ddcbe331e610f3a5cd579662826404aeff1f9ca5be2db4ca3e4e0fd923cc4b48

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe /onboot"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDM1.tmp

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	IDM1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Uninstall.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6988630b-c3c3-954b-a367-639e7777ac5b}\SETFCC0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6988630b-c3c3-954b-a367-639e7777ac5b}\SETFCC0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6988630b-c3c3-954b-a367-639e7777ac5b}\SETFCBF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6988630b-c3c3-954b-a367-639e7777ac5b}\SETFCD1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6988630b-c3c3-954b-a367-639e7777ac5b}\idmwfp64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6988630b-c3c3-954b-a367-639e7777ac5b}\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6988630b-c3c3-954b-a367-639e7777ac5b}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6988630b-c3c3-954b-a367-639e7777ac5b}\SETFCBF.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6988630b-c3c3-954b-a367-639e7777ac5b}\SETFCD1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6988630b-c3c3-954b-a367-639e7777ac5b}\idmwfp.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_it.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc7_64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_jp.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfpAA.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idman.chm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_it.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_fr.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_hu.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_id.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmfc.dat	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ug.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_be.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_nl.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IEGetVL.htm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_dk.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ge.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_bn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ge.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_largeHot_3.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\scheduler.chm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_tr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\template_inst.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_src.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_sk.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMVMPrs64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\libssl.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_jp.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_fi.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_fa.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_nl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_es.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_ru.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMNetMon64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_pl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMMsgHostMoz.json	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_hu.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_hu.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_chn.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmbrbtn64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmvs.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_gr.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGrHlp.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_pl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ptbr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_chn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_id.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_cz.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_mn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_hi.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ba.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_my.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMan.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmftype.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp32.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_bg.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmcchandler2_64.dll	IDMan.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmantypeinfo.tlb	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IEGetVL2.htm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ru.lng	IDM1.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 7 IoCs

pid	Process
4044	IDM1.tmp
3224	idmBroker.exe
1532	IDMan.exe
3244	Uninstall.exe
5300	MediumILStart.exe
5388	IDMan.exe
5380	Uninstall.exe

Loads dropped DLL 39 IoCs

pid	Process
4044	IDM1.tmp
4044	IDM1.tmp
4044	IDM1.tmp
4044	IDM1.tmp
3628	regsvr32.exe
3212	regsvr32.exe
3004	regsvr32.exe
396	regsvr32.exe
3660	regsvr32.exe
1492	regsvr32.exe
1532	IDMan.exe
1532	IDMan.exe
1532	IDMan.exe
1532	IDMan.exe
1532	IDMan.exe
1884	regsvr32.exe
1796	regsvr32.exe
1512	regsvr32.exe
3036	regsvr32.exe
5084	regsvr32.exe
2088	regsvr32.exe
3688	regsvr32.exe
720	regsvr32.exe
3496	Process not Found
3496	Process not Found
984	regsvr32.exe
5132	regsvr32.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe
5436	regsvr32.exe
5336	regsvr32.exe
5100	regsvr32.exe
2700	regsvr32.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDMan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDMan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idmBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idman642build19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediumILStart.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppName = "idmBroker.exe"	idmBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B}\Policy = "3"	idmBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDM1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\AppName = "IDMan.exe"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}	IDM1.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}\Policy = "3"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDM1.tmp
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	idmBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CurVer\ = "DownlWithIDM.LinkProcessor.1"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\VersionIndependentProgID	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version\ = "1.0"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\TypeLib\Version = "1.0"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\VersionIndependentProgID\ = "IDMGetAll.IDMAllLinksProcessor"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CLSID\ = "{CDD67718-A430-4AB9-A939-83D9074B0038}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ = "IDMAllLinksProcessor Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\FLAGS	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\FLAGS\ = "0"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Elevation	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Programmable	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM.dll"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ = "IDMDwnlMgr Class"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib\Version = "1.0"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr\CLSID\ = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib\Version = "1.0"	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID\ = "DownlWithIDM.V2LinkProcessor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMGetAll64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\TypeLib	idmBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D4E387-BAB7-47E7-B3D7-3F01ABC463EA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\idmBroker.exe"	idmBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32\ThreadingModel = "Apartment"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\0\win32	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28670AE0-CAF4-4836-8418-0F456023EBF7}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32\ = "{C950922F-897A-4E13-BA38-66C8AF2E0BF7}"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Insertable	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\ProgID\ = "IDMIECC.IDMHelperLinksStorage.1"	IDM1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID\ = "DownlWithIDM.IDMDwnlMgr.1"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\HELPDIR	IDM1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32\ThreadingModel = "Apartment"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\ = "IDMAllLinksProcessor Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\VersionIndependentProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CurVer\ = "IDMGetAll.IDMAllLinksProcessor.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib	IDMan.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4044	IDM1.tmp
4044	IDM1.tmp
4044	IDM1.tmp
4044	IDM1.tmp
4044	IDM1.tmp
4044	IDM1.tmp
4044	IDM1.tmp
4044	IDM1.tmp
4044	IDM1.tmp
4044	IDM1.tmp
1532	IDMan.exe
1532	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe

Suspicious behavior: LoadsDriver 12 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4044	IDM1.tmp
Token: SeRestorePrivilege	1532	IDMan.exe
Token: SeAuditPrivilege	4768	svchost.exe
Token: SeSecurityPrivilege	4768	svchost.exe
Token: SeRestorePrivilege	632	DrvInst.exe
Token: SeBackupPrivilege	632	DrvInst.exe
Token: SeDebugPrivilege	4476	firefox.exe
Token: SeDebugPrivilege	4476	firefox.exe
Token: SeBackupPrivilege	1532	IDMan.exe
Token: SeDebugPrivilege	5336	regsvr32.exe
Token: SeDebugPrivilege	5336	regsvr32.exe
Token: SeRestorePrivilege	1408	DrvInst.exe
Token: SeBackupPrivilege	1408	DrvInst.exe
Token: SeDebugPrivilege	3940	RUNDLL32.EXE
Token: SeDebugPrivilege	3940	RUNDLL32.EXE
Token: SeDebugPrivilege	2700	regsvr32.exe
Token: SeDebugPrivilege	2700	regsvr32.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
1532	IDMan.exe
5388	IDMan.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
1532	IDMan.exe
5388	IDMan.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1532	IDMan.exe
1532	IDMan.exe
3244	Uninstall.exe
4476	firefox.exe
1532	IDMan.exe
1532	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe
5380	Uninstall.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe
5388	IDMan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 4044	1100	idman642build19.exe	84
PID 1100 wrote to memory of 4044	1100	idman642build19.exe	84
PID 1100 wrote to memory of 4044	1100	idman642build19.exe	84
PID 4044 wrote to memory of 3212	4044	IDM1.tmp	103
PID 4044 wrote to memory of 3212	4044	IDM1.tmp	103
PID 4044 wrote to memory of 3212	4044	IDM1.tmp	103
PID 4044 wrote to memory of 3628	4044	IDM1.tmp	104
PID 4044 wrote to memory of 3628	4044	IDM1.tmp	104
PID 4044 wrote to memory of 3628	4044	IDM1.tmp	104
PID 4044 wrote to memory of 3004	4044	IDM1.tmp	105
PID 4044 wrote to memory of 3004	4044	IDM1.tmp	105
PID 4044 wrote to memory of 3004	4044	IDM1.tmp	105
PID 3628 wrote to memory of 396	3628	regsvr32.exe	106
PID 3628 wrote to memory of 396	3628	regsvr32.exe	106
PID 3212 wrote to memory of 3660	3212	regsvr32.exe	107
PID 3212 wrote to memory of 3660	3212	regsvr32.exe	107
PID 4044 wrote to memory of 3224	4044	IDM1.tmp	108
PID 4044 wrote to memory of 3224	4044	IDM1.tmp	108
PID 4044 wrote to memory of 3224	4044	IDM1.tmp	108
PID 3004 wrote to memory of 1492	3004	regsvr32.exe	110
PID 3004 wrote to memory of 1492	3004	regsvr32.exe	110
PID 4044 wrote to memory of 1532	4044	IDM1.tmp	111
PID 4044 wrote to memory of 1532	4044	IDM1.tmp	111
PID 4044 wrote to memory of 1532	4044	IDM1.tmp	111
PID 1532 wrote to memory of 1884	1532	IDMan.exe	113
PID 1532 wrote to memory of 1884	1532	IDMan.exe	113
PID 1532 wrote to memory of 1884	1532	IDMan.exe	113
PID 1532 wrote to memory of 1512	1532	IDMan.exe	114
PID 1532 wrote to memory of 1512	1532	IDMan.exe	114
PID 1532 wrote to memory of 1512	1532	IDMan.exe	114
PID 1884 wrote to memory of 1796	1884	regsvr32.exe	115
PID 1884 wrote to memory of 1796	1884	regsvr32.exe	115
PID 1532 wrote to memory of 3036	1532	IDMan.exe	116
PID 1532 wrote to memory of 3036	1532	IDMan.exe	116
PID 1532 wrote to memory of 3036	1532	IDMan.exe	116
PID 1512 wrote to memory of 5084	1512	regsvr32.exe	117
PID 1512 wrote to memory of 5084	1512	regsvr32.exe	117
PID 1532 wrote to memory of 2088	1532	IDMan.exe	118
PID 1532 wrote to memory of 2088	1532	IDMan.exe	118
PID 1532 wrote to memory of 2088	1532	IDMan.exe	118
PID 3036 wrote to memory of 3688	3036	regsvr32.exe	119
PID 3036 wrote to memory of 3688	3036	regsvr32.exe	119
PID 2088 wrote to memory of 720	2088	regsvr32.exe	120
PID 2088 wrote to memory of 720	2088	regsvr32.exe	120
PID 1532 wrote to memory of 4300	1532	IDMan.exe	122
PID 1532 wrote to memory of 4300	1532	IDMan.exe	122
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 4300 wrote to memory of 4476	4300	firefox.exe	123
PID 1532 wrote to memory of 3244	1532	IDMan.exe	124
PID 1532 wrote to memory of 3244	1532	IDMan.exe	124
PID 1532 wrote to memory of 3244	1532	IDMan.exe	124
PID 3244 wrote to memory of 3264	3244	Uninstall.exe	125
PID 3244 wrote to memory of 3264	3244	Uninstall.exe	125
PID 4476 wrote to memory of 1180	4476	firefox.exe	126
PID 4476 wrote to memory of 1180	4476	firefox.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\idm注册机激活\idman642build19.exe
"C:\Users\Admin\AppData\Local\Temp\idm注册机激活\idman642build19.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
  "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
  2⤵
  - Installs/modifies Browser Helper Object
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:3660
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:396
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1492
- - C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
    "C:\Program Files (x86)\Internet Download Manager\idmBroker.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3224
- - C:\Program Files (x86)\Internet Download Manager\IDMan.exe
    "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr
    3⤵
    - Adds Run key to start application
    - Checks computer location settings
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        
        PID:1796
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5084
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3688
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:720
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        5⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1868 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79b469d6-34e9-44de-9812-42d9a69541b0} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" gpu
        6⤵
        
        PID:1180
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f3da6f3-4d6c-4ae6-8489-4d274522b7dd} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" socket
        6⤵
        
        PID:3492
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2744 -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3232 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90f09cbf-a99f-42b8-89c1-9d08ea1f9b67} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" tab
        6⤵
        
        PID:4672
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3332 -childID 2 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1396ab0-3be8-4271-813f-970ebfa22410} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" tab
        6⤵
        
        PID:828
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4524 -prefMapHandle 4536 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48572b2f-2f7c-43e8-b3a2-7ed0ee132575} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" utility
        6⤵
        Checks processor information in registry
        
        PID:5348
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 3 -isForBrowser -prefsHandle 5244 -prefMapHandle 5240 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5143d5a1-b9d2-4285-b65b-4d1bc542c798} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" tab
        6⤵
        
        PID:5992
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 4 -isForBrowser -prefsHandle 5392 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfebcee8-5031-449e-b4ea-2c3afcb4ae06} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" tab
        6⤵
        
        PID:6004
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 5 -isForBrowser -prefsHandle 5484 -prefMapHandle 5588 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45f1f624-c564-4f85-8b5e-c727dae0c3d0} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" tab
        6⤵
        
        PID:6016
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5948 -childID 6 -isForBrowser -prefsHandle 5940 -prefMapHandle 5892 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f263bea-2536-4279-8455-3744c8e14a83} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" tab
        6⤵
        
        PID:5204
  - - C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
      "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Windows\system32\RUNDLL32.EXE
        
        "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3264
      - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:5620
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:836
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6048
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:984
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5132
  - - C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe
      "C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4768
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f92dc3c7-06a6-0a49-b5d2-298d55574e81}\idmwfp.inf" "9" "4fc2928b3" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\Internet Download Manager"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3592
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "000000000000017C" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\idmwfp.inf_amd64_8b0ebbc2b4585464\idmwfp.inf" "0" "4fc2928b3" "0000000000000164" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1408

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" -Embedding
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5388
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5436
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5336
- C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
  "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5380
- - C:\Windows\system32\RUNDLL32.EXE
    "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      PID:5556
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:5568
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:5744
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:5892
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:924
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:5908
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:4924
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:4340
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5100
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery