vjw0rm | 57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77.exe
Size

8.7MB
MD5

80add80d0def80a44a491a31f18de4f8
SHA1

519a96705528c5842291e0bc7eafabd59b0c4f57
SHA256

57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77
SHA512

4c112331d1e82e8175e82f4862919f7b1dfc62861e07187b35a6612a9b27eb4efc701936edf989887aacbd408200ed881314e3c0d3e20e646f7d023a777c2338
SSDEEP

196608:eDq9xBWOQiznaMYaaSDaJThbnFG3gOn4e11bUNhOsOqBOxda7Zy:kq96OQizaMAbThR6gC4ShPFqM87Zy

Score

10^/10

vjw0rm adware discovery evasion execution persistence privilege_escalation spyware stealer trojan upx worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Vjw0rm family
vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
10	4176	WScript.exe
28	4176	WScript.exe
47	4176	WScript.exe
50	4176	WScript.exe
56	4176	WScript.exe
57	4176	WScript.exe

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SET94C9.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\idmwfp.sys	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SET393B.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\idmwfp.sys	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\SET4F82.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\idmwfp.sys	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\SET94C9.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\SET393B.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SET4F82.tmp	RUNDLL32.EXE

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3060	netsh.exe

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023ccc-48.dat	acprotect
behavioral2/memory/4968-49-0x0000000075110000-0x0000000075119000-memory.dmp	acprotect
behavioral2/memory/4968-61-0x0000000075110000-0x0000000075119000-memory.dmp	acprotect

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	IDMan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Uninstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	IDMan.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js	WScript.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 7 IoCs

pid	Process
4968	setup.exe
3504	Uninstall.exe
3888	IDMan.exe
4180	Uninstall.exe
3388	MediumILStart.exe
4672	IDMan.exe
1476	Uninstall.exe

Loads dropped DLL 45 IoCs

pid	Process
4968	setup.exe
4968	setup.exe
4968	setup.exe
4968	setup.exe
4968	setup.exe
4968	setup.exe
4968	setup.exe
4968	setup.exe
4968	setup.exe
1824	regsvr32.exe
4428	regsvr32.exe
4968	setup.exe
3888	IDMan.exe
3888	IDMan.exe
3888	IDMan.exe
3888	IDMan.exe
3424	Process not Found
3424	Process not Found
3888	IDMan.exe
2588	regsvr32.exe
4036	regsvr32.exe
3376	regsvr32.exe
2988	regsvr32.exe
2276	regsvr32.exe
4360	regsvr32.exe
4968	setup.exe
2892	regsvr32.exe
2424	regsvr32.exe
3100	regsvr32.exe
548	regsvr32.exe
5008	regsvr32.exe
3764	regsvr32.exe
1860	regsvr32.exe
5076	regsvr32.exe
232	regsvr32.exe
2580	regsvr32.exe
4672	IDMan.exe
4672	IDMan.exe
4672	IDMan.exe
4672	IDMan.exe
4672	IDMan.exe
5064	regsvr32.exe
244	regsvr32.exe
4496	regsvr32.exe
736	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe /onboot"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V5RI1KLY0A = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\info.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	IDMan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	IDMan.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ccc-48.dat	upx
behavioral2/memory/4968-49-0x0000000075110000-0x0000000075119000-memory.dmp	upx
behavioral2/memory/4968-61-0x0000000075110000-0x0000000075119000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_jp.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_tr.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_sk.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Uninstall-ME.exe	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi.inf	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi64.sys	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_al.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_it.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMNetMon64.dll	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idman.chm	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmbrbtn64.dll	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmcchandler2.dll	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_iw.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat.tbi	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat\PureFlat_Small_Hot.bmp	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_bn.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_de.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMGrHlp (YASCHIR).exe	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_cz.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_fa.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_it.txt	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_fr.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_id.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_pl.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMVMPrs.dll	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IEExt.htm	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmfc.dat	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat\PureFlat_Larg.bmp	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp.cat	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_th.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_pt.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_gu.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_sr.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_tr.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\template_inst.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc.xpi	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi32.sys	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmvconv.dll	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_jp.txt	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_pl.txt	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_sk.txt	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp64.sys	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_kr.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ptbr.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_gr.txt	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\libcrypto.dll	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_de.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_cht.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_hi.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMFType.dat	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmBroker.exe	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_fa.txt	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp.inf	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_hu.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\IDMIntegrator64.exe	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_cht.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_chn.lng	setup.exe
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_dk.lng	setup.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	route.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
3448	taskkill.exe
4652	taskkill.exe
2344	taskkill.exe
2580	taskkill.exe
3632	taskkill.exe
4116	taskkill.exe
4944	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать все ссылки с помощью IDM	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать все ссылки с помощью IDM\contexts = "243"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать с помощью IDM	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать с помощью IDM\contexts = "243"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать все ссылки с помощью IDM	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать с помощью IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать все ссылки с помощью IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEGetAll.htm"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Скачать с помощью IDM	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights	IDMan.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	IDMan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	IDMan.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor.1	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\ = "V2LinkProcessor Class"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\ = "IDM Shell Extension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\ProgID\ = "DownlWithIDM.V2LinkProcessor.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\ = "VLinkProcessor Class"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\HELPDIR	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor.1\CLSID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Download Manager\\downlWithIDM64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\Programmable	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID\ = "DownlWithIDM.VLinkProcessor.1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\0\win32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\TypeLib\Version = "1.0"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\ = "VLinkProcessor Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.V2LinkProcessor\CLSID\ = "{4764030F-2733-45B9-AE62-3D1F4F6F2861}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor.1\ = "LinkProcessor Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor\CLSID\ = "{5312C54E-A385-46B7-B200-ABAF81B03935}"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Programmable	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib\ = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Internet Download Manager\\"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\ = "0"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib\ = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\FLAGS\ = "0"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.LinkProcessor\CurVer\ = "DownlWithIDM.LinkProcessor.1"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ProxyStubClsid32	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID\ = "DownlWithIDM.VLinkProcessor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID\ = "DownlWithIDM.IDMDwnlMgr"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\ = "IDM Shell Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\FLAGS\ = "0"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMGetAll.IDMAllLinksProcessor	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Internet Download Manager"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ = "IIDMEFSAgent"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\NumMethods	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\Programmable	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ = "IIDMEFSAgent7"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\NumMethods\ = "12"	IDMan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Control	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\TypeLib	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ThreadingModel = "Apartment"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\HELPDIR	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1\ = "IDMDwnlMgr Class"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}\ = "PSFactoryBuffer"	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Elevation	IDMan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.VLinkProcessor\CLSID\ = "{CDD67718-A430-4AB9-A939-83D9074B0038}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMIECC.dll"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IDMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownlWithIDM.IDMDwnlMgr.1\CLSID\ = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32	regsvr32.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3888	IDMan.exe
3888	IDMan.exe

Suspicious behavior: LoadsDriver 18 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	whoami.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeRestorePrivilege	3888	IDMan.exe
Token: SeBackupPrivilege	3888	IDMan.exe
Token: SeDebugPrivilege	244	regsvr32.exe
Token: SeDebugPrivilege	244	regsvr32.exe
Token: SeDebugPrivilege	4084	RUNDLL32.EXE
Token: SeDebugPrivilege	4084	RUNDLL32.EXE
Token: SeDebugPrivilege	736	regsvr32.exe
Token: SeDebugPrivilege	736	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3888	IDMan.exe
4672	IDMan.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3888	IDMan.exe
4672	IDMan.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4968	setup.exe
3504	Uninstall.exe
3888	IDMan.exe
3888	IDMan.exe
3888	IDMan.exe
4180	Uninstall.exe
3888	IDMan.exe
3888	IDMan.exe
3888	IDMan.exe
3888	IDMan.exe
3888	IDMan.exe
3388	MediumILStart.exe
4672	IDMan.exe
4672	IDMan.exe
1476	Uninstall.exe
4672	IDMan.exe
4672	IDMan.exe
4672	IDMan.exe
4672	IDMan.exe
4672	IDMan.exe
4672	IDMan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4176	1496	57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77.exe	83
PID 1496 wrote to memory of 4176	1496	57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77.exe	83
PID 1496 wrote to memory of 4176	1496	57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77.exe	83
PID 1496 wrote to memory of 4968	1496	57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77.exe	84
PID 1496 wrote to memory of 4968	1496	57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77.exe	84
PID 1496 wrote to memory of 4968	1496	57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77.exe	84
PID 4968 wrote to memory of 3060	4968	setup.exe	86
PID 4968 wrote to memory of 3060	4968	setup.exe	86
PID 4968 wrote to memory of 3060	4968	setup.exe	86
PID 4176 wrote to memory of 2924	4176	WScript.exe	89
PID 4176 wrote to memory of 2924	4176	WScript.exe	89
PID 4176 wrote to memory of 2924	4176	WScript.exe	89
PID 4968 wrote to memory of 1416	4968	setup.exe	91
PID 4968 wrote to memory of 1416	4968	setup.exe	91
PID 4968 wrote to memory of 1416	4968	setup.exe	91
PID 4968 wrote to memory of 3320	4968	setup.exe	105
PID 4968 wrote to memory of 3320	4968	setup.exe	105
PID 4968 wrote to memory of 3320	4968	setup.exe	105
PID 3320 wrote to memory of 372	3320	cmd.exe	107
PID 3320 wrote to memory of 372	3320	cmd.exe	107
PID 3320 wrote to memory of 372	3320	cmd.exe	107
PID 372 wrote to memory of 4932	372	cmd.exe	109
PID 372 wrote to memory of 4932	372	cmd.exe	109
PID 372 wrote to memory of 4932	372	cmd.exe	109
PID 4932 wrote to memory of 1896	4932	cmd.exe	110
PID 4932 wrote to memory of 1896	4932	cmd.exe	110
PID 4932 wrote to memory of 1896	4932	cmd.exe	110
PID 372 wrote to memory of 2892	372	cmd.exe	111
PID 372 wrote to memory of 2892	372	cmd.exe	111
PID 372 wrote to memory of 2892	372	cmd.exe	111
PID 372 wrote to memory of 4116	372	cmd.exe	112
PID 372 wrote to memory of 4116	372	cmd.exe	112
PID 372 wrote to memory of 4116	372	cmd.exe	112
PID 372 wrote to memory of 4944	372	cmd.exe	113
PID 372 wrote to memory of 4944	372	cmd.exe	113
PID 372 wrote to memory of 4944	372	cmd.exe	113
PID 372 wrote to memory of 3448	372	cmd.exe	114
PID 372 wrote to memory of 3448	372	cmd.exe	114
PID 372 wrote to memory of 3448	372	cmd.exe	114
PID 372 wrote to memory of 4652	372	cmd.exe	115
PID 372 wrote to memory of 4652	372	cmd.exe	115
PID 372 wrote to memory of 4652	372	cmd.exe	115
PID 372 wrote to memory of 2344	372	cmd.exe	116
PID 372 wrote to memory of 2344	372	cmd.exe	116
PID 372 wrote to memory of 2344	372	cmd.exe	116
PID 372 wrote to memory of 2580	372	cmd.exe	117
PID 372 wrote to memory of 2580	372	cmd.exe	117
PID 372 wrote to memory of 2580	372	cmd.exe	117
PID 372 wrote to memory of 3632	372	cmd.exe	118
PID 372 wrote to memory of 3632	372	cmd.exe	118
PID 372 wrote to memory of 3632	372	cmd.exe	118
PID 372 wrote to memory of 3488	372	cmd.exe	119
PID 372 wrote to memory of 3488	372	cmd.exe	119
PID 372 wrote to memory of 3488	372	cmd.exe	119
PID 372 wrote to memory of 4616	372	cmd.exe	120
PID 372 wrote to memory of 4616	372	cmd.exe	120
PID 372 wrote to memory of 4616	372	cmd.exe	120
PID 372 wrote to memory of 220	372	cmd.exe	121
PID 372 wrote to memory of 220	372	cmd.exe	121
PID 372 wrote to memory of 220	372	cmd.exe	121
PID 372 wrote to memory of 1204	372	cmd.exe	122
PID 372 wrote to memory of 1204	372	cmd.exe	122
PID 372 wrote to memory of 1204	372	cmd.exe	122
PID 372 wrote to memory of 4660	372	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77.exe
"C:\Users\Admin\AppData\Local\Temp\57e04b94013d53c69084e954941a47677ff80afdfd8f1c062788b6f66ac74a77.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Anydesk /tr "C:\Users\Admin\AppData\Local\Temp\info.js
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2924
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\netsh.exe
    netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3060
- - C:\Windows\SysWOW64\route.exe
    route.exe delete 95.141.193.133
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C START /WAIT /MIN CMD.EXE /C "C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\Cleanup.cmd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\SysWOW64\cmd.exe
      CMD.EXE /C "C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\Cleanup.cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c whoami /user /fo list
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4932
      - C:\Windows\SysWOW64\whoami.exe
        
        whoami /user /fo list
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query HKU\S-1-5-19
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "IDMan.exe" /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "IEMonitor.exe" /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "IDMGrHlp.exe" /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "idmBroker.exe" /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "IDMIntegrator64.exe" /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "IDMMsgHost.exe" /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "MediumILStart.exe" /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        5⤵
        
        PID:3488
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        
        PID:4616
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        
        PID:220
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        
        PID:1476
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        5⤵
        
        PID:3356
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        5⤵
        
        PID:112
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:3104
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:3092
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:760
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        
        PID:3792
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        5⤵
        
        PID:436
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        
        PID:1908
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        
        PID:3576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        5⤵
        
        PID:4220
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        
        PID:4856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        5⤵
        
        PID:1336
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        
        PID:1808
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        5⤵
        
        PID:3852
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        
        PID:4720
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        5⤵
        
        PID:748
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        
        PID:4452
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4044
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        5⤵
        
        PID:1352
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        
        PID:752
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        
        PID:1892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        5⤵
        
        PID:3976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:4560
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        5⤵
        
        PID:4312
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        
        PID:1064
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        5⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        5⤵
        
        PID:2596
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        
        PID:5040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        
        PID:3640
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        5⤵
        
        PID:936
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        5⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        
        PID:1464
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        5⤵
        
        PID:1316
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        5⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        
        PID:5076
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        5⤵
        
        PID:3456
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        5⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        5⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        
        PID:232
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        
        PID:4392
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        
        PID:4372
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        5⤵
        
        PID:3200
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        
        PID:4444
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        
        PID:4740
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        5⤵
        
        PID:220
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        
        PID:3388
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        
        PID:3968
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        5⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        
        PID:5064
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        5⤵
        
        PID:8
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        
        PID:3840
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        5⤵
        
        PID:4316
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        
        PID:432
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        5⤵
        
        PID:3312
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        
        PID:3472
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        
        PID:4628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        5⤵
        
        PID:3652
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        
        PID:4032
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        5⤵
        
        PID:4016
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        5⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        
        PID:1372
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        
        PID:1528
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        
        PID:4872
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:212
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        5⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        
        PID:3580
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        
        PID:3420
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        
        PID:440
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        5⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        5⤵
        
        PID:1316
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        
        PID:4900
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        
        PID:2028
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        
        PID:5084
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f
        5⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        
        PID:3208
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}"
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}" /f
        5⤵
        
        PID:4496
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
        5⤵
        
        PID:800
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}" /f
        5⤵
        
        PID:4944
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}"
        5⤵
        
        PID:1576
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:3804
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}"
        5⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" /f
        5⤵
        
        PID:452
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}"
        5⤵
        
        PID:3632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f
        5⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}"
        5⤵
        
        PID:1204
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" /f
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        
        PID:3356
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}"
        5⤵
        
        PID:4632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}" /f
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        
        PID:3180
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}"
        5⤵
        
        PID:5100
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}"
        5⤵
        
        PID:760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Internet Download Manager" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Internet Download Manager"
        5⤵
        
        PID:5064
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Internet Download Manager"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Wow6432Node\Internet Download Manager" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\Internet Download Manager"
        5⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\Internet Download Manager"
        5⤵
        
        PID:716
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Download Manager" /f
        5⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Download Manager"
        5⤵
        
        PID:3576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Download Manager"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Wow6432Node\Download Manager" /f
        5⤵
        
        PID:1364
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\Download Manager"
        5⤵
        
        PID:2544
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\Download Manager"
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\DownloadManager" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\DownloadManager"
        5⤵
        
        PID:864
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\DownloadManager"
        5⤵
        
        PID:4060
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\Software\Wow6432Node\DownloadManager" /f
        5⤵
        
        PID:3168
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\DownloadManager"
        5⤵
        
        PID:4732
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Wow6432Node\DownloadManager"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Download Manager" /f
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Download Manager"
        5⤵
        
        PID:3652
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Download Manager"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Wow6432Node\Download Manager" /f
        5⤵
        
        PID:1352
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Wow6432Node\Download Manager"
        5⤵
        
        PID:752
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Wow6432Node\Download Manager"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\Wow6432Node\DownloadManager" /f
        5⤵
        
        PID:4428
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Wow6432Node\DownloadManager"
        5⤵
        
        PID:4336
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKCU\Software\Wow6432Node\DownloadManager"
        5⤵
        
        PID:4560
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Download Manager" /f
        5⤵
        
        PID:4312
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Download Manager"
        5⤵
        
        PID:1064
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Download Manager"
        5⤵
        
        PID:4700
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Wow6432Node\Download Manager" /f
        5⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Wow6432Node\Download Manager"
        5⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Wow6432Node\Download Manager"
        5⤵
        
        PID:1080
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\DownloadManager" /f
        5⤵
        
        PID:4164
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\DownloadManager"
        5⤵
        
        PID:4156
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\DownloadManager"
        5⤵
        
        PID:1072
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKU\.DEFAULT\Software\Wow6432Node\DownloadManager" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Wow6432Node\DownloadManager"
        5⤵
        
        PID:376
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\.DEFAULT\Software\Wow6432Node\DownloadManager"
        5⤵
        
        PID:3184
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM" /ve /f
        5⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM" /v "MData" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM" /v "Model" /f
        5⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM" /v "Therad" /f
        5⤵
        
        PID:1464
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU" /ve /f
        5⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU" /v "MData" /f
        5⤵
        
        PID:1316
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU" /v "Model" /f
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU" /v "Therad" /f
        5⤵
        
        PID:384
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "FName" /f
        5⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "LName" /f
        5⤵
        
        PID:2028
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "Email" /f
        5⤵
        
        PID:5084
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "Serial" /f
        5⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "CheckUpdtVM" /f
        5⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "tvfrdt" /f
        5⤵
        
        PID:640
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "LstCheck" /f
        5⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKCU\Software\DownloadManager" /v "scansk" /f
        5⤵
        
        PID:1860
- - C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
    "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3504
  - - C:\Windows\system32\RUNDLL32.EXE
      "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      PID:3012
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        
        PID:3804
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:4444
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:4660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:2480
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:4436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:4880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:864
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:2436
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" start IDMWFP
      4⤵
      PID:2188
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        5⤵
        
        PID:1352
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1824
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        
        PID:4428
- - C:\Program Files (x86)\Internet Download Manager\IDMan.exe
    "C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /rtr
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3888
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      PID:2588
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2988
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      PID:4036
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        5⤵
        Loads dropped DLL
        
        PID:2276
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      PID:3376
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4360
  - - C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
      "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4180
    - - C:\Windows\system32\RUNDLL32.EXE
        
        "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
        5⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:4380
      - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:2696
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:1648
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:3652
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:2836
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:3412
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        
        PID:1072
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start IDMWFP
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4448
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start IDMWFP
        6⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
      - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2424
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      PID:3100
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
        5⤵
        Loads dropped DLL
        
        PID:5008
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:548
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1860
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
      4⤵
      Loads dropped DLL
      PID:3764
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
        5⤵
        Loads dropped DLL
        
        PID:232
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
      4⤵
      Loads dropped DLL
      PID:5076
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2580
  - - C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe
      "C:\Program Files (x86)\Internet Download Manager\MediumILStart.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3388

C:\Program Files (x86)\Internet Download Manager\IDMan.exe
"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" -Embedding
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4672
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  PID:5064
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:244
- C:\Program Files (x86)\Internet Download Manager\Uninstall.exe
  "C:\Program Files (x86)\Internet Download Manager\Uninstall.exe" -instdriv
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1476
- - C:\Windows\system32\RUNDLL32.EXE
    "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      PID:3540
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:4856
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:4796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:4800
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:4136
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:1676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:936
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:3208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:4804
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start IDMWFP
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start IDMWFP
      4⤵
      System Location Discovery: System Language Discovery
      PID:3660
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
    3⤵
    - Loads dropped DLL
    PID:4496
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll

Filesize
73KB

MD5
d04845fab1c667c04458d0a981f3898e

SHA1
f30267bb7037a11669605c614fb92734be998677

SHA256
33a8a6b9413d60a38237bafc4c331dfebf0bf64f8057abc335b4a6a6b95c9381

SHA512
ccd166dbe9aaba3795963af7d63b1a561de90153c2eaefb12f3e9f9ddebd9b1f7861ee76f45b4ef19d41ca514f3796e98b3c3660596730be8d8eb9e1048ef59e

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll

Filesize
464KB

MD5
88f83ad79e64dcef42756a42d68799dc

SHA1
75ff8c043387529ea536e5f7da7d526ff066852a

SHA256
135f7df262609a992c197e1f6ba06285d14d755574f937f1aa67d177b5cf171b

SHA512
e366ef8db07191a6ab7099ddf88ad35ec2daba266a01ff498bf68f373cdd3984a7345ed957e0c1341f27fd4e0eddba3cbff43a23cb3c74979807376b438dcc7a

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll

Filesize
658KB

MD5
aa1c6adb00cf7a70f064077d546308b8

SHA1
3a3b53449c534d22c96a84355535edfa25861031

SHA256
dcc7186f3df09526db5e32b8e4224f7e1f15a26928f98edc7696142c8602f6a1

SHA512
01def578bd1fbd41160d1a9f3cb8f9fd28dfb46a86bc727f9084432ce6897e1d870ba8f0c18378034a1fd7d9389e58a939c3f9056d31c7ac819d307778640694

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMNetMon64.dll

Filesize
455KB

MD5
5f318a9cf9f20d8285c30377eae28894

SHA1
9f682a3dfc99662411d52a5dd2bed57b62a585c1

SHA256
abd5e04ef88c6be675a52bc4a088a7cfefebbe459dd232c80bf919b50793b28c

SHA512
ea9ce7b3796453fa2b0f0d4f9ab15bb0ea065fb89a397d4fb6581f0ae7264023648f2d4f819d4a366cb24aba48c9ed6d83ffe65b1bb08278386511bc01efe0e4

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll

Filesize
36KB

MD5
a3c44204992e307d121df09dd6a1577c

SHA1
9482d8ffda34904b1dfd0226b374d1db41ca093d

SHA256
48e5c5916f100880e68c9e667c4457eb0065c5c7ab40fb6d85028fd23d3e4838

SHA512
f700cf7accab0333bc412f68cdcfb25d68c693a27829bc38a655d52cb313552b59f9243fc51357e9dccd92863deecb529cc68adbc40387aad1437d625fd577f1

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDMan.exe

Filesize
5.4MB

MD5
6bfa07c101ef8f3708392bd3a13ee325

SHA1
03f057f942bb41b98a2b26daf6b6769aff11c770

SHA256
0456c1235db5460dfbab99520c95a0a9cf4c037c30aaca2fd76b0d3e8889d6ef

SHA512
191ecde5373321c6bac57eb57936affaa6cd6dc190a48482636044a722c80cdc422fbf752f03ad286bf426e39813cdaba67858402a753eaf4266cc87b581a92a

Download Submit
C:\Program Files (x86)\Internet Download Manager\IDManTypeInfo.tlb

Filesize
2KB

MD5
60adb0ad984d5c3a4289ced459913963

SHA1
f8508d53a8d9d46e7e437a9f9c04dbfaf4d69519

SHA256
d421d11ef7cf2b766ca6fbc8e837912b2100339c686d48ca56f650649f7b9343

SHA512
2ca09a3b971218fc7116871d854a44e1c1a7abb16afca73bcbfa1e92fda1b8cf82e9b93c3dbc7b4e0efb9e31874b8ac592f151b08428bf1281a8a8d977e3a3fb

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_am.lng

Filesize
179KB

MD5
04c2c4ae4447f4fcdfe9891b31815c31

SHA1
8933389fc3affea4b2be275c292dd8c20be73cd2

SHA256
59feb468b93278b65159ba506e930505d22e766a4795d44662c1e6ce0bbbcf00

SHA512
af5d4ac168ca53fba4ae1c4e0d822eebcedc97a3d6668fc5846f81930c34200518a62be190dfc895a44fdf659b125b14bb1e4466d3d088df5b7f25770f4f9303

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_ar.lng

Filesize
95KB

MD5
9a2557e3708d2812efc9c49c56cb082b

SHA1
2b955c2a77a845df080fea1b215de1a118ab0705

SHA256
0c48d9dd4c0611ac9117cd2ba08d164237a5304bc3c45c4154f717c67751ff90

SHA512
13b30db1dde45ea1fce0ef01e0e76e12b70ee3794026316a3d2fd4e35f04686aaccb130b8114c2d5a811d69980e105abdba0594760ca8231cf50b2b0e6c364d2

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_chn2.lng

Filesize
76KB

MD5
4ffc9407b04179d6ab6631891643310b

SHA1
f2e531a2e7582776d1a7e3fca9ac5bed75cc7eef

SHA256
cadc2511f15db0cb65ae2bb50fac6864ce765d207e08ddafd773ffbd0e3534d1

SHA512
e8c0819e61ace77b3263e478cefc7be8fc2c9267be48430b6b9a43be139be6256ec465522310f24502d8f6ed0da3a2dee1ef02ccc0c8e0eeb67b856b136becb8

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_cht.lng

Filesize
75KB

MD5
748fe90f8037e5ec3c6526334c6acd04

SHA1
0d6955b1b56f9440c3fea798efa528b4e4ff285a

SHA256
5ac9c869d9b2093509e52b503aa36a845cf0ca1cc638533196a85139b9c8ae52

SHA512
13d9c081d705cb9d645105f2eed272fbb16a0d9286ffc19bf8dc13bbcd172ef361f9041df37c7090676a79ffa520e3f38ffeae1197cb811c160440830e89fbb8

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_cz.lng

Filesize
96KB

MD5
ad49287674f036ad7a272fff8e468b20

SHA1
d3e2e3ee5ea5bcef5b4fe0e6195004220850858f

SHA256
449f23660278b268ce198c7ca7c1988e5aac4aa18928c45282f4f75a89904b66

SHA512
17bb5ef1eee005951b75d6e4ad5f4063c8dd43cd4984b794f322a98703e7ae2c85d29b91dd1b2b88149fd9ac9371d4ab54f0115f88c1693cbf8ed4deba2f73d4

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_de.lng

Filesize
115KB

MD5
4babfc1366167ee3b04b09a6e7cf5fcf

SHA1
eb7bd98d67a0b1d83e16845f76e0afd22410a5b7

SHA256
e205f37b208f4383f0813c61ef5f9839ef2cf4a6bae63aba0662072908550495

SHA512
7726b0ff86ef5116b1ddb8db3f69032753db2c6c56b99e538add1b91a2cc42ac36f429f78bd1e707f731485f898346ba37ca0af1405985aba3a10bdadeb5aa9d

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_es.lng

Filesize
116KB

MD5
e5223cc0f24b447e17f67012b4f1f026

SHA1
45e0c903b9186b11bc8cd1976425230393e63a8c

SHA256
da67c969d0ec5c9db04415ad27f98759dd580881b5e6d34839d4c6fb0b05ea96

SHA512
e3efab7ae4498aa55bad8483a78d5fe53af12392df90c3791e1ecc99aa71461faacd47a909babb97e54f7f7e5fda946bbccc552f25584997455c9571aa0a25b2

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_fa.lng

Filesize
108KB

MD5
88dba7e850c1a4e13e78322136a61c49

SHA1
e95de8aa4919b06ac6661bb4c973a95579303e27

SHA256
bdc81db3e7cab8d8022697065d5b1d328bc47423edef9530e3eb8db60c75a245

SHA512
391ccdbda3b36e93bf88a84eba614d8e09e0a5b17715f181ba0781e987b3cca093a21219d156051ef8e3eb300e1a091fba829ae909b5dd8e1d4ba25329dd5670

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_fr.lng

Filesize
127KB

MD5
1d7384f9a6b899c6f9ca68fedf1a6211

SHA1
74f3da4de29fec52bc29185077217dfc65da524d

SHA256
79e344289cdde986bcbba93585aaf74eefadcc4fddd17d93c8f22dd824b352df

SHA512
01722d536d4daa5eb61121bb3b20510491af9052ba499db786fd028d7cda527e01b1b6cab8c341760b1d4478da921b0b4001852f88936769fa389802fd4990c4

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_ge.lng

Filesize
255KB

MD5
94b39957358b8ad6fd44cb4d58cd0232

SHA1
57b1c7168e3cae19569967039db053a49d9676d6

SHA256
e84e133ad8b0fc2585c044913e8ad4cb17d7ceed622de4a56bd92376d5a350cb

SHA512
2bcfda91f964f5abcc5ae9b0d171171d41f63748e856187b4ae1032967bc99d63ce1b837985c343aea1fee1d3f16d22eea8138cb65a2178db99e8196da2def0a

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_gr.lng

Filesize
107KB

MD5
0bad5ec5d39de002eb7c225e0d840f7f

SHA1
1c0874e9e8b218a7d70cde10cdfc8727113651a2

SHA256
db65ef51d8abda581c13994d13186e1efb3c16879e6475720c841d72d41ebe15

SHA512
9ca1616bb941ccc3265c132a4e2585892a7ce4202f499a97e71b8f2d51d1bce5b3d9c88900a71a03b9c59e4c27345bcb454706304cdfe357dbae130906daad4f

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_hu.lng

Filesize
98KB

MD5
47220123da512c99d58fcb0c4b9fba78

SHA1
799c6f3e665076a4964585700f34904baeb2afe8

SHA256
35469c7f7d4c6e877a0101091f39ab4dd5abe81b2f6ba200d2c12c3f51614ac3

SHA512
5bae79a8e8bfa6c26a5449f06a2aafa7e3fe808f3bfe82fb38626364f4d41b551782113b4994a777609741d1381740c39f1f93996bdca9f55c565e2208a0432b

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_id.lng

Filesize
93KB

MD5
4fc37880503b46a5d2dcbbc86123a488

SHA1
c21bb4df2e426d462613e8f8cf8b0059a242e952

SHA256
6acd5c9b492bdfb69939bf364ac989fecd91f033eb7484a3dcad4d7490eaf653

SHA512
680d04cef9d8eeeae4c3a269a323d15268c1a529cd78977912c60818b5025cd1346c559f1053b030fdf12f9139cfd181cee242888cdd8ac5e8b870270e8a6739

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_it.lng

Filesize
122KB

MD5
6182604aac88708e17080093fb6e839b

SHA1
2141fb5f5d9d14d5a2efbfef4034251113b58794

SHA256
cb7b8a7c43f28e654666e6ef33246498ad0ef6bc30259915a60a881082e6b56e

SHA512
82c03ab69a4b66fe5851361a8bb7e0053c6617b7b40f34ba4f120f66f36635abc5dd3832c58f8ff3df0dbd346449ffc9139d52823c71231c2eb362fdb10f0b62

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_iw.lng

Filesize
83KB

MD5
cf4cf41a7dfdbed842d53ef67afdac9b

SHA1
014ce165ba3d4b2ec9edd6e818ac370068293fcc

SHA256
55eee12afc157cb1b51fff074e55a3cf63630fb036ded1b51207f91af9ac0fd3

SHA512
8b4e53079735b924d65a428935da251f06c6e74f8b5b73205651641c1e8eb63f675b46d1f7a6a38e321cb7294876feeaecb1bbf0cf5d5d15968c82926ed06a2a

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_jp.lng

Filesize
76KB

MD5
eb10dc0005b3dd71baef3e74d1ff43fb

SHA1
9eb7a8f6282be5e1401fdb27818c15d5566fcc2b

SHA256
0288dec15ddcd53646975ba87d1af968f124dc4cbb39a7bd0582da17a8feb84e

SHA512
21f27a1cb71106298552a4d8bcfb792b7ae2ad07ebc8a1b0f4dceee035f570f72f6cefb309fd53d0b5ea9c86f55f663bd494ef2e462866c7033c2c22b99ebb76

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_kr.lng

Filesize
85KB

MD5
dfb270eb35b8dc8133eb11afa9f8dd49

SHA1
1a5621424779f6d4de55356fba0c5c32de456b0a

SHA256
fb027598d5ec83f29e5b72941713cfcfe265f1da77d84e9e38eda1e39888a87a

SHA512
b18cc394c1ce4554beec25126c807822f5e59edf109fa0d1d56dab2f02107cf72fc4cc697fa7420e020d1681524b3ff710f23d851a807fcaef9ec3f80afb222c

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_nl.lng

Filesize
87KB

MD5
abdd394a90aefc9b0d45d1a3c5a8a2ce

SHA1
69018f131edbacf4681fedcaa1cde2dca6ef28d7

SHA256
13d0656e4cf72225491361ef03fafd5ba77ff6ed6b3a84b63fd2a08d20d11e8a

SHA512
6f3103c69ea98bcedb126eabf4b9520350bf6f8b1d52da5765e7163fa91d4a9f0bd8f185f3a46f08254489f628f36c3d6b303130689537932a176c1404188c44

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_pl.lng

Filesize
118KB

MD5
e3624fc46f45c08f392625230b7a7207

SHA1
0937957f304824b2e4ec1641f535d6aceb71b4bc

SHA256
300991c0e17ce62a9a3cfb25199cb807cb1204d54cd9511da277b857903612d4

SHA512
8b24da8d692efaec267f3019cf7e379d9a47e5f42ade9870d7ac3366483b93ec932aa61f8fd776dafdcc8bc339edfae4efda1f7d392291b4d1f811b8416a504f

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_ptbr.lng

Filesize
115KB

MD5
932049a7bf47e3f826c467f89745425d

SHA1
719b6eacabd4e244ca457bd3ee8b988d68fd34fb

SHA256
049396bff939fc33a2a8b1e1c00d40b56e5d2eef51d7c553ce2681c36f796d4d

SHA512
d555e3b88e757f1b341a71e957156c6ce2afed20645593e96a55c2bbdbf91c34b30f675eff0d7285740bdeb6f688a28591135fbd2fd94102cdc272569604a2c5

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_ru.lng

Filesize
106KB

MD5
1cbbeacec44b36b374f3a36c04d35b17

SHA1
1ddf82591ddee2a9f8b2a5e42bda771664a557e1

SHA256
2f0da35d7309616d7695b0b01c2cf06978caa5502104e1dcf0b3c1aa69823ba0

SHA512
6ceb4fc01dd39a09ed9f0ae3f8632e917a8bd67b8c7b4f9289fa5ea68110b3ede02811026704704fd64904cef1815c327b8cdfbdde7fbf9f1305d0321f45b547

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_sk.lng

Filesize
115KB

MD5
bb98edcd629bc5135131e995dd8178df

SHA1
8f81d988b5e85f11e5712669ed9cebb5ee7c4fdf

SHA256
23e5ccb3eeef49f031f1f27ad9822aafaeb2a8058df9e78a12ec02497b9f7bf5

SHA512
2d32de272942420faed0e2412129fbaf0c2c839d6ec5f13743f891fb9fe0eb2b29741615e84f3030879841d7e1b9b38b9ae9692217ee6afcb9779c0beed2feb5

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_th.lng

Filesize
97KB

MD5
4458f1ab858c6038f23b4ccde737ece4

SHA1
55021b07cab37920aa05e302d5d06993dfae5090

SHA256
e5769b1f1a9f22a53e988452248c5276d5c29ead02c5c3ebeba9767737dd88af

SHA512
7c3f5643c9476d328b9d8af8e8b264860af579deef09cc52051037c9b8798fbf0531f333923ec6a94e3fab1c190dc9240c530bfb3cc4edfe218319e0a5e64a53

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_tr.lng

Filesize
112KB

MD5
33de9de10d2d4225ad5a18d29cb75e81

SHA1
b3a74a3c527bf47398122b05467cb07a2d4d622b

SHA256
7d7b891c17c433ce646a70cbdf554e0e73b11248dcd029e783bc88d087bfa34a

SHA512
d7bb090f187b97adbaf202f2d43dbf929dca76631716fcd09cd72fbfaeeccddea917ae17aac210d5609b7441833baef31a222c1c1dacef014ddcaae36155a09c

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_ua.lng

Filesize
94KB

MD5
13f879e8a8238c677f1bc5224cf2b00f

SHA1
58a8ff0fef00de094ef4711adb88a8ee5d3d21c2

SHA256
6383699f275c757134f53ac62302ef9324de0e8255e4371e25d32e78585d7266

SHA512
ff11fffa35453ef5b270580aaaf900a9abbf74f5aa38eef4f28d097f9dec0f405af82ff72d74d6bbb0bf25e1acde96f60f9dd756b3bfeb1cf3d1062985a86d6c

Download Submit
C:\Program Files (x86)\Internet Download Manager\Languages\idm_vn.lng

Filesize
107KB

MD5
c6ebbfa4dfb862e634a1ed8a8a63f075

SHA1
1322df337e2248923db109700333cf6c66993698

SHA256
1425f4ee30f57ed854248fba10621f4aef9b40cf109a31f46bf635e252010113

SHA512
861a6a66438bdb93d5fb2f905fd71c4e9ef90a09f9a052219fbfd54d542def22a7dc57077212d3cf23cbc8070fd4660ecd959eabf2e18359eaecbe3b77de40ea

Download Submit
C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat.tbi

Filesize
171B

MD5
7383a950fd9cf4e544d6c0daa11f3dc6

SHA1
04b1f5372560a000aa87d3afd2d400e6fae5b9b2

SHA256
b4a3be388ba7abdbd86b9bbf6d775ac2505860d16f714c46e1b761b0ce706e1b

SHA512
b0b63c6a3e716c568a904b888b0516ae715d13b157b83f9973ae9758349c2df8232e7ca1aa2536e8010e81be333e55bf13f52f3922143d0ee77dc9a7ad16bc7b

Download Submit
C:\Program Files (x86)\Internet Download Manager\Uninstall.exe

Filesize
161KB

MD5
85ffda25e7f8584420496a45ff114eb5

SHA1
1ce8d2d592d1ca1509fb18a3d6cc8a251dc5c5f8

SHA256
124701995b3aefba458dc4f654ff2e6c8df014e9ab210525edc031abf24c0491

SHA512
5c07a29fc42e81a4591e8dbbea2a641b42a110bb31f4b6458794124246210af805bacd6949b95310038c5f19be392d33be081f2dce3946917e8972e00cc3fa90

Download Submit
C:\Program Files (x86)\Internet Download Manager\downlWithIDM.dll

Filesize
197KB

MD5
b94d0711637b322b8aa1fb96250c86b6

SHA1
4f555862896014b856763f3d667bce14ce137c8b

SHA256
38ac192d707f3ec697dd5fe01a0c6fc424184793df729f427c0cf5dfab6705fe

SHA512
72cdb05b4f45e9053ae2d12334dae412e415aebd018568c522fa5fe0f94dd26c7fe7bb81ccd8d6c7b5b42c795b3207dffa6345b8db24ce17beb601829e37a369

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmcchandler2.dll

Filesize
326KB

MD5
36b618f848d6dda620bf0b151eacf02d

SHA1
fce4b8bacd1b764c01051603e6548f8b458ee2b8

SHA256
1450146b904919474ef6d528b20a672a33a32afc4a1e40f69d515b523d72fa19

SHA512
b5cbadaa41ac4cfd634c6a7546a4d25116ea33b88f9d5136f2b8982299f3dc50b18b01b0afde4efa4a0fa28b48d539a4039196d9a983c43b4b4cd8395ec4d31b

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmcchandler2_64.dll

Filesize
451KB

MD5
5012ea14f13dd58ffeb14553824d8ebb

SHA1
416009ed1d66d9e19e6a5d0e45f90923892c94e1

SHA256
59ac02f5a0644bf56b7ad7e2b48fc8f89083f8cfe12a0a93f63163a5573a876f

SHA512
d86880353c24cff8580b799afcbe3e5319a2d454bb72fdad37f950d4470b51b3adf46e685bcae49111de6864543d5a51a6849e804cd32e292cabdb6d9c443617

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmfsa.dll

Filesize
94KB

MD5
235f64226fcd9926fb3a64a4bf6f4cc8

SHA1
8f7339ca7577ff80e3df5f231c3c2c69f20a412a

SHA256
6f0ed0a7a21e73811675e8a13d35c7daa6309214477296a07fe52a3d477578ad

SHA512
9c6be540cffb43211e464656c16cb0f6f88fb7224087b690ca910acbd433eaf5479508f088b6e6b5437dd260923e26dd928a861db6a3ce76607ad9e77628262d

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmvs.dll

Filesize
37KB

MD5
77c37aaa507b49990ec1e787c3526b94

SHA1
677d75078e43314e76380658e09a8aabd7a6836c

SHA256
1c55021653c37390b3f4f519f7680101d7aaf0892aef5457fe656757632b2e10

SHA512
a9474cefe267b9f0c4e207a707a7c05d69ac571ae48bf174a49d2453b41cffd91aa48d8e3278d046df4b9ce81af8755e80f4fa8a7dacbf3b5a1df56f704417b2

Download Submit
C:\Program Files (x86)\Internet Download Manager\idmwfp.inf

Filesize
2KB

MD5
166e36297b7ea7326c4c74061ba2e8ef

SHA1
85d55e3be7a505a8ce154e9693670fabe5c2f3a6

SHA256
65c1ddf7a040192e05f01d4e289a0c3ccf42a86e8bbc32b0185de5bb86c4fc4b

SHA512
333c538cd67cda1521668eb69f5cd7017cd5b26647d6aee49151a45881ed16960574407401303c8c5b602a12d9511a484ad3495c8cae6f201fbcc44bd5a12564

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.js

Filesize
36KB

MD5
f41480f6f0858cdabe2ceea3e0020041

SHA1
83dd98a7de70dc21f39a52e6ed27b9f6c85fd6bd

SHA256
83286f93ec6cdf32c96e9f8e5466d5ff24ac240db67a42e6da99b79dccf90eab

SHA512
8427357325ea628e3447741304844fb307b3e1910b6d68bd83198610f6078f81b0fe46144e197d3c2732e26045b31020348e1ab27c0b16b5f331a1648a573ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\Aero.dll

Filesize
6KB

MD5
869c5949a10b32d3a31966cc5291301b

SHA1
329080c974d593ecdefd02afa38dd663a10331c4

SHA256
b19961de6ca07e08704d6372718542f70dbbb203e59bf9bbe3a58f6e069a625c

SHA512
3b9dde16e9ca803b1048243dbf29c717ac0472dffa764542c234318a960828834aa650b1dfb8bba66c4e7a9ce3aaf453829afc57dfb33dc8c311d203150d4fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\Cleanup.cmd

Filesize
10KB

MD5
83b35ccf8c895db938a399c0802fc04b

SHA1
f3dd65310b93d474c991f50231711957463a1540

SHA256
051a2e1c9188161b792787d643d635351e5a4e319af94b79e13056c340302915

SHA512
8caaa8b04b18a6898f172dc792fd09bf8423e6a5e3ab250dac043812eb0a0710ff2eb925112b00ca347c7c1587e81c449ec2e8f2fd322ca094b4f2d3dd78401d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\LangDLL.dll

Filesize
5KB

MD5
109b201717ab5ef9b5628a9f3efef36f

SHA1
98db1f0cc5f110438a02015b722778af84d50ea7

SHA256
20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319

SHA512
174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\inetc.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\newadvsplash.dll

Filesize
8KB

MD5
55a723e125afbc9b3a41d46f41749068

SHA1
01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c

SHA256
0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06

SHA512
559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\nsDialogs.dll

Filesize
9KB

MD5
ec9640b70e07141febbe2cd4cc42510f

SHA1
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

SHA256
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

SHA512
47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB6BF.tmp\repackme.gif

Filesize
6KB

MD5
23d3840adb8f4f1efc083a1f7e640191

SHA1
adf0c7daa49637767b2abe2f390d1da4780eea9c

SHA256
82a1454402156d74f4f23c992d5d772b665546208eff44790871b8dcb36d2304

SHA512
7743a17141581ffa8023097678bf2eaf6db7d337af45052d00caba74f21f13e7ffa95097b629c3a28a3366eda873afdce240344adfdf7c0ef662a0ba0fe6db25

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
8.5MB

MD5
99bb51fcdb17ce1d306d47ea756100c0

SHA1
408f498f73abd509d2f4c7fdbf88d63e09b9d02c

SHA256
6c96205eafa8c750afc2c3d9e316a633e0af3ef8a1dafce0176503af81ae52f8

SHA512
85350c8c587df6618468ed859a33f7ac5884ad4f20f8518c6a11f46bbc62aa126da7eb197855b48468901ea61f410c2a6c9054274c38ca32dd59c7c3d3d9c11b

Download Submit
C:\Windows\System32\drivers\idmwfp.sys

Filesize
223KB

MD5
2aa81ab974c62144c8678f2cb3b6b7f4

SHA1
717e6ce7b216aa27f9c51942319400399f2e902c

SHA256
d48f8f9db8e128e72b1c6faafc3e6b3af49d4a7e295e057479bc6ff12359e0a2

SHA512
4fd394bb68f4da1a10cc002a1f96c74f81bf61502f10eb6d8187e3e983c025be06b59b950f508d320e39c396981ab1d7244a1dc6837183dc610cb3da4efb2b54

Download Submit
memory/1476-578-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3504-422-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3504-430-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4180-565-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4968-49-0x0000000075110000-0x0000000075119000-memory.dmp

Filesize
36KB

Download
memory/4968-61-0x0000000075110000-0x0000000075119000-memory.dmp

Filesize
36KB

Download