Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-vbh9ssfe58
Target Downloadly.zip
SHA256 a88edca3b030046fe82e7add6da06311229c5c4f9396c30c04ab3f0b433eac6e
Tags: discovery persistence
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256: a88edca3b030046fe82e7add6da06311229c5c4f9396c30c04ab3f0b433eac6e

Threat Level: Shows suspicious behavior

The file Downloadly.zip was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Adds Run key to start application

Downloads MZ/PE file

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-02 16:48

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-02 16:48

Reported: 2024-03-02 16:49

Platform: win7-20240221-en

Max time kernel: 30s

Max time network: 39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x2s443bc.cs1.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Downloadly = "\"C:\\Users\\Admin\\Programs\\Downloadly\\Downloadly.exe\"" C:\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp N/A

Downloads MZ/PE file

Checks installed software on the system

discovery

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = <certificate blob omitted from report> C:\Users\Admin\Programs\Downloadly\Downloadly.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\Programs\Downloadly\Downloadly.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = <certificate blob omitted from report> C:\Users\Admin\Programs\Downloadly\Downloadly.exe N/A (repeated 3 times)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\Programs\Downloadly\Downloadly.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp N/A (repeated 2 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Programs\Downloadly\Downloadly.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp N/A (repeated 64 times)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Programs\Downloadly\Downloadly.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Programs\Downloadly\Downloadly.exe N/A (repeated 2 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\x2s443bc.cs1.exe C:\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp (repeated 7 times)
PID 3024 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp C:\Windows\SysWOW64\taskkill.exe (repeated 4 times)
PID 3024 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp C:\Users\Admin\Programs\Downloadly\Downloadly.exe (repeated 4 times)
PID 1972 wrote to memory of 432 N/A C:\Users\Admin\Programs\Downloadly\Downloadly.exe C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe (repeated 7 times)

Processes

C:\Users\Admin\AppData\Local\Temp\x2s443bc.cs1.exe

"C:\Users\Admin\AppData\Local\Temp\x2s443bc.cs1.exe"

C:\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp" /SL5="$8011E,15784509,779776,C:\Users\Admin\AppData\Local\Temp\x2s443bc.cs1.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im Downloadly.exe

C:\Users\Admin\Programs\Downloadly\Downloadly.exe

"C:\Users\Admin\Programs\Downloadly\Downloadly.exe" EnablePro

C:\Users\Admin\Programs\Downloadly\Downloadly.exe

"C:\Users\Admin\Programs\Downloadly\Downloadly.exe"

C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe

C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /AllowStatusPage=false /ShowUI=false /DIR="C:\Users\Admin\Programs\Massive"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.joinmassive.com udp
AT 18.66.27.82:443 api.joinmassive.com tcp (repeated 8 times)
US 8.8.8.8:53 downloads.joinmassive.com udp
AT 18.66.27.42:443 downloads.joinmassive.com tcp (repeated 2 times)
US 8.8.8.8:53 api.segment.io udp
US 35.155.246.37:443 api.segment.io tcp
US 8.8.8.8:53 cdn.computewall.com udp
US 172.67.68.80:443 cdn.computewall.com tcp
US 35.155.246.37:443 api.segment.io tcp

Files

memory/1708-1-0x0000000000400000-0x00000000004CC000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp

MD5 0d5dc73779288fd019d9102766b0c7de
SHA1 d9f6ea89d4ba4119e92f892541719c8b5108f75f
SHA256 0a3d1d00bfdbded550d21df30275be9bca83fb74ca3b2aabd4b0886a5d7cc289
SHA512 b6b1cf77bcb9a2ad4faa08a33f54b16b09f956fa8a47e27587ad2b791a44dc0bd1b11704c3756104c6717abcaffc8dd9260e827eccd61551b79fcedd5210fe61

memory/3024-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1708-15-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3024-16-0x0000000000400000-0x0000000000705000-memory.dmp

C:\Users\Admin\Programs\Downloadly\Downloadly.exe

MD5 c64463e64b12c0362c622176c404b6af
SHA1 7002acb1bc1f23af70a473f1394d51e77b2835e4
SHA256 140dcfc3bde8405d26cfe50e08de2a084fb3be7cf33894463a182e12001f5ce7
SHA512 facd1c639196d36981c89048c4e9ccf5f4e2a57b37efc4404af6cafb3ec98954fe5695b0d3a3ee200b849d45d3718b52cce0af48efba7c23b1f4613bcaa35c0a

C:\Users\Admin\Programs\Downloadly\Downloadly.exe.config

MD5 894f0bab00555ff07b8a97a05ef659fc
SHA1 e3a469e2654ab2630e13243b432abdbcd269836c
SHA256 6b56cc5c8bbc5cad7f55212643ed4a7408b43fa297642f250a05d3a59be21a8f
SHA512 697673191d1491652d0d42ca727b1be11cdf59ab11fe3330bdea8134de3ae32f4e83482c09e588b5b542ed869e1e5dc9e1094533b666d30f28b298f9046e8785

memory/1972-149-0x000000013F840000-0x000000013F8C4000-memory.dmp

memory/1972-150-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/3024-153-0x0000000000400000-0x0000000000705000-memory.dmp

C:\Users\Admin\Programs\Downloadly\log4net.dll

MD5 e4b95eee136c9c270f9b69b72162f300
SHA1 2b774fcfe5072b4c9ad61c9ebe7d0f26a57dc0ab
SHA256 02017ccacc6855755e8568f411ed248394606c004689119b59bb9ec8134caa39
SHA512 223e593a6bfa57353685ab4b5d77cced8c0dbf07ebdbd2b21077460f0a176428e8fea18eda98e65adc5e95844f089bbe5cc07362eda8cc1afdd9a4d5d95c3d46

memory/1972-155-0x0000000000530000-0x0000000000576000-memory.dmp

memory/1708-156-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1972-157-0x000000001C420000-0x000000001C4A0000-memory.dmp

memory/1972-158-0x000000001C420000-0x000000001C4A0000-memory.dmp

C:\Users\Admin\Programs\Downloadly\Analytics.dll

MD5 4bfda9b9b1176dc30c84a70fed2c1316
SHA1 72b1921cec6686f52d05a5d0cbed274cd01a0f00
SHA256 2d17ed0895df0d2f958573eb601a1485604e63d9f8ff905fc1fc74f1c43b2904
SHA512 178939745a74943c239db8c740a8f547649004df5c5b469d55967d69008803377bb47befc158b1d6faef421f0c5b583e975d55207c6f92a5b8769c2ae83ce9d1

memory/1972-163-0x00000000005C0000-0x00000000005D0000-memory.dmp

memory/1972-164-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/1972-165-0x00000000005B0000-0x00000000005BA000-memory.dmp

C:\Users\Admin\Programs\Downloadly\Newtonsoft.Json.dll

MD5 785ee25cc12c75540fbcf20dbdd08140
SHA1 e94dac0a508e27a30a5472b2ebfa1016889a42f5
SHA256 d091c67e46698a82bf806eaf2d2c13c3da5d5aa858ba2ad1891fc7a5ddbb4de1
SHA512 a70cae48b3291b9abcfb003289c1567dbc2be9b542501c3bb70c58ec6c730d545b7aaff8f4c6e3a254225670c3b4ce91e0436515089173d020dd09ba6eef8873

memory/1972-167-0x000000001E1B0000-0x000000001E260000-memory.dmp

memory/1360-170-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/1360-171-0x0000000000810000-0x0000000000890000-memory.dmp

memory/1360-174-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

C:\Users\Admin\Programs\Downloadly\AppIcon\icon.ico

MD5 3387dda8a9109717168b2691a8c5bdd9
SHA1 ede213dc7dc627177aca420745a883b4cc1fde13
SHA256 99c2bab37ee04bc9dc210bef0365120ceb55f7d2f859eb1823c1a9d23ad75482
SHA512 581f0fe668584b5872cbc64e03296090ba323d83d250cee9aa65430cffb35c1dc367c04245f7f89643c752cfc3b8a681fa7a842355d52da1e98e1708c6749ff9

C:\Users\Admin\Programs\Downloadly\WinSparkle.dll

MD5 598e7f89a37d006066a497440a8fbfd8
SHA1 067508e7621e8106a7d32587d2b17176172417ad
SHA256 f5f8540822f4c449364e0f71fdf85b33dfca50e73bdc0d59dd6de2cbde367bf3
SHA512 f8c2c73498f0e42ed7dadd8b8af257ead79e8404856bf0877cd71028564a9be9e9787fe40b54e5ffe00f863140fa987302a52399143d97b23bcc0df83b12626b

C:\Users\Admin\Programs\Downloadly\Massive.dll

MD5 aa8a9be864bb1e25c6c371834beace33
SHA1 e3904292b2ca564258c9278d6cd5cc7dfc69f95e
SHA256 b384459db379a1f47877f38b5d0e6f615ee1811230ad5d1f456c800e63f0246d
SHA512 8ba1bcb21509276ac21146329c5b3508cd68fdaabf462d1579fd6e63992d72d74fbe095e0c242eec9d9f1e1c165b5d0be065b341b5e74c1ab84441cca7358806

memory/432-185-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe

MD5 d0281d1056c23d6df08c5475aed431ed
SHA1 6dc430f44945a04533fb303b621cbea02601f47f
SHA256 c11d3a7f835d0ce0fa06ed1bfb54fabdc94fd4dd2e43468d0f9a5aa47b92588e
SHA512 14104544b99ded467d9aac44d56265aa7eda4ceb6fd2899f0384294ceaaab8d1030dd3a4aee2428db17f203981eade8184e9152a924400f3927760ecdda801d4

C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe

MD5 c9c91145c227822491ef989de89c61c3
SHA1 1cfd0305db7744fe055a37e2f63f1b44dc13a1f0
SHA256 cd99293dbc2f06811ab6b5185c865e43c2a717584f71a64cc70fe427ec58820c
SHA512 627a2634650f02a75f2e3bba2ef17e582c10c36caf1d16a61831c3d3c9a0b4d1454db1b3589039925969718ad55d15971dba987ddb785294504cd817ef4ec7fd

memory/1972-188-0x000000001C420000-0x000000001C4A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFCA9.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarFE55.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51f01421ebbc13fa5f5f257b303250f6
SHA1 3953ae333046c486aec5c195edcaff90b481019e
SHA256 f4218ab1b355bde5e77beb713c5b5e74c0b216e68f9ac0eca0bafb2aac7fe759
SHA512 b0dafffe27f1ef4a862d253a22b1eef3771801e8254fd3c797b946b5cead1b5c6ee485dabe175d6110b3a69484a224c8ca8d6efde935fbdb41caf4af674a00c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c419e3f761156e725f8e1a95aba4aa8
SHA1 893f9ac5e8f5b2df1bcc928cd8f264f104603e49
SHA256 c6b5af4bc63b93671eecad6b6268d9a5d39ebafeb65e686840f99bce62411e92
SHA512 cc154a54d578d49ba193a853ceff2b10b78f0d88e36a829b2f5330608e21b1e04743300e1ab881769bb69c928d3d09967babe435629a8d94a8223397ccfe668e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 382a7e928c9c5a02dea7c3460db888b8
SHA1 0e280033590a278a0a47bda810cef8b4bebffe3c
SHA256 dbce99c9f569624bbdff29e14a61cb711865e78dbd112cedccfa4ac334eff579
SHA512 b2fd70e2ec0ca4c8d518856a34a3c77846c075cc2b15c440a225e8e5bdfcf5dbe81de54f6a63a343bfaf5e85b20f644f8ceb7c1b523189cf11416c4fd7342849

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af611a84dc72b58877799efbe93028ec
SHA1 14b74a620562f57d8b97ced027a7c81098f32f2b
SHA256 6eaca4b391ede5356b20445c405e096dfafe3035538791d36a7047e9664416eb
SHA512 79b9d77b73dd9553bd4d7bd12968c3886ea72ce704aff75d27bc57b787bb8e0d2cb43206589665ef8ccb8ea1447161b4df626dc4d6994fb7715ed04053408c49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ae14c7e6612143f5fdb38ad48654247
SHA1 e28e842c401b1e1c357184f62bca93666a1a6e72
SHA256 5558c463b4b547db5e24226074f54fe889f72ba4e4f7f077852c9d5021c0aaf1
SHA512 b1baa10ac7551d122dcf364151ce4b282909408264a7c4e441ef9035013bc2b06ca8cc2e850200f84d8d1ae36707a64100374fbc5dd7b6d7a39d4fad55d34dd3

memory/1972-423-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e23f201f682d75254eefa16564cbb247
SHA1 6b149415704a3253c9ac6f0583ec0a846155754f
SHA256 c3f3b80e0e25594fc9881353a0b0f4ca623d1147945eb7c31e7689da338bec85
SHA512 971b638786e4c5a674c78e9aa50b71a70ac93f3441b3ccbc874fb033b3db44dd6cb30b24c975093b1cdf99d578e9707e0cb97a5f376580994817aa427066252b

memory/1972-451-0x000000001C420000-0x000000001C4A0000-memory.dmp