0c4950be3e7d765fad2a533a75ee0b4a6541a35220624aadbee3d6ac5434cd36

Analysis

max time kernel
87s
max time network
90s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15/04/2024, 23:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fdm_x64_setup.exe
Size

41.2MB
MD5

2dffb2a3f68ce9b506f4aa14ceaf433a
SHA1

5d0008687f2bfecbeca68279cbbfbb9791797e36
SHA256

0c4950be3e7d765fad2a533a75ee0b4a6541a35220624aadbee3d6ac5434cd36
SHA512

6de3cd0c8e67b4bec40d01ee099bbbf450ba8321a23b515cfe50e7ebd64605a920513cb46fd41bce61fcafc246b1b8d27a60c31db56bf182d727cf362c770976
SSDEEP

786432:JmUBy8Nm0t6A4md+ipMJ1sIa/ZpsV29K61cIXhjzpFzrPHyA:9yJb+dyJyI0ZCi1c8hP3zr

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3180	netsh.exe
1256	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	fdm.exe

Executes dropped EXE 8 IoCs

pid	Process
2160	fdm_x64_setup.tmp
4840	helperservice.exe
8	fdm.exe
1808	importwizard.exe
2104	fdm5rhwin.exe
3608	fdm5rhwin.exe
1804	fdm.exe
1116	importwizard.exe

Loads dropped DLL 64 IoCs

pid	Process
4840	helperservice.exe
4840	helperservice.exe
4840	helperservice.exe
4840	helperservice.exe
4840	helperservice.exe
4840	helperservice.exe
4840	helperservice.exe
4840	helperservice.exe
4840	helperservice.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
8	fdm.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe
1808	importwizard.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Download Manager = "\"C:\\Program Files\\Softdeluxe\\Free Download Manager\\fdm.exe\" --hidden"	fdm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fdm.exe
File opened (read-only)	\??\F:	fdm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	mediafire.com
10	mediafire.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Material\is-89PP2.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\unins000.dat	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-SIFBG.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\networkinformation\is-ABC9S.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQml\Models\is-1ON6B.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Fusion\is-7AE58.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-02R91.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\imageformats\is-RPFS0.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\impl\is-IDNLD.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Dialogs\quickimpl\qml\is-9VSTK.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\NativeStyle\is-BOT9T.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-CKC33.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Imagine\is-NE4QC.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Material\is-1E8KB.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Particles\is-NT5QQ.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Imagine\is-LMM0T.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\is-LNIBT.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Dialogs\quickimpl\qml\+Universal\is-V4OLV.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-QSRS8.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-L3SP3.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Basic\is-2HH9F.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Basic\is-VOELU.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Imagine\is-A2SA8.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\LocalStorage\is-TNVV4.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\Qt5Compat\GraphicalEffects\is-SIN6Q.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQml\XmlListModel\is-403T6.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Basic\is-ONDBG.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Imagine\is-PG621.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Dialogs\quickimpl\qml\+Material\is-NTDV8.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\torrents\is-6N5DK.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-3AAD3.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\Qt5Compat\GraphicalEffects\is-MR2FA.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Basic\is-9RT9Q.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Imagine\is-EDUHP.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Material\is-85H6L.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\is-OB5GC.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\NativeStyle\controls\is-AOMA9.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\tls\is-FH7E8.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\imageformats\is-GVK22.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\Qt5Compat\GraphicalEffects\private\is-6GTCV.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Material\impl\is-3MKMV.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\is-BT8FB.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\is-MQ8O7.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\is-S0BAA.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-L3IIK.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-94RNG.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Window\is-DVEDM.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-ASQUJ.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\Qt5Compat\GraphicalEffects\private\is-AA5KQ.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Basic\is-HEULQ.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\is-S89H5.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\is-2D3J3.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Material\is-0LRR7.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Basic\is-ESEU3.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Material\is-E1NU4.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\tooling\is-VMOQ4.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\translations\main\is-L6KVD.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Basic\is-016U7.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\is-N26PG.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\is-BSP3M.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\is-TC8C4.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\LocalStorage\is-F2863.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\is-BA0PO.tmp	fdm_x64_setup.tmp
File created	C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Imagine\is-6SJA6.tmp	fdm_x64_setup.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3836	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\fdm.exe = "1"	fdm_x64_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\fdm.exe = "1"	fdm_x64_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING	fdm_x64_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fdm.exe = "11000"	fdm_x64_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	fdm_x64_setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fdm.exe = "11000"	fdm_x64_setup.tmp

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	fdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	fdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	fdm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	fdm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	fdm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	fdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\fdm	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	fdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	fdm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	fdm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 600031000000000084583d6310004d594e4f54457e310000480009000400efbe84583c6384583d632e0000000ba10100000001000000000000000000000000000000aa99d7004d00790020004e006f007400650062006f006f006b00000018000000	fdm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\fdm\{17FF5AC0-1D17-4A53-A10F-85E3EFA3DF17}	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	fdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	fdm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ad8518738a8fda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\fdm\Content Type	fdm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	fdm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	fdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	fdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\fdm\ = "URL:fdm link"	fdm.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\fdm\shell	fdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	fdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "3"	fdm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	fdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	fdm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	fdm.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
8	fdm.exe
1804	fdm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2104	fdm5rhwin.exe
2104	fdm5rhwin.exe
3608	fdm5rhwin.exe
3608	fdm5rhwin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1804	fdm.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4844	MicrosoftEdgeCP.exe
4844	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	8	fdm.exe
Token: SeDebugPrivilege	4492	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4492	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4492	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4492	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1468	MicrosoftEdge.exe
Token: SeDebugPrivilege	1468	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2160	fdm_x64_setup.tmp
1804	fdm.exe
1804	fdm.exe
1804	fdm.exe
1804	fdm.exe
1804	fdm.exe
1804	fdm.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1804	fdm.exe
1804	fdm.exe
1804	fdm.exe
1804	fdm.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1468	MicrosoftEdge.exe
4844	MicrosoftEdgeCP.exe
4492	MicrosoftEdgeCP.exe
4844	MicrosoftEdgeCP.exe
1804	fdm.exe
1804	fdm.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2160	216	fdm_x64_setup.exe	73
PID 216 wrote to memory of 2160	216	fdm_x64_setup.exe	73
PID 216 wrote to memory of 2160	216	fdm_x64_setup.exe	73
PID 2160 wrote to memory of 2496	2160	fdm_x64_setup.tmp	74
PID 2160 wrote to memory of 2496	2160	fdm_x64_setup.tmp	74
PID 2160 wrote to memory of 3836	2160	fdm_x64_setup.tmp	76
PID 2160 wrote to memory of 3836	2160	fdm_x64_setup.tmp	76
PID 2160 wrote to memory of 4844	2160	fdm_x64_setup.tmp	78
PID 2160 wrote to memory of 4844	2160	fdm_x64_setup.tmp	78
PID 2160 wrote to memory of 1256	2160	fdm_x64_setup.tmp	81
PID 2160 wrote to memory of 1256	2160	fdm_x64_setup.tmp	81
PID 2160 wrote to memory of 8	2160	fdm_x64_setup.tmp	85
PID 2160 wrote to memory of 8	2160	fdm_x64_setup.tmp	85
PID 8 wrote to memory of 1808	8	fdm.exe	86
PID 8 wrote to memory of 1808	8	fdm.exe	86
PID 2160 wrote to memory of 2104	2160	fdm_x64_setup.tmp	90
PID 2160 wrote to memory of 2104	2160	fdm_x64_setup.tmp	90
PID 2160 wrote to memory of 3608	2160	fdm_x64_setup.tmp	93
PID 2160 wrote to memory of 3608	2160	fdm_x64_setup.tmp	93
PID 2160 wrote to memory of 3180	2160	fdm_x64_setup.tmp	95
PID 2160 wrote to memory of 3180	2160	fdm_x64_setup.tmp	95
PID 2160 wrote to memory of 1256	2160	fdm_x64_setup.tmp	99
PID 2160 wrote to memory of 1256	2160	fdm_x64_setup.tmp	99
PID 2160 wrote to memory of 1804	2160	fdm_x64_setup.tmp	103
PID 2160 wrote to memory of 1804	2160	fdm_x64_setup.tmp	103
PID 1804 wrote to memory of 1116	1804	fdm.exe	104
PID 1804 wrote to memory of 1116	1804	fdm.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fdm_x64_setup.exe
"C:\Users\Admin\AppData\Local\Temp\fdm_x64_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\is-MUQLR.tmp\fdm_x64_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MUQLR.tmp\fdm_x64_setup.tmp" /SL5="$8008C,42260626,832512,C:\Users\Admin\AppData\Local\Temp\fdm_x64_setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /end /tn FreeDownloadManagerHelperService
    3⤵
    PID:2496
- - C:\Windows\system32\schtasks.exe
    "schtasks.exe" /create /RU SYSTEM /tn FreeDownloadManagerHelperService /f /xml "C:\Program Files\Softdeluxe\Free Download Manager\service.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3836
- - C:\Windows\system32\schtasks.exe
    "schtasks.exe" /change /tn FreeDownloadManagerHelperService /tr "\"C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe"\"
    3⤵
    PID:4844
- - C:\Windows\system32\schtasks.exe
    "schtasks.exe" /run /tn FreeDownloadManagerHelperService
    3⤵
    PID:1256
- - C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe
    "C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" --install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Program Files\Softdeluxe\Free Download Manager\importwizard.exe
      "C:\Program Files\Softdeluxe\Free Download Manager\importwizard" 3FE02402165644D986B63DE6638495E4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1808
  - - C:\Windows\system32\LaunchWinApp.exe
      "C:\Windows\system32\LaunchWinApp.exe" "https://www.freedownloadmanager.org/afterinstall.html?os=windows&osversion=10.0&osarchitecture=x86_64&architecture=x86_64&version=6.20.0.5510&uuid=b44d91a6-9d36-4a7d-b27f-9a8f458f9b14&locale=en_US&ac=1&au=1"
      4⤵
      PID:3300
- - C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe
    "C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe" 21907CB0205CFF989F82C03684A01B86 phase1
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2104
- - C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe
    "C:\Program Files\Softdeluxe\Free Download Manager\fdm5rhwin.exe" 21907CB0205CFF989F82C03684A01B86 phase2
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3608
- - C:\Windows\system32\netsh.exe
    "netsh.exe" firewall add allowedprogram program="C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" name="Free Download Manager" ENABLE scope=ALL profile=ALL
    3⤵
    - Modifies Windows Firewall
    PID:3180
- - C:\Windows\system32\netsh.exe
    "netsh.exe" firewall add allowedprogram program="C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" name="Free Download Manager" ENABLE scope=ALL profile=CURRENT
    3⤵
    - Modifies Windows Firewall
    PID:1256
- - C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe
    "C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe" --byinstaller
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Program Files\Softdeluxe\Free Download Manager\importwizard.exe
      "C:\Program Files\Softdeluxe\Free Download Manager\importwizard" 3FE02402165644D986B63DE6638495E4 --printFdm5Setting=ExpectingUpdateToVersion
      4⤵
      Executes dropped EXE
      PID:1116

C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe
"C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Softdeluxe\Free Download Manager\MSVCP140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\MSVCP140_2.dll

Filesize
182KB

MD5
e35261e9f4478aabe736bb2269c20b59

SHA1
f17330804c159418d4acf7a803662b8c1f7686fd

SHA256
366af8e071f004da5d95a832a46b2e8821a8e0294340a93f7c95cf48c441067e

SHA512
2694d21431e9b72a9591c4658dc3ade5795a52fcf2bc8631928181a7aeee49184cf741d50e28581b96d439360d21cb176c6bb011db4fa742a2fc64afa38baaf9

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Core.dll

Filesize
5.4MB

MD5
35d53341ac216d0fb3110db4a7a64682

SHA1
665de22a218c8c11ba16a8164cd461d61032c811

SHA256
ef9a8048a33001b552601b7e0a9a5adeecad429bbfd3281e2223656cdea692d5

SHA512
c32c13c970a58661e34efaacf7772bf70c1f50bf4ecf1bbcce436d09ce2beef1224d36d77e5e825fc08acbb0f0a9db9766c2cfa6366694d9841acacf92855788

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Network.dll

Filesize
1.3MB

MD5
af8bc0a820105e41ce20b69e650f10f9

SHA1
6dff5b88ddeb89f44d34b2908e7302feb46c1851

SHA256
81d3f7ebc99fbcef29f44ed70c78574c25607ca58f33908b1fc522f6a0935c77

SHA512
ce92932b144aab73e214a38654dc9c6f005f5a71bef900570d258f9d045582524dc808b15d5d31bdd7ae32f3be82d5dc448c683ab940c935e0da3bf08a111c3b

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6OpenGL.dll

Filesize
1.8MB

MD5
2ff088c11c249368f64be39013e7761d

SHA1
b8e912b8d014de30542fed23997512a7353f0bb8

SHA256
da03bc40f15939b59a0d11f2c4f4ac1e7323eee548d0d0561a9b0ea806223f9a

SHA512
39b4a916fb8feb1fbcb27244811e4d40a3d2d697ae8c97b7e121ebe1032e0b364ebbc1abafdba714931e623e8c53f622d5301d622a81fa2a6fdbc9f5fc60db96

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6QmlModels.dll

Filesize
659KB

MD5
12aee243dea816f3fac0d08d802312b2

SHA1
38e22fc1a743cd86c016042e7734314dae545144

SHA256
b48cdbf0e4345e7f3c2286845ae1104ea7912da506d9e9a4fec6495b01b26ad9

SHA512
27e0168a02264c4b4ce72f6d8dad5674c8d0907ef3d76b391b08af4d533c46a09d77e61afebb4593d28c1a8246a846e78c3856e7bb7f3c82dea9b27f3a4fa565

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6QuickControls2.dll

Filesize
63KB

MD5
0d29044c0c0ee85acee45172a535a224

SHA1
22455ffa59e15f081a08680144ec4ad3d8d09fb6

SHA256
97a054561a765babe850db982ebd8d245aad0869196ca95c52808689fa3fe596

SHA512
5e28d3c5bb7dedcfd599c3166f8348c87fd170ec29059b96320a6bc140c84da64e3d27aadcc16688f5b8ad6d846dd3837c0655ad388a200e7d33f3c0e8bff08d

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\Qt6Widgets.dll

Filesize
5.8MB

MD5
ff2c4b667875f7da2fc805bf80d286d3

SHA1
1ef87b32699269e7a69cb68098184daea707b684

SHA256
12385663fa6a4432049692171e8cf3e74e739cd23edd2d1fc5f8dba13daa2c33

SHA512
f5879182f415149289a2d4f1b37057f77f36ce42abad7ba1353faa90f0b55035d6c2b5fe49210bd05cde76cd3a6859268983eec8c397f055939358e84402b236

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Universal\is-3AIFE.tmp

Filesize
1KB

MD5
63340c8fcb71734ce4bbac29a86821b5

SHA1
0cfd02b3e95fa482cbd4bd83b0f2d9214acc9709

SHA256
78b5fc58e6d881d16351e92d32b8cadea6b14fbf8c20c1bc7e56d02946467ae8

SHA512
fe035bb77a32d0fe9d4983d90c65d4c2600a019ac20743dbec409f29ffbfbecd8bca2d15abfffb2e71b77e3c105e248627a176942cdf9d7b98ed9113e6f73ba0

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\QtQuick\Controls\Windows\is-GNDU6.tmp

Filesize
215B

MD5
2006d4b7d0da455aa4c7414653c0018a

SHA1
6685b8360b97799aa4d6b18789bf84a343e9e891

SHA256
a96c7bf5832767bdc9d91e2290a3920aec3abfbf2e3814bce38b49483f16f84a

SHA512
703804e6fab0cf44317b7292c547a1348e2e7395e4b71367c32c3b097bcfb3344d3296179bf4ba33a4c752ae58a3873af57d8cdef35a34564205356bb4e6fd84

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\fdm.exe

Filesize
7.1MB

MD5
d196125ef7b84019dd830be5fa1f4bf5

SHA1
5571646807a2f54c6e96e832e373d8d8d55d3f09

SHA256
5c7f8211967d840b974bb91e69e5c16ef508882533545949a9330442be0008fc

SHA512
ad26682b1ce0fa4cc09cc760ca91e2873c81f4e3f71b868e28dc73c97b91056475876acbf4b5d1132762e3af4be2dabf5aae34ed3ed15a0edc6733162f4e4644

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe

Filesize
134KB

MD5
c1ce9805f633d496eb7a7d32ea3c18c4

SHA1
53eb29add150aeea7b4a82f98357cbe34b1133e0

SHA256
41afc19a2b818bcb6be2e4247211d5986a1295553402af635061f31e81058190

SHA512
5fab42edefc8f1c709b0c18d09f58655d7ba5dfd74744594cd8f8f4fcb7fc945cd22c125f1fedf927feffc916ff93289a3b0cb6d9f152025b16644bb20ac4208

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\logger.dll

Filesize
44KB

MD5
99a7fb5718d43c0e93604a02e8746d0e

SHA1
4a545161c38ca1d05a5deaffb1000ce8f0ba2fc4

SHA256
5e14c4a28ec001181f0c88204fff7fa815a564e22cc3e49929d5eee6881e3d00

SHA512
1d1d5189cb34260395e1d7ab87a0b08404d9abb567e72a5919798a3e1d0900c2efb8568986a1502d90c465a96ccd89c2664c50cdeeded939bdf45f1b2277ed43

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\service.xml

Filesize
2KB

MD5
85c61b85b0ffe2609b00379a5512790d

SHA1
2dfaf069df408819b06916381ac80b3ec097214c

SHA256
24f6062b8679b4140b5c15900deefa8ba187ed5e3c5cb8efc91b26b31769664d

SHA512
3a18c17ddcd10cd89d1c666134f13be6ed441fbe2c36a9567e894c0e1674232d5882e696ad2d385bd5eb4d50b6a1b4225bb992389aad93a77b203318293ca6fa

Download Submit
C:\Program Files\Softdeluxe\Free Download Manager\vmsclshared.dll

Filesize
675KB

MD5
5f2be7c579b9d7c255bd7faba35496a1

SHA1
dd4976dc927e60eb1ddd2e86afb44c2c1c1ad6f8

SHA256
13d18bccd025162e0de4ee816b3c7dabe0dc2c79b4312241835a6105aa5ffcde

SHA512
942c5a5372998747480a33be4eb219202f9ca363c46121b90c8043adeb4798baab73530eb79f53d7231f9c583331783892d3351fd57e766e988f75fa408b50f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF0ABA25C66CD7AC5D.TMP

Filesize
16KB

MD5
ea9c1fab76d7e27ff397f5bb80cb53d6

SHA1
9893adb6f337ff1b590af945ef9160f70d159cc8

SHA256
754a2b11766e82f9eb125c8b76c2749067b90fa47ee28a2d7d88d46d3ecdbc2d

SHA512
808a733aa9d9f0ebb203d1c13f8066ca03c2e45b2a5f33b8f8e0883c23267571d539797e3ce74e6380912affdc44d7d2a8439ec69e469def3235822bc8cb8ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MUQLR.tmp\fdm_x64_setup.tmp

Filesize
3.1MB

MD5
f1721288ae36ec36e6c843d422a060d6

SHA1
8d7dc264b9f6da3f43cbb57b4359ec395964a1f5

SHA256
8e5d5fd3b9c9a29b279c7777c752b1620570077f47b96fa89f7886584ecea1f0

SHA512
977221fde9b11f717d585a2ed2e24dffe5684b1114db39f64baa6d51557585410b770dd80c46ba5c2dd3261277ea3dca74edb81435b93d123380e4907dcc680d

Download Submit
\Program Files\Softdeluxe\Free Download Manager\Qt6Core5Compat.dll

Filesize
816KB

MD5
80df3f0de422990dca83ad9ca16e3bcd

SHA1
c6a1f755c4c64ed2546e85b8f7ea7131055116bb

SHA256
b0fb4983062f26bbb18cca4b22e410b677d0684ee37597157763090f3262a766

SHA512
f61e33434f65c53021814b3705eeec9b8b9a6b34793f47746df6b1a754fdd97e3ea80c6e19b4507bfc3ed3142beb718c05a3092a4710fcff464659bc78947737

Download Submit
\Program Files\Softdeluxe\Free Download Manager\Qt6Gui.dll

Filesize
7.4MB

MD5
dd053d4df77c90e53119cbaa524f673d

SHA1
9b14e17d44b0781acd6dff26a9921b318aa970e7

SHA256
c128872b19f0a5ba9f1adfbb9c475216d6968b622be672b703104ce574206119

SHA512
7d74a023a7eefee1f413031c5af8705f4c47639f3d6ec2d51e8c74c381766087bb3e9f3be593ffdbb4e7031100a5b71c76ebebdff8dbaabb644b2b75c80e6fb1

Download Submit
\Program Files\Softdeluxe\Free Download Manager\Qt6Multimedia.dll

Filesize
719KB

MD5
55a8c7eed8e12f2bd4dc052742564206

SHA1
13bc884cdd263b157091b63c2a41c6bab736589e

SHA256
cad5143865a4e1d58fa7b37929447a77038eb38dd74d3eb251a1ae3ae91436f2

SHA512
ca520bf7460442cdf34db9ed42577146e19d9aab5856f13c62fef44ff5fbd8f8187a51315405afa88f5be1fe545e287db7295ada37d3b809b0a8114adaf4bcbf

Download Submit
\Program Files\Softdeluxe\Free Download Manager\Qt6Qml.dll

Filesize
4.3MB

MD5
47ae262acba811c1c2e76d4cd6f89313

SHA1
fbfb253cf448ad162af03e9815ef2e7efbd50221

SHA256
2bd3b4ac35a3046d127837e857d508baca8492fe53a3ab71cb5091f4e142f7d1

SHA512
7494b969279a5e8aeeacff577a8df932f7140c39a7589d2b50c32e6374ee2d0ecafe6060b6951b8fcd2a03c041dd7a7f57656ffd4ebf95836b343e0f926fe534

Download Submit
\Program Files\Softdeluxe\Free Download Manager\Qt6Quick.dll

Filesize
4.9MB

MD5
e22387ebfe63ef698c0b557b990c70d7

SHA1
85001072bf9a7d3ead59e3a7e0e802f282ed59a9

SHA256
bfb4ba19032cacbdd746b89734add47259356a8b90cb7ba3cc53c51d7a040f48

SHA512
25913ebecb2039b9b92a523a878ea3915a3d218eadf98fb30a09a13a56dc2042dcacdcf0cdc752d6ad0a952e697244fe71f03153355cfbcef8789bf81e8251c5

Download Submit
\Program Files\Softdeluxe\Free Download Manager\Qt6QuickTemplates2.dll

Filesize
1.6MB

MD5
1d9068bec4f6c2ac35b89aa745e9e047

SHA1
f598121d338d429a05b8e8d260b4195a995d2b04

SHA256
c6d315cbaa6e7bd7ea2ecf13a72639470ba50e126ab7b6663401d90e009016c0

SHA512
49740525156fd7954bfc7bb9b3cc64fa15bcd924e7573540e1fac7d47360dbc5e99b8af6d78f39c375d2ddafaf0bacc8b1fb5afea7e566886b1d41151a1dd326

Download Submit
\Program Files\Softdeluxe\Free Download Manager\Qt6Sql.dll

Filesize
277KB

MD5
14872671585dd98ed22188252c5be1b5

SHA1
98167d06b656010216ac17bb5e813b83b5542dd6

SHA256
bb5956c39d34db758e2da5ccb3dac9afcca4d2738bfdc681769534d95b269c20

SHA512
0a3763cff851c9ec39dcc99367c04612d73cd009089f3aec8486a1e5a6c2ef6ddb18d374e0631a2ee2c59b926957206637a01f5c808bdc3967df701eef61f3eb

Download Submit
\Program Files\Softdeluxe\Free Download Manager\downloadsjsp.dll

Filesize
109KB

MD5
7b2a4760c09af4aef6d767a994869d05

SHA1
2300e2aa1a644a75b463b1dc2ed211d84efb1227

SHA256
46f99f00b5bca3219ee923d6322cd3fc20b93a256fe3823535a3d65895d809e3

SHA512
b6f892e913493522356c770c07b44202742591c5d9f03146d089531cb3601d90188237b506c29d38b309a227440b9c70399b754606ac4666363e499bc9cb387e

Download Submit
\Program Files\Softdeluxe\Free Download Manager\downloadsms.dll

Filesize
610KB

MD5
7973e296c553756e188303c6153a707b

SHA1
79e43fdd8a38fcf4567e417b00d24a76a781ffbd

SHA256
b6178d1aebb01570216755ae1b96a3a39f64b37dccf2f74853267fdfaf7c0b07

SHA512
3486cd5d23754c8a3c1707004d9919e9b471b41fa2e1c7d7928f3514a1248b24c0c8b1685f73f4efcaadcd61d59fe8616c4048f07c9bf3b0b64de5cf9feb7bc7

Download Submit
\Program Files\Softdeluxe\Free Download Manager\libcrypto-1_1-x64.dll

Filesize
2.7MB

MD5
fdac5f31d1f0376133c70e861f54de69

SHA1
f3d260fdb7fddf64eb4848f120e7cee0a2735deb

SHA256
501da04bd22b3a07a96d18b2babee760f1dcdb1c6ae803ff590c7f37885bb667

SHA512
7980645799d15d42d8f9cfc766ffdb898a4a1b9cbec9ee6b0e91aaf479af2c220663895ba0ea4afc179005835e1a2fa61f62c8710c210f42141c7f9c654b204a

Download Submit
\Program Files\Softdeluxe\Free Download Manager\msvcp140_1.dll

Filesize
23KB

MD5
0832532fab0d5c949aa0c65169aa9d61

SHA1
26f1bee679b7a6289b663c4fa4e65eba33a234e8

SHA256
8731a93e519c2595c9fd489e6d9ac07e964448c0da1c8ee9ee500a7989482617

SHA512
03147a59ee35fb3d2752d4c40741a39674ccd4474a575746bc574d2b2fae1fd04f5ab9c2e02b0dc6268fc6aee8fbb46dc4bf5ff23b5fcc4a0e9b847f57ca79d0

Download Submit
\Program Files\Softdeluxe\Free Download Manager\quazip.dll

Filesize
229KB

MD5
fb62bc6bc8d1ff137f6737ba9a46246d

SHA1
a1c63015679d036a022b7ac8412b7f5ee84bfb92

SHA256
d45ed34b358406b5ee60d599fee83c7ef1b5b9956e2d0036f5fd8c5320f796ef

SHA512
ac647dd9e6ef9078b3c32ef7ebd583eedc975c42d16510d8f1c4d995fc85896c1a58a168dadef3df4dad4d5850e425eb491f92b0815d1dc4fc4d4c7d1c543edc

Download Submit
\Program Files\Softdeluxe\Free Download Manager\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
memory/8-1508-0x000002C1574C0000-0x000002C1574D0000-memory.dmp

Filesize
64KB

Download
memory/8-1505-0x00007FF7B2EF0000-0x00007FF7B361B000-memory.dmp

Filesize
7.2MB

Download
memory/8-1506-0x00007FF8B8EF0000-0x00007FF8B93DF000-memory.dmp

Filesize
4.9MB

Download
memory/8-1507-0x00007FF8B93E0000-0x00007FF8B99A8000-memory.dmp

Filesize
5.8MB

Download
memory/216-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/216-236-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/216-1656-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1116-1685-0x00007FF8B7570000-0x00007FF8B7B38000-memory.dmp

Filesize
5.8MB

Download
memory/1468-1638-0x000002837A540000-0x000002837A542000-memory.dmp

Filesize
8KB

Download
memory/1468-1576-0x0000028374C20000-0x0000028374C30000-memory.dmp

Filesize
64KB

Download
memory/1468-1592-0x0000028375B00000-0x0000028375B10000-memory.dmp

Filesize
64KB

Download
memory/1468-1611-0x000002837A3D0000-0x000002837A3D2000-memory.dmp

Filesize
8KB

Download
memory/1468-1645-0x000002837A330000-0x000002837A331000-memory.dmp

Filesize
4KB

Download
memory/1468-1641-0x000002837A400000-0x000002837A401000-memory.dmp

Filesize
4KB

Download
memory/1804-1692-0x0000023526930000-0x0000023526D72000-memory.dmp

Filesize
4.3MB

Download
memory/1804-2125-0x0000023528A30000-0x0000023528A31000-memory.dmp

Filesize
4KB

Download
memory/1804-2924-0x0000023523000000-0x0000023523010000-memory.dmp

Filesize
64KB

Download
memory/1804-1651-0x00007FF8B7B40000-0x00007FF8B802F000-memory.dmp

Filesize
4.9MB

Download
memory/1804-1650-0x00007FF7B2EF0000-0x00007FF7B361B000-memory.dmp

Filesize
7.2MB

Download
memory/1804-1652-0x00007FF8B7570000-0x00007FF8B7B38000-memory.dmp

Filesize
5.8MB

Download
memory/1804-1654-0x0000023523000000-0x0000023523010000-memory.dmp

Filesize
64KB

Download
memory/1804-2128-0x0000023528A30000-0x0000023528A31000-memory.dmp

Filesize
4KB

Download
memory/1804-2127-0x0000023528A30000-0x0000023528A31000-memory.dmp

Filesize
4KB

Download
memory/1804-2126-0x0000023528A30000-0x0000023528A31000-memory.dmp

Filesize
4KB

Download
memory/1804-2124-0x0000023528A30000-0x0000023528A31000-memory.dmp

Filesize
4KB

Download
memory/1804-2123-0x0000023528A30000-0x0000023528A31000-memory.dmp

Filesize
4KB

Download
memory/1804-1694-0x0000023526D80000-0x0000023526F82000-memory.dmp

Filesize
2.0MB

Download
memory/1804-2122-0x0000023528A30000-0x0000023528A31000-memory.dmp

Filesize
4KB

Download
memory/1808-1510-0x00007FF8B93E0000-0x00007FF8B99A8000-memory.dmp

Filesize
5.8MB

Download
memory/1808-1511-0x000001ED695C0000-0x000001ED695D0000-memory.dmp

Filesize
64KB

Download
memory/2160-239-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2160-5-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2160-1653-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2160-1655-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2160-1625-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download