Malware Analysis Report

2025-01-02 07:43

Sample ID 240510-g4gd1sff2x
Target Ultimate YT Downloader Cutter.msi
SHA256 bc4d7fbcab5275cd4f3459fab23a8bfff4e6abe9f3b5d407ceb7742049f42fbc
Tags
redline https://free-yt-downloader.com infostealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

bc4d7fbcab5275cd4f3459fab23a8bfff4e6abe9f3b5d407ceb7742049f42fbc

Threat Level: Known bad

The file Ultimate YT Downloader Cutter.msi was found to be: Known bad.

Malicious Activity Summary

redline https://free-yt-downloader.com infostealer

RedLine

Enumerates connected drives

Blocklisted process makes network request

Drops file in Windows directory

Drops file in Program Files directory

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 06:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 06:21

Reported

2024-05-10 06:24

Platform

win7-20240508-en

Max time kernel

119s

Max time network

147s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Ultimate YT Downloader Cutter.msi"

Signatures

RedLine

infostealer redline

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\runtimes\win-x86\native\WebView2Loader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\x86\sqlcecompact40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Microsoft.Web.WebView2.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Syncfusion.Shared.WPF.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\amd64\Microsoft.VC90.CRT\README_ENU.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\x86\Microsoft.VC90.CRT\README_ENU.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\x86\sqlcese40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\AutoUpdater.NET.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Microsoft.Web.WebView2.Wpf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\amd64\sqlcecompact40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Newtonsoft.Json.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\System.Data.SqlServerCe.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\amd64\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\amd64\sqlceer40EN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\x86\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\System.Net.Http.Extensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\NLog.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\x86\sqlceqp40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Syncfusion.SfInput.WPF.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\runtimes\win-x64\native\WebView2Loader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\DMSkin.WPF.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\amd64\sqlceqp40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\amd64\sqlcese40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\x86\sqlceca40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\WpfAnimatedGif.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\amd64\Microsoft.VC90.CRT\msvcr90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\UrlBase64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\runtimes\win-arm64\native\WebView2Loader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\amd64\sqlceme40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Activatar.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\System.Net.Http.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\amd64\sqlceca40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\x86\Microsoft.VC90.CRT\msvcr90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\x86\sqlceer40EN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\x86\sqlceme40.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Microsoft.Web.WebView2.WinForms.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76603a.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{626452F4-B8AA-45B8-8EEA-5254120C9460}\icon.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\{626452F4-B8AA-45B8-8EEA-5254120C9460}\icon.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI62BC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6397.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6434.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f766039.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f766039.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76603c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76603a.ipi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9E0C251-0E95-11EF-805B-F637117826CF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000d720b6632469b97020d8a3fc63a3d46410a31eb666c3ae749f304c6d1244f5ba000000000e8000000002000020000000666089df480749458036515502b32726c205512cafecc949cd89b6e2ea6c887c20000000938f0adac3840c3bd122452a7d9cdc81bdf8d758e49fd876b4cc0f52f7e1c40240000000388d12c5a6617ca49e5b62328178a39679cf92b5cffabbf03d15665a62e20f2848294ed914330350824a8e8699b8a5f40a0cb3c8c02f3975b8aca3275f27e44d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0fcdd7ea2a2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\Version = "33619968" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F254626AA8B8B54E8AE254521C04906 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\PackageCode = "D68CC0C487EC9194E984EC1B3D0B989F" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7E05039D0D2AF634A975179193B7FBE4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\ProductIcon = "C:\\Windows\\Installer\\{626452F4-B8AA-45B8-8EEA-5254120C9460}\\icon.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\ProductName = "Ultimate YT Downloader Cutter" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7E05039D0D2AF634A975179193B7FBE4\4F254626AA8B8B54E8AE254521C04906 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\SourceList\PackageName = "Ultimate YT Downloader Cutter.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F254626AA8B8B54E8AE254521C04906\MainFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F254626AA8B8B54E8AE254521C04906\SourceList\Media C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe N/A
N/A N/A C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 1628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 1628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 1628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 1628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 1628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 1628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 1628 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1628 wrote to memory of 1312 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe
PID 1628 wrote to memory of 1312 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe
PID 1628 wrote to memory of 1312 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe
PID 1628 wrote to memory of 1312 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe
PID 1312 wrote to memory of 2192 N/A C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1312 wrote to memory of 2192 N/A C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1312 wrote to memory of 2192 N/A C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2192 wrote to memory of 1588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2192 wrote to memory of 1588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2192 wrote to memory of 1588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2192 wrote to memory of 1588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Ultimate YT Downloader Cutter.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 159F91DFA8318EDC4DCE52BBDCF5D95C C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000003D8"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 85A14981A4B6C02E43DB752034274705

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe

"C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://free-yt-downloader.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:80 www.microsoft.com tcp
US 8.8.8.8:53 free-yt-downloader.com udp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp
US 107.155.112.174:443 free-yt-downloader.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1400.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1412.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\MSI18B0.tmp

MD5 ecc2ea125c88d370cfbf7e9b3e8da730
SHA1 5be848f91b706c1c8dc3c0a0a068b8b1373b6769
SHA256 1afddd9333f9d503690449b0bb1079f9e1e6328bba133466a2a91469834ad518
SHA512 9495eaafab088a6c86d8ab6b7999ff1e4a4230b9400509920608284ee5e927e14e1d41ea56e4ae2481d1499254a44ca7236079eb046b5b697c2c1bf1200eff23

C:\Users\Admin\AppData\Local\Temp\MSI1A67.tmp

MD5 4b173b8e79fb7e9c2982b1ef01aa8e1e
SHA1 91bcc926825f8385d818d5b54065d44335f3ad11
SHA256 47479dea827aad287543ecd996564dccd73eff7b1d9bf8b683357a80696edd0a
SHA512 fb5ad1c117537511fe8d54029515508d8bb4f535c8077a502c914d1d8ee66c143c1f787f3a377f2198d1f2e79bd97a53bcb6c7b3da18504320afabab13e12357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bef2da45c332e2d84ce2014d2107cefc
SHA1 f32cf19db2f51e783d6ea8ae6fbb73a38dfff87d
SHA256 3147d6441942f0893de7473af6d45b21a6a5b8fa83b7f7ad825138f62e20fb8a
SHA512 cd83a550f7aa484d1004d2b2549e1ccb1c788e715b361312f3fffcabf9cf8c7de059f9d61d0176ece01c254bf12e3165321cb60fe7507427811e80a81f0f0750

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B82739147960582EB39EC59AF53E8BB5

MD5 5687f6b4522344f881ed754fa9f59230
SHA1 b26174768d6a84be9154b93a7d47f2e9122f6a23
SHA256 85ddc22dd6608b9a3498d572497bfa5666de789c57bd8665cfedd6eaaa774961
SHA512 3eac2d1540b17c50289b69e356c5a550493bc3c040348bf12f19015c022e78d8b79046ba57b174998009569aecb13d0f7b454942bc18dadbc674b0c3c047c5e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B82739147960582EB39EC59AF53E8BB5

MD5 be954f16012122448ca8bc279602acf5
SHA1 f40042e2e5f7e8ef8189fed15519aece42c3bfa2
SHA256 5367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270
SHA512 b617f4c211c33da258561c99812252fc9fa0446294680e3cd39689b1b4ba522b5bd3c03925582cb119fc4dff7cf0ed863832dc325d640bee759fea3da2118e09

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe

MD5 918729104bb4b5ce3fec09b32bb2cdf8
SHA1 b6020ac4267cbe23e434e85df9fb6979bc7f1a7f
SHA256 62797f3751b81349bd4c27c8c19ff1ae3d059ed967a8caf350f9c4ce09118a34
SHA512 3fddf5066049002bec61131290202c789393de6c4d830c868f0951ce2d217a6f2abf1f923f47694e8aa79219d944a30a55c796e3e68bc63c8281876cf93aa67f

C:\Config.Msi\f76603b.rbs

MD5 df8ab45443af73fb6fdb4f3f2e7069d5
SHA1 dbbc3c9e3c81705a3e22c0d80ccb891735624683
SHA256 6b91de11993ed0a64bc0ec654586aa580b4475bbd117f5c3557e83f7984c6ff7
SHA512 51309a469bdcb6e36361a8e2278e927e85230fb729315eea1c200d92f16918b8eb40061712003596292c443120b5d315f72ca77e41c335c0326e3c1645699726

C:\Windows\Installer\f766039.msi

MD5 c258f77dfbbb6580b38fbf744ff238e4
SHA1 33af74b935e5f48af1ffcbd893f2451a9cf1ec5f
SHA256 bc4d7fbcab5275cd4f3459fab23a8bfff4e6abe9f3b5d407ceb7742049f42fbc
SHA512 6c0eac4e36dc12c0266bf40d2ceb10972f9abecf5e80564301facb1a53623a2bd66728dd5aacbf4c87d356e5f2a6af3e9aec3d4c7cc35fa98aec1e7dfd2744c1

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\FYD.exe.config

MD5 bef761d10ce6b0717da0416195ed6c68
SHA1 51c18b6f7a6f701050dbddcc6713a14a66136e2c
SHA256 88a4d86b76638763151e4afda9d32bc3c0af065eb8f005ad825d11a8f6238737
SHA512 1c902addf0aeac5cdfdda7f3fe0a2c0cff8e3a5e00d3189889b60dea9b2fab3487db1771ff229d15a762d77ac1582de6b63dfbcee138b9e279978e3a2740f943

memory/1312-394-0x0000000000AE0000-0x0000000000C68000-memory.dmp

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\DMSkin.WPF.dll

MD5 53ea91001038cb440ac3bc9952b3497d
SHA1 2ec20d220c160b854ff0fd582002ed5853745dcf
SHA256 56f8fec98e2ac889cbdc57fdd103111f71fdfbdf952b7e449a48f0a4f3f0f572
SHA512 4b4440ae5a0d83ea8f82b4f9bff92babb7d3cea0847492e48465d8c928f6e09f0e3f7263697a4bed1055fa0f1a393cb6406f2b3a6924048c9c7efb24a734247d

memory/1312-396-0x0000000000180000-0x00000000001AA000-memory.dmp

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\System.Data.SqlServerCe.dll

MD5 de710d68f76e076e161226836792c025
SHA1 e428220184ec752b7e1318481877139c3713e4be
SHA256 7f30232a69c65bb389ded22bdff2d19ecf6624561b9470757acde80b14e2fe4d
SHA512 66c09bfaf55d69195b5807bb148b5b7199926edfe13eb342a0943545c48c529302a7d56328319db4ca49645bebf64707e6a6cabe3aeeae975ba9206063245fac

memory/1312-398-0x0000000002070000-0x00000000020E8000-memory.dmp

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\AMD64\sqlceme40.dll

MD5 2463b0154dac9ebb5792be48dd9da715
SHA1 111e26d3741d7d6bb7c13186c99e859f65374e86
SHA256 9e4c6c6fc7eee4e1ce25aae114de3434b931202491c50498ab9847e57cc01d80
SHA512 dbe4aafd2bb03986792fb569a8eb5ba2101a9161c20612b455412dfa8d5507d3fdb2b0f5becc4f7874bd4ec8867e5da5ed674f22ec80db66778442a73f0232d7

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\AMD64\Microsoft.VC90.CRT\msvcr90.dll

MD5 e4c2344e31d3c577fb2723c961069858
SHA1 572f0281081bbb7a87e491d32b4a29e2447cd75e
SHA256 4546eb9106e86e471caf0870acdd4d1fe34c2ad293f596fd55b82215b922ae14
SHA512 7f35d0f0bf6dcfb44a1cd7e07f95536010690722fd28d587450f158f87be0913f210b06efceb87d63bdaf4dad4ecc09a4cf7397f64c5284a36579a133cfd5ba1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88473d4d6e4affbd6f1fafad15b42d0f
SHA1 954384d36474dd1c086e6c2f93ef68774f2dbe18
SHA256 9cef9d3910682cf7df8e8cdff50c3436a5968b9c60824f10912783f86fbb86c5
SHA512 9aca1437926d91553ea93a7c0682b9b9b27cccbba28bf0b0da9dd87b0403788b6641d639c8d3934be7f97a832051f04c8306f870bdbcd6983fce36a4d21f061c

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\AMD64\sqlceer40EN.DLL

MD5 5b95f2033a574e491952daf40f19cdb2
SHA1 b824549e9cd1aaff10cadcc45e7a5ea289c42f8b
SHA256 b55993cd7098a4b107ba75b701dc90596ec2b30c4bee78c6a9bbb48f34ce62ab
SHA512 e68b8f77a3f8c5cb06735543029371d1d4712c2260748c2b219869ba1bad11c3a4538a2b088ce056be621808c499b1023fae05c6add876c0d55d84e7ff7543cd

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Syncfusion.Shared.Wpf.dll

MD5 0852032c746f147f3ffa1d2edca71168
SHA1 46727b799c0262741b6e1579d9e6eb591b1f4b3e
SHA256 a13b5dc35ee2aeea8d6cfc55a0f6ad65ca83a21133ccf9b9b3b26cb7bd97e1f9
SHA512 679b28a73ba397d3ead87fe1cbb6b5a17a893446478034db68ec8a2c614df6f222c79ff2f0fc32e9c42299404169d5b7a4bd2a17def990fee7cbc99ab58c02c8

memory/1312-416-0x000000001A880000-0x000000001A916000-memory.dmp

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Syncfusion.SfInput.Wpf.dll

MD5 37e4673baa12bf32f05cd41f23fc65ab
SHA1 e656b6170eb4e2b4b18390c6cba00407a128460e
SHA256 5fb4854d31b4f7a182732adcdfa5c0e1e7421746af7c1419c221882ad143a77c
SHA512 f164f39d052f915d3e96d2f9f19ca88e178ff42213d07bef71c9b7dfa8561fa31fd0342da56ff9f4b6294dd7c7aaf5cee37f0d353cf7df0ecceca645f8c08c15

memory/1312-418-0x000000001CC20000-0x000000001CF62000-memory.dmp

memory/1312-420-0x0000000000570000-0x000000000057A000-memory.dmp

memory/1312-419-0x0000000000570000-0x000000000057A000-memory.dmp

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\WpfAnimatedGif.dll

MD5 47d729b6841f1e0e510bbc7d74454b73
SHA1 bb7a519a2bf2dbfa8aef238241d6dd5c62aeed77
SHA256 b4c69be213ba3dd40e6bc819b7bfc13ab03d06d5f3efa0e4643b1b55e5a529f9
SHA512 f5ecd0cca56306273685c12ccb5af8f540161e2cffe3f639a2fa1f9de29cfebb2f6d8f8ba4ad43e02a721da30dd8e3cc911e46e4237578e026a5ba8c059429af

memory/1312-422-0x0000000000570000-0x0000000000580000-memory.dmp

memory/1312-424-0x0000000000580000-0x000000000058A000-memory.dmp

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Activatar.dll

MD5 cc7163d2b152b4fa799186c9f7101a90
SHA1 06fd59c23a06371c4a92e566592c58cec0d7f233
SHA256 0521fd3680925df577a634dd4970e17bc46ef3a37a07172ec09b77b0cc3d4eea
SHA512 28a68e7f68b22541e6327a0b806e6c21e14196a5a883958c04b530e8000d4048e43c1571947b5d765d44e61b67a409a032e5c6309ee6eda1986cd2137f0448cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbe05d7c6912321ffdae8a021fb8d75a
SHA1 ed62418e4afa200b9fa3bafc1dc3c4ee22eec095
SHA256 1669de40ade81f031cf3f8be3038ba5e80dd0cd3da788f72264d4059ea17bd40
SHA512 c997f6f72148027129fba0d7ffe20e330d08f780df06330b7a106a90e14b4cc027f5d9cf43b2aed9ed197baae3b5267f61fd42248b40638c53c7fbbaa87666e8

C:\Users\Admin\AppData\Local\FYD\FYD.exe_Url_5t0xub23sazmmuxc5dxxumghbmmlc2yy\2.1.0.0\user.config

MD5 243fdc9cb8dad2d83e80e641f9922493
SHA1 73b124a63d66f243fb865fdf6d2f2f756e706512
SHA256 8dfa912b7741e117998098fe236eea8ad39942cb4be285fb886fcf81be8c8ced
SHA512 0087a3a0d4b87eaeaab101b730218eb05f23b27c89aef1efded5387218591ff0b913ef35868d0704993e5bcb4ad0a970c9ed15d4870ea62a913c9051d14301d2

C:\Users\Admin\AppData\Local\FYD\FYD.exe_Url_5t0xub23sazmmuxc5dxxumghbmmlc2yy\2.1.0.0\user.config

MD5 17b473c2ce0840addc6efbab35df32dd
SHA1 8306c4a58b63a0313df58c421e03a37fa843ecfd
SHA256 0b81a0bab3a59eb1beb257d9773a746837a505029d4354bc5e48c9621f7e71c6
SHA512 93ff0375be2f34f5925f6e8e52f16912ebac62ff2f3109a64b63081d9c12420b486ae9dcf90c997191013d384f0046d9583f9b3dd8b53fed4513bd8101bac1b8

C:\Users\Admin\AppData\Local\FYD\FYD.exe_Url_5t0xub23sazmmuxc5dxxumghbmmlc2yy\2.1.0.0\user.config

MD5 acd9a80356247f8efb67c46243320118
SHA1 6e7b3e2ea93fca72581af26123847a0399b7e62e
SHA256 44696153318baf852afa947157c1d35ab35e8a0c0aa578ef7f435127c2da9c44
SHA512 e66f9a3c2707e78aa63d070b65d10417e847004034007ad07f03debac33ce881da399a72124b1523fa7eb24e5ee04f536fccac7c3a01bba2282e15b8fbc5446a

C:\Users\Admin\AppData\Local\FYD\FYD.exe_Url_5t0xub23sazmmuxc5dxxumghbmmlc2yy\2.1.0.0\user.config

MD5 bc4eab9d92aa452eb0ba2fd197c1ebd7
SHA1 dd9eca60270c7706c7987fcf83ded895ee4ff693
SHA256 6f6f39be68534af762c3e6bcc1c947270f4e5e4fa7cfa8fcd220c5575e753589
SHA512 bfbca3f099116958c5e046082d94464f63726e58dd67da2c943b95e320e50087c0a0b45979e80b09ab50c12dfbc452d6202c89ad8203842f559eafe430692407

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Microsoft.Web.WebView2.Wpf.dll

MD5 611c83edc9a644a30a09b0dff410908f
SHA1 b6abb1b2bb2bb13d887a7f7ff03f815772f98818
SHA256 f66bba17bae3df35d2330bc3ca252419207dd61f5a4f726151d577adc2ddb8a8
SHA512 fc819fbe97adba5b12cec93aa6e15e1921f7ab36a492d6e4f796e242bbed4dfe30135e8b05e96cb49c29a07644ec8243fc97b0bcc60102d3f7e49866877065f5

memory/1312-622-0x000000001A930000-0x000000001A93E000-memory.dmp

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\Microsoft.Web.WebView2.Core.dll

MD5 0901d7f2f8b621433f3eaee6a63cb8d1
SHA1 12bf14a2ad26f568f78e4a9304234a6a990757ba
SHA256 c6feb73ec1cb9271f2004d2586fe1833621a0fcd3d04a6fc1dcf08557d634ac0
SHA512 e428770009468c5e48e843031758d2ec2af3ceb3c0614248b17e90105415d7ddbf9783e5cfa77738731cf3aceaca788afa7405944dea0af3247ac5f0a4638b40

memory/1312-624-0x000000001BCF0000-0x000000001BD68000-memory.dmp

C:\Users\Admin\AppData\Local\FYD\FYD.exe_Url_5t0xub23sazmmuxc5dxxumghbmmlc2yy\2.1.0.0\user.config

MD5 644eab875fa598f79d7cc14b5a5fedb9
SHA1 af8bf11641fcc803c5c4eb9c1ca177652cafd266
SHA256 b580fcc8b36b4a5f0a0e9207f48d5dfc85b0f231b040986bcdf4013ed9c1c94b
SHA512 bc89466e3a31395823cd16b821afed75a3b242de4da81f5bfe96d943c08aec66d754655835905c583b84a259a248ff9011fdcd51f38809469f0a93f0cf1da438

C:\Users\Admin\AppData\Local\FYD\FYD.exe_Url_5t0xub23sazmmuxc5dxxumghbmmlc2yy\2.1.0.0\user.config

MD5 9e1200f3e5903efb89c0add3b6d11691
SHA1 d3a53bf687dca6e9d931c958c6f35fb7b6491a7a
SHA256 0c1efe11e5c0f85ff5cfc18031cd80a4cd8a8832e991fa47ede2e336c132f774
SHA512 1f4f41b1b9f578a23e2a9d35dc5dcb6690c974eae955c3c918fd1568469f07d1f91b3d68ae4ded857ce090dbf8372d916ab59a80e81f7393327e36fd3c94ad0f

C:\Users\Admin\AppData\Local\FYD\FYD.exe_Url_5t0xub23sazmmuxc5dxxumghbmmlc2yy\2.1.0.0\user.config

MD5 26e4ee71b355542183acb3670ed85bb5
SHA1 127ed6481e83147e29e793c6a99cfac5502aef62
SHA256 40cf4b4e31ea33880ee972e4f4bb1a86bfe9bcd4fbf778e212d5e67184c7eec1
SHA512 37ac0bd79f24e6ec8e7cb11751e274953331b246a9be54e98953fbb4dd199d80e30b479928a0df346512b0ae91bb0392626ab8cc1920f1375f486c0ebcda0e7b

C:\Users\Admin\AppData\Local\FYD\FYD.exe_Url_5t0xub23sazmmuxc5dxxumghbmmlc2yy\2.1.0.0\user.config

MD5 5003ba504bf31cde4614b8c83a8276bc
SHA1 da4b6c95593ced4054729bea443ee816199f59ef
SHA256 7e7dc86be2d6a4dce7ca7140bf167692933cffee45375195a2615dd62d4e2078
SHA512 8a5b6697c677e9b9e5b1e5076d00616ee8f4eb82bb028183d7511d05cafb8890525540a4c1ed8cb2f2977e8425465fdedb64fb20e77d176c9e487a980c94d2b6

C:\Users\Admin\AppData\Local\FYD\FYD.exe_Url_5t0xub23sazmmuxc5dxxumghbmmlc2yy\2.1.0.0\user.config

MD5 052ad9c6855766e131c65fe4228e1b1b
SHA1 38e11c1b263a34723a5331ebc2fdb52f759888df
SHA256 a59fdb7e311b1197e22c8cc1be10929e763ec17a6e02f5f16de6a491a960825a
SHA512 e20a8ca3c5c7025129d4b2883e120a2b409f945955242527d71178f96d6eacb38a533282b6d25c9a9692a090cb02ea1797ad45c4553bdb74ff49dff26162985b

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\AMD64\sqlcese40.dll

MD5 b9855b76ef9cef229fcd56293e80efa4
SHA1 b605f3351cf7672e060bdf33e3a4519d2cd9c935
SHA256 69902ffb63494cfdea72192073a00755f3afd17be1b5512347a8ca05f16dfdf0
SHA512 4b629173919b3e1e865ff8a8cc9bb57ff746c90be458f5806d8fb55abbaee2fbae9c45463a4a88355f8719c0906b422951533d8f1c67cd3d2bc9370aaf41db2f

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\AMD64\sqlceqp40.dll

MD5 af4e172abb526fa60d76f63bb8c6ed8b
SHA1 18f517803b1aea798813cadac07d2838b6345525
SHA256 7017da640e48baaca2b7fe60081437edbdade883327445633513d4eb6dc0208d
SHA512 ed6e6192dc91fe67a7245273642aede7f1b590271baa5acc7c1333ca1985f910bec31f664d19d02d6f1ee0360ee9f2cdad548bcc27a68fad4fff7e884a62b8c9

C:\Users\Admin\AppData\Roaming\Ultimate YT Downloader Cutter\core\library.sdf

MD5 27efafa57516658ef938d966c365cd2f
SHA1 4f45807f4adc41099dcb2985342d29e40b851bdd
SHA256 1dd01e57824c36293723db57f0c2cc2d55690a7f8070adde165b84768fd445f2
SHA512 c83fb18e029b0cdfcbdecf00d07592a0c40cc082248a0f62444ee7538d4a826fb97868696f9c75463c66ca69a6a5dbd279a50d1bbb4cdd0947d28d8f3db81510

memory/1312-685-0x000000001AFF0000-0x000000001B015000-memory.dmp

C:\Users\Admin\AppData\Roaming\Ultimate YT Downloader Cutter\core\library.sdf

MD5 519ed4a0792673eff723c36a3f30f45f
SHA1 dc5365a086caa4fc936dff9e72178fdd546bee15
SHA256 9cdda5c21be48c51effa63a1eba68c27336f2a94fabf61f33b086406958b44b2
SHA512 e064e59f6c47da2216c2f4d0008adefcf03031ce36532c87b29335a72af962ccd55fdbc998777f2ec6b8820a460f0f3fbd12148a493d9ff1e4446d882cdf13b6

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\icon.ico

MD5 46024f1baec5b1177a841a22dfce8c6c
SHA1 2faf68d6cf5324f4505f9582f82873f71344f3fb
SHA256 aa0a0219bda4b37fdb394de6cbbbebac2a7f2c777c2f57458c27777e2fbefbeb
SHA512 90e868973529a3322894cb9d0249b26b6bc0f49d3be3dd91e680091ea711425a12e18f736095280034fbe1cdb14f450f6591e909e2288ed8842b22d480391a71

C:\Program Files (x86)\Abro\Ultimate YT Downloader Cutter\AutoUpdater.NET.dll

MD5 146a6629826ffaa5cebf97fe5d797198
SHA1 1f79582cb40b2b7534437b6e0e2415a15c51ca57
SHA256 81dcab16aab930ed0c83a5896cf952e663a3c3d9c3e07b35492917362868c456
SHA512 4fa616104e16207eb9421f7dd11a49009b8d6ccdd0fd45e6b7a4760f4a94beaec0d2d3741d0a47218bf9314a0ede1f14f6c3c101b25bcc608d74328283a867c2

memory/1312-707-0x000000001BA50000-0x000000001BAC6000-memory.dmp

memory/1312-709-0x0000000000570000-0x000000000057A000-memory.dmp

memory/1312-708-0x0000000000570000-0x000000000057A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d14ea77b961b811aba2bc08c6e04278d
SHA1 4860caaa3392add44ead30b02a42acea3d912c5a
SHA256 58140d5478d609124eb8c57f7a234485df088270aa4c9b4e3c4eb0131f91c419
SHA512 ff8179fe7e45434462b416666758e2677ca564f21fa424c918044fab2d42b1c0836809c7a79dc75758cb8033b6ed4106e756951bba2b79612f6791a2a136f670

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50c5c89c9ba713d3a43fdf28ef2ed6aa
SHA1 d149b294137b084e52e7670f0adf9847e4f407c3
SHA256 6f129fb468f23d952757687bd54079e71bd95549ca1dcd049486c84229762e0c
SHA512 f984995bb865156dfa5604b6b974c99cb02340a0ebd44b827a343d7754eea47b8359897f1d54904931593e0870068b75dde758edc83a5834b2b31d69350474ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ada71f2ce1162f61c7baba123c54482b
SHA1 29caa9a1c053cfa35243df4213ef89cef37d388a
SHA256 31437eb8bd7cfa9728bb2e2079f2a9003fba1ec12ed52f0637f989673cc5ddfc
SHA512 014bd940efad40afe0a798547762784875d11224a0a701c925d7a8d2ff023c594b5294f26e77b43bbea94718d16574844aa704481f276ed0ccc544bc0749dd31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c6339e52f4bc4372eb3a3dd09ec8d3b
SHA1 ed64bed03b7d2bbe30d7fa907a0d4846b09167ec
SHA256 b2a04d5f4bfec027b220862f86dda4e7457b5a405a749aacdfa8f4e6acbc42b4
SHA512 5a1dc513fb7f320146add0db7c29edafee7259b0ed0a23117e75d1af662c8f99e3b98437fa39008b16c54951e74119565ff2001461fcf0782db8bc5166de28f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e55763acd3a248928c20f2a12bc2691
SHA1 27091b658ab55b71b0107c3343918c2ae9abf727
SHA256 0a9227e0c877182d0b137a9b230236c6ac67861c08d1d47c3577a951437c842f
SHA512 b970e15f06267962c5068582a8dcf399d75875f0fb43e6451d4b7be1e8dddd6929176adc0c23c7a7c136b26e4442769f9bf7ffb142f87bcb2ee478c31302ac22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77027ded40c99191b6bdc81838bfdb20
SHA1 167f3c2bf1f8028f8c37a6fb9d0dc232e28ba477
SHA256 caa4aee30d95380c9f2e5d7e47a4432f6fa1a83b7c6f8775e449c88667d053af
SHA512 6b3721bd946cb196e37e934ee3d3b2f5c85e9252f9d463248667dbd2a16b2df5a7f5c83132fd48ba946c4944586cd023872e6e82c329884f24efa0baa4588160

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d77a17b06c210a53a08a4b2fd940aab0
SHA1 a283bcad71732cecf8e9c1cc0c76205b1ef85f53
SHA256 bf0959c76e302976987c75631cdb1658a61109767dfc6f9a75a923f6a2d73cca
SHA512 65316ddaadf13e3f388ea3c6f871f20f6093cd865586ab6883befbab73f0369dbcde9619d07775b5e2947030766f8b7060f20becb20fa102a232418a54f087f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb6b512c6a8257b5ccca9a92580e3786
SHA1 25da073fd5495e5e5b001f8b9725449606d374b8
SHA256 e16fb99571829b62003a40d5a8ff33026406007077e079be8e5aa0fcd7501024
SHA512 032ab0ef411c5b2a9108d5bc5a395b2ed530d88ee4c8688cb06f3f9a6585dbf601ec9186e7ce8d6ec2b3912e5bb9b04866aa0a321b4998980eadb973494d78ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38fb80c0b1da020e249b8d6751907c48
SHA1 f20a9041113d98af47f34d15c19d4d4fc5359464
SHA256 f58390be409382a65fa6d9438ec567823715898e2db1de21f633d0dd92673577
SHA512 9760cc1d4f5f9e775343e4d0fe0fb50bc0489a7c03466a274d625c7675b924d237cb9d6e3afb4bf375f16cbdbf606833e15c2f9f694facfe196d51c835f41a8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 509604d824ab0c23f5fea3b6bac627ae
SHA1 2b81bad0ecd8b5fe417ee79639d1ca78fde78d54
SHA256 be46150fdf039dd062fd1b20994ffb7a85cd952e348384c2997b4de32b968d46
SHA512 6187d9c28c4fb43227791f5acb4eb40e4971c93bf3849d44c9308d1b0922c1b7162086228fd2edf2b5bcb551c55174233e46f8a00472e77d82946d0ee1901afe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0dbffdf15920958d2ac53bd376ab5823
SHA1 a2961c3c275601e785ed917819f7cb5d2bbd167f
SHA256 f2cc06e864a211249810285122aa3ac0014de49dd08c51534b91e74894311dce
SHA512 3cb07fdeeadd47b4c5ca49548834b0da73259ad3b2e872f0b60b94341eaba5873f7f4bc1f271f85be0b9df502a552034f9272d8a8321c37fa67f559ff2ff8cc7

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 06:21

Reported

2024-05-10 06:23

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

95s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Ultimate YT Downloader Cutter.msi"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1476 wrote to memory of 1884 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1476 wrote to memory of 1884 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1476 wrote to memory of 1884 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Ultimate YT Downloader Cutter.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1E727F2DC33CF75AEAA548BF7A5E5475 C

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:80 www.microsoft.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.115:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 115.107.17.2.in-addr.arpa udp
BE 2.17.107.115:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI4527.tmp

MD5 ecc2ea125c88d370cfbf7e9b3e8da730
SHA1 5be848f91b706c1c8dc3c0a0a068b8b1373b6769
SHA256 1afddd9333f9d503690449b0bb1079f9e1e6328bba133466a2a91469834ad518
SHA512 9495eaafab088a6c86d8ab6b7999ff1e4a4230b9400509920608284ee5e927e14e1d41ea56e4ae2481d1499254a44ca7236079eb046b5b697c2c1bf1200eff23

C:\Users\Admin\AppData\Local\Temp\MSI4663.tmp

MD5 4b173b8e79fb7e9c2982b1ef01aa8e1e
SHA1 91bcc926825f8385d818d5b54065d44335f3ad11
SHA256 47479dea827aad287543ecd996564dccd73eff7b1d9bf8b683357a80696edd0a
SHA512 fb5ad1c117537511fe8d54029515508d8bb4f535c8077a502c914d1d8ee66c143c1f787f3a377f2198d1f2e79bd97a53bcb6c7b3da18504320afabab13e12357