Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
01-10-2024 12:30
General
-
Target
IDM/!)卸载.bat
-
Size
14KB
-
MD5
3decac4cda3e2c761b6c25a7c6afc8d6
-
SHA1
857bac5e36b567021c39c90b0590aef558ae3f24
-
SHA256
a058383a79b829bceeac7f183968adba2a38824c41f6d0bd3741ad9d753cf4d0
-
SHA512
258efc5a8eca2d28a257783753a5c7242c8c5ea85e7d9c88515610d2e7c50eaa89164dc6fa3109fa3829604a67f88fa7ae2d63c11dbea0aca41cd19da6b4727a
-
SSDEEP
384:4CFmoOfgEpLkHr5kkBQUsnLow8jS32AIF+uVF+uS:9r5kkBQxLow8jo2AL
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 7 IoCs
-
Modifies registry class 64 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\IDM\!)卸载.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY "HKU\S-1-5-19"2⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "IDM*" /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "IEMonitor.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "MediumILStart.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IDM\idmBroker.exe"C:\Users\Admin\AppData\Local\Temp\IDM\idmBroker.exe" -RegServer2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\IDM\Uninstall.exe"C:\Users\Admin\AppData\Local\Temp\IDM\Uninstall.exe" -uninstdriv2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\RUNDLL32.EXE"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultUninstall 128 C:\Users\Admin\AppData\Local\Temp\IDM\idmwfp.inf3⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r4⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o5⤵
-
-
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s /u IDMIECC.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s /u IDMIECC.dll3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s /u IDMIECC64.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s /u IDMGetAll.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s /u IDMGetAll.dll3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s /u IDMGetAll64.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s /u IDMShellExt.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\regsvr32.exe/s /u IDMShellExt.dll3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s /u IDMShellExt64.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s /u downlWithIDM.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\regsvr32.exe/s /u downlWithIDM.dll3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s /u downlWithIDM64.dll2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ver"2⤵
-
-
C:\Windows\system32\findstr.exefindstr "\<6\.[0-9]\.[0-9][0-9]*\> \<10\.[0-9]\.[0-9][0-9]*\>"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ver"2⤵
-
-
C:\Windows\system32\findstr.exefindstr "5\.[0-9]\.[0-9][0-9]*"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Download Manager" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\DownloadManager" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Download Manager" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\DownloadManager" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Download Manager" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Internet Download Manager" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Internet Download Manager" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan" /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Idmfsa.IDMEFSAgent" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Idmfsa.IDMEFSAgent.1" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\AppID\idmBroker.EXE" /f2⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\idmBroker.OptionsReader" /f2⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\idmBroker.OptionsReader.1" /f2⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\AppID\{3C085E26-7DF6-4A34-ADA6-877D06BAE9A8}" /f2⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}" /f2⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}" /f2⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}" /f /reg:322⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{2223E76A-0894-4502-841F-0CF7517A713B}" /f /reg:322⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.tonec.idm" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.tonec.idm" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Tracing\IDMan_RASAPI32" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Tracing\IDMan_RASAPI32" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState" /f /v "PolicyState" /t REG_DWORD /d "2"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /reg:32 /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Classes\CLSID\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\CocCoc\Browser\NativeMessagingHosts\com.tonec.idm" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\CocCoc\Browser\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.tonec.idm" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Edge\Extensions\llbjbkhnmlidjebalopleeepgdfgcpec" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Mozilla\NativeMessagingHosts\com.tonec.idm" /f2⤵
-
-
C:\Windows\system32\reg.exe
-
-
C:\Windows\system32\reg.exe
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}" /f2⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f /reg:322⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic userAccount where "Name='Admin'" get SID /value2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic userAccount where "Name='Admin'" get SID /value3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "IDMan"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer" /f /v "DownloadUI"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer" /f /v "DownloadUI" /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MenuExt\╩╣╙├ IDM ╧┬╘╪╚½▓┐┴┤╜╙" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\CocCoc\Browser\NativeMessagingHosts\com.tonec.idm" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\CocCoc\Browser\Extensions\ngpampappnmepgilojfohadhhmbhlaek" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Edge\NativeMessagingHosts\com.tonec.idm" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Edge\Extensions\llbjbkhnmlidjebalopleeepgdfgcpec" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Mozilla\NativeMessagingHosts\com.tonec.idm" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Mozilla\SeaMonkey\Extensions" /f /v "[email protected]"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f /reg:322⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}" /f2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "MData"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "Email"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "LName"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "FName"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "Serial"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "tvfrdt"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "scansk"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "idmvers"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "ExePath"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "TempPath"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "LstCheck"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "CheckUpdtVM"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "AppDataIDMFolder"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\DownloadManager" /f /v "CommonAppDataIDMFolder"2⤵
-
-
C:\Windows\regedit.exeregedit /e "!)╤í╧ε┼Σ╓├.reg" HKEY_CURRENT_USER\Software\DownloadManager2⤵
- Runs .reg file with regedit
-
-
C:\Windows\system32\choice.exeCHOICE /C 12 /N2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
164KB
-
Filesize
64KB
-
Filesize
164KB