1976	IDMan.exe	93
PID 1976 wrote to memory of 1500	1976	IDMan.exe	93
PID 1976 wrote to memory of 1500	1976	IDMan.exe	93
PID 1976 wrote to memory of 3556	1976	IDMan.exe	94
PID 1976 wrote to memory of 3556	1976	IDMan.exe	94
PID 1976 wrote to memory of 3556	1976	IDMan.exe	94
PID 1976 wrote to memory of 2916	1976	IDMan.exe	95
PID 1976 wrote to memory of 2916	1976	IDMan.exe	95
PID 1976 wrote to memory of 2916	1976	IDMan.exe	95
PID 1500 wrote to memory of 1972	1500	regsvr32.exe	96
PID 1500 wrote to memory of 1972	1500	regsvr32.exe	96
PID 1976 wrote to memory of 1228	1976	IDMan.exe	97
PID 1976 wrote to memory of 1228	1976	IDMan.exe	97
PID 1976 wrote to memory of 1228	1976	IDMan.exe	97
PID 3556 wrote to memory of 3112	3556	regsvr32.exe	98
PID 3556 wrote to memory of 3112	3556	regsvr32.exe	98
PID 2916 wrote to memory of 3468	2916	regsvr32.exe	99
PID 2916 wrote to memory of 3468	2916	regsvr32.exe	99
PID 1228 wrote to memory of 4716	1228	regsvr32.exe	100
PID 1228 wrote to memory of 4716	1228	regsvr32.exe	100
PID 1976 wrote to memory of 2508	1976	IDMan.exe	102
PID 1976 wrote to memory of 2508	1976	IDMan.exe	102
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 2508 wrote to memory of 772	2508	firefox.exe	103
PID 1976 wrote to memory of 4136	1976	IDMan.exe	104
PID 1976 wrote to memory of 4136	1976	IDMan.exe	104
PID 1976 wrote to memory of 4136	1976	IDMan.exe	104
PID 4136 wrote to memory of 4412	4136	Uninstall.exe	105
PID 4136 wrote to memory of 4412	4136	Uninstall.exe	105
PID 772 wrote to memory of 4104	772	firefox.exe	106
PID 772 wrote to memory of 4104	772	firefox.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\idman642build17.exe
"C:\Users\Admin\AppData\Local\Temp\idman642build17.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
  "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
  2⤵
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1932
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4020
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:3088
- - C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
    "C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3368
- - C:\Program Files (x86)\Internet Download Manager\IDMan.exe
    "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr
    3⤵
    - Adds Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1972
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3112
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3468
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4716
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        5⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1888 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcd74950-9d93-4276-ad67-915f355eab04} 772 "\\.\pipe\gecko-crash-server-pipe.772" gpu
        6⤵
        
        PID:4104
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22551a5c-9099-43a3-88b6-b9b00eff9250} 772 "\\.\pipe\gecko-crash-server-pipe.772" socket
        6⤵
        
        PID:1364
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -childID 1 -isForBrowser -prefsHandle 3372 -prefMapHandle 3368 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2478c29-38f5-4f1e-b9c2-e407dd54d922} 772 "\\.\pipe\gecko-crash-server-pipe.772" tab
        6⤵
        
        PID:5012
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3068 -prefMapHandle 3064 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {115e79de-8f00-42f1-89bc-d83844833f64} 772 "\\.\pipe\gecko-crash-server-pipe.772" tab
        6⤵
        
        PID:5092
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4316 -prefMapHandle 4308 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df9f86fe-cd29-40d3-9862-4162ad979042} 772 "\\.\pipe\gecko-crash-server-pipe.772" utility
        6⤵
        Checks processor information in registry
        
        PID:4736
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 3 -isForBrowser -prefsHandle 5516 -prefMapHandle 5512 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81b32e5-50d1-40fc-a695-8806e9844140} 772 "\\.\pipe\gecko-crash-server-pipe.772" tab
        6⤵
        
        PID:1272
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5524 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81c8db7d-1352-4d54-b5dc-b54bd9b4d945} 772 "\\.\pipe\gecko-crash-server-pipe.772" tab
        6⤵
        
        PID:1372
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5844 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {746ecc4f-06cc-4bc3-a699-27b771e1074b} 772 "\\.\pipe\gecko-crash-server-pipe.772" tab
        6⤵
        
        PID:988
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2868 -childID 6 -isForBrowser -prefsHandle 3168 -prefMapHandle 2912 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d926c427-4c47-43d0-97e3-0e913e3e8acb} 772 "\\.\pipe\gecko-crash-server-pipe.772" tab
        6⤵
        
        PID:4692
  - - C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
      "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\system32\RUNDLL32.EXE
        
        "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:4412
      - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:2288
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:564
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2208
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        6⤵
        Loads dropped DLL
        
        PID:572
  - - C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe
      "C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3008
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{e6ea7c83-7a3f-2046-a349-5a007f449581}\idmwfp.inf" "9" "4fc2928b3" "000000000000015C" "WinSta0\Default" "00000000000000EC" "208" "C:\Program Files (x86)\Internet Download Manager"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4588
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "00000000000000EC" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "0000000000000174" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4412

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3436
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2544
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
  "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1248
- - C:\Windows\system32\RUNDLL32.EXE
    "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      PID:2832
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:1880
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:3460
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:404
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:4016
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1880
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:3628
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:4080
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:236
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:384
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll

Filesize
73KB

MD5
d04845fab1c667c04458d0a981f3898e

SHA1
f30267bb7037a11669605c614fb92734be998677

SHA256
33a8a6b9413d60a38237bafc4c331dfebf0bf64f8057abc335b4a6a6b95c9381

SHA512
ccd166dbe9aaba3795963af7d63b1a561de90153c2eaefb12f3e9f9ddebd9b1f7861ee76f45b4ef19d41ca514f3796e98b3c3660596730be8d8eb9e1048ef59e

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll

Filesize
93KB

MD5
597164da15b26114e7f1136965533d72

SHA1
9eeaa7f7de2d04415b8c435a82ee7eea7bbf5c8a

SHA256
117abaeb27451944c72ffee804e674046c58d769bd2e940c71e66edec0725bd1

SHA512
7a2d31a1342286e1164f80c6da3a9c07418ebeafb9b4d5b702c0f03065ee26949da22193eb403c8aeec012b6f1c5ff21179104943943302972492fcdccc850d9

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll

Filesize
463KB

MD5
23efcfffee040fdc1786add815ccdf0a

SHA1
0d535387c904eba74e3cb83745cb4a230c6e0944

SHA256
9a9989644213043f2cfff177b907ef2bdd496c2f65803d8f158eae9034918878

SHA512
cf69ed7af446a83c084b3bd4b0a3dbb5f013d93013cd7f2369fc8a075fe05db511cfe6b6afdef78026f551b53ad0cb7c786193c579b7f868dd0840b53dbb5e9f

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll

Filesize
656KB

MD5
e032a50d2cf9c5bf6ff602c1855d5a08

SHA1
f1292134eaad69b611a3d7e99c5a317c191468aa

SHA256
d0c6d455d067e8717efe2cfb9bdcbeae27b48830fe77e9d45c351fbfb164716d

SHA512
77099b44e4822b4a556b4ea6417cf0a131ffb5ee65c3f7537ab4cdc9939f806b15d21972ea4d14a0d95cf946013b9997a9127d798016f68bcd957bbffdab6c11

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMNetMon64.dll

Filesize
472KB

MD5
f9b6e4edc81f7c3e531ffaac269e10c9

SHA1
0a37dc5e23c040ac30608337b3e0da985efc0259

SHA256
15cb434fc12697b0170f3c8a81ad0329c16895bbfee5699d19053f819a5a2b35

SHA512
d95bd583ef44d3f1c66779445f02ae915cfa22abffcac95d5a7158f00ad0ca4496592ef69a8b62a1424af6dd42e684176320858a4d45026bdc35082bfc57ca9d

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll

Filesize
36KB

MD5
a3c44204992e307d121df09dd6a1577c

SHA1
9482d8ffda34904b1dfd0226b374d1db41ca093d

SHA256
48e5c5916f100880e68c9e667c4457eb0065c5c7ab40fb6d85028fd23d3e4838

SHA512
f700cf7accab0333bc412f68cdcfb25d68c693a27829bc38a655d52cb313552b59f9243fc51357e9dccd92863deecb529cc68adbc40387aad1437d625fd577f1

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMan.exe

Filesize
5.7MB

MD5
d89ca2568aa3f5c3492cdac4879429a6

SHA1
41a5ae7ae7b1f5ea8d2c4874bf4b1f39406ac929

SHA256
7e8e8e8706c2eb3a9a3458fae61934054966865fd4b05f260f81d618e10da0a7

SHA512
7fc8eea1725856bb721fb203da16e37333a35d4362c0b86e0b64765c0225e5fa40b515647e9ea093c14dbfcd2a3e30b44713829a53088b964636b72e8c75381f

Download Submit
C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe

Filesize
51KB

MD5
d44f8056ffd0f578d97639602db50895

SHA1
58db1b4cae795038c58291fa433d974e319b2765

SHA256
a4fda3af1c386028b46629e6f5113b36aab7e76278ea6683b82eb575dfb9be7b

SHA512
e38f4cd19f3a5a227f2a15ff4f5c360125393980812969190435420fde90b5b25ec13c4f79ae5d4bf02f4bdb043a9d9e9e59ee92ca01ce1fcb1fbf327e37996f

Download Submit
C:\Program Files (x86)\Internet Download Manager\downlWithIDM.dll

Filesize
197KB

MD5
b94d0711637b322b8aa1fb96250c86b6

SHA1
4f555862896014b856763f3d667bce14ce137c8b

SHA256
38ac192d707f3ec697dd5fe01a0c6fc424184793df729f427c0cf5dfab6705fe

SHA512
72cdb05b4f45e9053ae2d12334dae412e415aebd018568c522fa5fe0f94dd26c7fe7bb81ccd8d6c7b5b42c795b3207dffa6345b8db24ce17beb601829e37a369

Download Submit
C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll

Filesize
155KB

MD5
13c99cbf0e66d5a8003a650c5642ca30

SHA1
70f161151cd768a45509aff91996046e04e1ac2d

SHA256
8a51ece1c4c8bcb8c56ca10cb9d97bff0dfe75052412a8d8d970a5eb6933427b

SHA512
f3733ef2074f97768c196ad662565b28e9463c2c8cf768166fed95350b21c2eb6845d945778c251093c00c65d7a879186843eb334a8321b9956738d9257ce432

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmBroker.exe

Filesize
153KB

MD5
e2f17e16e2b1888a64398900999e9663

SHA1
688d39cb8700ceb724f0fe2a11b8abb4c681ad41

SHA256
97810e0b3838a7dca94d73a8b9e170107642b064713c084c231de6632cb68a9c

SHA512
8bde415db03463398e5e546a89c73fff9378f34f5c2854a7c24d7e6e58d5cdf7c52218cb3fc8f1b4052ce473bb522a2e7e2677781bcdec3216284f22d65fc40b

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmfsa.dll

Filesize
94KB

MD5
235f64226fcd9926fb3a64a4bf6f4cc8

SHA1
8f7339ca7577ff80e3df5f231c3c2c69f20a412a

SHA256
6f0ed0a7a21e73811675e8a13d35c7daa6309214477296a07fe52a3d477578ad

SHA512
9c6be540cffb43211e464656c16cb0f6f88fb7224087b690ca910acbd433eaf5479508f088b6e6b5437dd260923e26dd928a861db6a3ce76607ad9e77628262d

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmnmcl.dll

Filesize
34KB

MD5
5993d22c17df85588809ac2006c74c9a

SHA1
29d7932793b00407c8a934e3c3bf919a5cb4bb11

SHA256
d34f54f994ed5c8398e590ec537f0f2651f0aef51573d3307570917fa8f6e331

SHA512
0ee160620ee7aefee7ce7a8dd9dd6ad09c11c85e449f3c5b0a53a1de19d359794f856ee4d86af4813210c91527c5a22a780615f363e584eb0b600cfb0c172f89

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmvs.dll

Filesize
34KB

MD5
66dc84c1f289c7c5a042001b1bb6820c

SHA1
d6d9552581608b71f9b4c99820d303649791337c

SHA256
ee8bfdf475c723d71796e45e759a195219c6c957a819e68e17545e79ea13efb5

SHA512
75239ee90d2d0bd0855c7e4b1f88169c64fb9f8af6bedf223afe758e7af22139b353ecbf68a43a6ef1b98df8c9301d91f29c73fe239c56b6d9bd345d586abfdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl

Filesize
8KB

MD5
9b650c3be0348142ee949de5a0dc8601

SHA1
16bf8bd5dab47e906455b63e84929456e7a9e4bb

SHA256
a1c4a155ae357bbba23e83957311e2d0e3596f0cf330ec4f9ff25f103d90758d

SHA512
6ef9d53328e31e681734bcdfd6ae0e166781234f505b0f9ba59cb2577b1769140aeb0b5e15e1797e19f37079ee4d5d0da35091c8f1be08e07e2db4589a8302ef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
bb16411f9b1b02f08920abf8d86ebb15

SHA1
7bd9d582712dea963027662b35670711173e569f

SHA256
1c8197f64dd31c944f28170847387bf89c1e35d1263c676fab6ff3f668dae1a5

SHA512
afd5e8e0f090f7fca89155d4a718d5bf498745de88151dfe069583943151aae1675988fb505953a16f5f2a30c09c2987c82950c994f05eeaea65d950e6a91b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
162KB

MD5
1229943ec58e8bd8cf3b1673dcbd4760

SHA1
65d8b26a4b9b5762241f7d5393101f8b43065298

SHA256
ff3ce8900cc246ab15bbf6e2b418c08de39845735f47b724a59765ffeed66643

SHA512
fc2f5d4ee2e2498b0df5bcb6cef355dc8a11e37eed58dd88b0a306648639b47a3e5a4ea758c0911f9dd8e93c51f0c90938ca64f985a5c5dd8e5f62d946df6f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDMSetup2.log

Filesize
1KB

MD5
c0516eff76a05ea8e89f517cbd1ea377

SHA1
221c58faca014a134acd8eecb0100c87713d6cd9

SHA256
45005e575d3b8f1bd3853aaa1de6874c0d82434c9cb842fe27bc3ab3ac65522a

SHA512
f32ae8ce0df663156223df4a7d1ceef4d9d8589a0257d62e31e46037b6036cdd7415aca79479a41d65bdb0c502a48a9ac2680b3e8c2ce1156f8ed8bfafcdad20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDMSetup2.log

Filesize
4KB

MD5
85828e7ff30dc917facbc3dd2371fa2a

SHA1
20a26d2675ea967a5f9f94832fb18a8ac976de96

SHA256
2a15c9016d94450381ce04646eb7407bdcff3f0435ad3d079d1c7308b6ced65b

SHA512
3bce04350a0d763a69efde0c27f009ff9f7e0cf09907d817b8f7c518256cf25f23b18141ca9f8ad20f9fe419565e16e3fd59f4e6eba08ec7db774a113751cb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-hzn.xpi

Filesize
105KB

MD5
1f64c7e6e46f22c33795aa79d6659a0e

SHA1
0091d4bc8bf9d4d39d8df685473a20382ab41777

SHA256
dbb33d00d9c9157c757cd4c223357fb7d2715c5d45c0dd6b56aef8cae4a185d4

SHA512
5c3d686692f8188189b6a23b2864fed03b0418959dbb51e039d2d841801a7d160797145db6b95e6441b91ad32e7054b776000ab2ce1de86f0cd203eacad79475

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e6ea7c83-7a3f-2046-a349-5a007f449581}\idmwfp.inf

Filesize
2KB

MD5
f8f346d967dcb225c417c4cf3ab217a0

SHA1
daca3954f2a882f220b862993b0d5ddf0f207e34

SHA256
a54e0ac05254a464180e30f21a6b26651e7495427353bba9c246ba1d2388e7cc

SHA512
760c2914f3e937a2a3443a032cf74b68b6d24d082d0f50d65058a0fd87d8eeab229fb8d3105e442f0b3b0b2f3824439981951266425512e51e7ff36669a652fa

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\Scheduler\s_1.dt

Filesize
316B

MD5
2639455c21b61de370e5e4e500a9c008

SHA1
b68a4bc7c4b521a2544459e603fbe706027f4e4e

SHA256
6d059e9c4670699aaa1b1594917d1be5fe752517d7c7e505f227e8dd181dcebb

SHA512
e7cf7fe5eebec79f70ed6b2fae0fdfe2c992fc240b0e6bc4a73e00aad01fdb1e13fd69a55b8b2a3b7a2c314c1ccbfc18284293f06ff5e875f0b64a86054db404

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\defextmap.dat

Filesize
3KB

MD5
4be225f5ed8575cb3e70847863026660

SHA1
852fbb7d2739afe764613d45dc6f2234bc50f213

SHA256
9d1f79719b84eec484602b501d3d9eab89336c25b6d0cc586957bc2e10e845a1

SHA512
82ab7efa6f900229d8dae2d72ab039651b8af853b1128b36bf172109f8456c6cd3afdfa3ebbec86624c91cf4db55181bf30befe90195b0f2b7ae782d8e090596

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\urlexclist.dat

Filesize
3KB

MD5
3cf29c53c8d733d26794661e477fb5b9

SHA1
94eae66f2a322b5a4c1a6584c036e7b3b88fd2ac

SHA256
9efd5d506f16932728de5c0fb7dc0e4b75713920bbcefb108a610c6c1ae45430

SHA512
2321fe2f6188cb2590ec2793145f75e1666c41221b29c1d18358311d378f86f2e5a6575028accfc721f9db3e2b27981d857d556bdddd32bf6ea1233af355d94c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin

Filesize
8KB

MD5
f6e10e00100226c50e04537d5cd72dc7

SHA1
19b8756841d324444199f093978b8645e7acc140

SHA256
9f7e561bc6072db586244bc14b665cdcd36eeaa11bda3309d3c6191c49841561

SHA512
6ec2dfa9809ffcf68751d675d5b7554f4bf1c2a3b95efc26a85e3bebdd39e312c8500b9eaa0269c62de6efe4a2f20e63fca0bd87f6dab819224d71d6dbae0908

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
70e51bd62ac66c01a042cae4e5cbd217

SHA1
fa555c56c91a4df69abd2ce5cbb815badb63787f

SHA256
48145d50a126c49bbcf4887cf86c3c32b236be8ce0e42e1f0030843b476bf25e

SHA512
624e9534c4f819878cf46aa912391e6cdd82a72a7180ca25d6487ed467f44fa6b91fae3f20a4092c6d18ba5da284bf2268bb0c450984857b55b08999c7823429

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
90330339cb2c0f4975d16a631cddce6f

SHA1
f81cc4921dedd4ee8fc95093abc2a196aea683f8

SHA256
3057b096946b48c2caa8f377fb29773ee7ecd8a5c2c7560968ba0bd173ae99bd

SHA512
6679059b22ad6ccf2869d491077a1e15fc13ec84b37623373a9bdc47f591eae36730986dbb9092b1450197b22083a1443a2d59a9b6d9cabc9313bd0fd8eff83f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\0a84fbf6-61cb-409c-8d10-d6e9e65e3229

Filesize
982B

MD5
5fddc163675e57ba8a0a829c989736b1

SHA1
45304e1d62b5d11683012ebd5c136d19702f9766

SHA256
004fde8831108aa220a919ae106f2574211b11bd4cb17e0ce9e4da265de5bc37

SHA512
c4d9339e9a58865fcdf525e921721f015a13802c690b466c547064071b601f116d6323dcd2d70865a5a17b94c51297fffcce9b54d26c8c86d5def103dbbecb71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\714e3514-0210-4cfd-bece-92476bf5ec2c

Filesize
671B

MD5
893a003007d075555befa0000da88a04

SHA1
f51b923fb8000ca56e29e7403761123549652a97

SHA256
6854fb1d004984d2a3b9a27120673e8a836197864ef33a5c5cf1fdc2504a5ee1

SHA512
76b783b488180aa6b95a20e06cad969a0cb34091125a9d8d57abfb82676511b6020da1ead9e1c030fc68772bdfc305e60df138358dd409cb09aa03dfa59200b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\ed66a62e-ae11-4d5c-8e51-1037ddddc21f

Filesize
27KB

MD5
aa490507cc0b972e442e2d1db3cd80d8

SHA1
c40ce701d734d086c43cc65ade4affc11f0a8a2d

SHA256
fae9ba640dc39f61f77436c2992ce86608986da5fa1761131df07baf5114d2ad

SHA512
c031eef88e761f7054651e0113cb5a20e1ce178e1f0dce6ed310d910fa595f6eb8325e8037a581cdca9f2da11511f215f76b23308f6dba3e657a1dada583a3b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs-1.js

Filesize
11KB

MD5
87fdfe071f39e6da80fab56c82dce2c7

SHA1
9314d3881d527b4000a624fb6e785781f541f942

SHA256
fc1a98864a0a8fa328a54dc16e8b97b30b92e3325557734fa20fe83c74d38e7c

SHA512
beb0def5811feefc1c85a36497c5025cceabac26cb89300de523d6b3bae0859745daf4be165a34027f0e501fdae5547e7a47d71f2c3c8f855cd6e14ecba3e387

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs-1.js

Filesize
10KB

MD5
42cf4e78ab309977291e1c9b19540bec

SHA1
653ad72505833d08ef0e07f5a4d01016cf950916

SHA256
827a8736c17367858bbc36e8e03e6e8c10722e0458f19acbc86de17d2456e929

SHA512
37be0bdc34bf1a5d18614f1925f6b89e656affc1bb9b93b3084bb94015a98954d5eec5bda29fd7fb2edc0b6305455b624fcc5ff193ab856dc619af94ba87973b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs.js

Filesize
10KB

MD5
1595758adc35e37d43235d1e8d8ee5e9

SHA1
3b67100447e1791505ac82ba3d5a94307bd5090d

SHA256
aa77f45b70c3f012eb8fa3758a3b63be81434b68f11b6f9f288488855b13676d

SHA512
2563246297ef2672a2d495432e740e67d32d13fafbeb532bacbf80806c40c1823cc1c73aefbdd70fa64ebea124a5fec223b8d5aa69b363502f1b4dab4cb08082

Download Submit
C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\SETD00D.tmp

Filesize
169KB

MD5
7d55ad6b428320f191ed8529701ac2fa

SHA1
515c36115e6eba2699afbf196ae929f56dc8fe4c

SHA256
753a1386e7b37ee313db908183afe7238f1a2aec5e6c1e59e9c11d471b6aaa8d

SHA512
a260aae4ff4f064b10388d88bb0cb9ea547ed0bc02c88dc1770935207e0429471d8cd60fcc5f9ee51ecd34767bf7d44c75ea6fbe427c39cc4114aad25100f40d

Download Submit
C:\Windows\System32\DriverStore\Temp\{ce171f61-9a38-3443-94ed-272a35e19e00}\SETD00E.tmp

Filesize
12KB

MD5
d5e0819228c5c2fbee1130b39f5908f3

SHA1
ce83de8e675bfbca775a45030518c2cf6315e175

SHA256
52818c67be219bc3b05c58b40e51b99a65c2f4bcafe38a995610b4ec10928def

SHA512
bb397004f2256db781385de3e7e7b7993be8fbb2cb701ead99a7878c2bcca6c9ae4a7aa61c329aeeb6711c8c74081e971e85af38af6b32b58888c932fd51d218

Download Submit
memory/1248-1005-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2380-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2380-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4136-484-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5084-436-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5084-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download