58903b06bce461163047273a495de51c399a2aed0296a2847c87ce5c9236a2e7

Analysis

max time kernel
126s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Open Video Downloader.exe
Size

120.5MB
MD5

0c8c1e64e417f7a146a7c196384cd63b
SHA1

b59393be8b692638a687baad06c313d1abdaa776
SHA256

5a497b48f329e8f70c73e7a8607fc6d1575bcf756db7fe39acbcb9d35b168f0a
SHA512

e169eb21613c61f51216cba4156462d22fc0658b7317581587e21f22968aae90d5631a16654d99ca145c3da9c71ff907154ffb01c04296a967737d9c4ba5f830
SSDEEP

1572864:11f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:gasulbg8yTnbEOz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Open Video Downloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Open Video Downloader.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Open Video Downloader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Open Video Downloader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Open Video Downloader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Open Video Downloader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Open Video Downloader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Open Video Downloader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Open Video Downloader.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3028	Open Video Downloader.exe
3028	Open Video Downloader.exe
3028	Open Video Downloader.exe
3028	Open Video Downloader.exe
3028	Open Video Downloader.exe
3028	Open Video Downloader.exe
3028	Open Video Downloader.exe
3028	Open Video Downloader.exe
3028	Open Video Downloader.exe
3028	Open Video Downloader.exe
2376	Open Video Downloader.exe
4556	Open Video Downloader.exe
2376	Open Video Downloader.exe
4556	Open Video Downloader.exe
1236	Open Video Downloader.exe
1236	Open Video Downloader.exe
1236	Open Video Downloader.exe
1236	Open Video Downloader.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3772	3028	Open Video Downloader.exe	87
PID 3028 wrote to memory of 3772	3028	Open Video Downloader.exe	87
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 316	3028	Open Video Downloader.exe	89
PID 3028 wrote to memory of 2376	3028	Open Video Downloader.exe	90
PID 3028 wrote to memory of 2376	3028	Open Video Downloader.exe	90
PID 3028 wrote to memory of 4556	3028	Open Video Downloader.exe	91
PID 3028 wrote to memory of 4556	3028	Open Video Downloader.exe	91
PID 3028 wrote to memory of 2484	3028	Open Video Downloader.exe	94
PID 3028 wrote to memory of 2484	3028	Open Video Downloader.exe	94
PID 3028 wrote to memory of 3536	3028	Open Video Downloader.exe	96
PID 3028 wrote to memory of 3536	3028	Open Video Downloader.exe	96
PID 3028 wrote to memory of 1236	3028	Open Video Downloader.exe	111
PID 3028 wrote to memory of 1236	3028	Open Video Downloader.exe	111

C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe
"C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe
  "C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\youtube-dl-gui /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\youtube-dl-gui\Crashpad --url=https://o762792.ingest.sentry.io/api/5793871/minidump/?sentry_key=ceb9de0231034eda91620bf3623a22cc --annotation=_productName=youtube-dl-gui --annotation=_version=2.4.0 --annotation=prod=Electron --annotation=sentry___initialScope={} --annotation=ver=11.5.0 --initial-client-data=0x440,0x444,0x448,0x41c,0x44c,0x7ff71e871678,0x7ff71e871688,0x7ff71e871698
  2⤵
  PID:3772
- C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe
  "C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe" --type=gpu-process --field-trial-handle=1612,6374860985983449327,2738959816499808108,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1636 /prefetch:2
  2⤵
  PID:316
- C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe
  "C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,6374860985983449327,2738959816499808108,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe
  "C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe" --type=renderer --field-trial-handle=1612,6374860985983449327,2738959816499808108,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=com.jelleglebbeek.youtube-dl-gui --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Temp\resources\app.asar\preload.js" --context-isolation --world-safe-execute-javascript --background-color=#212121 --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "ffmpeg"
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "yt-dlp"
  2⤵
  PID:3536
- C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe
  "C:\Users\Admin\AppData\Local\Temp\Open Video Downloader.exe" --type=gpu-process --field-trial-handle=1612,6374860985983449327,2738959816499808108,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2396 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\youtube-dl-gui\Crashpad\settings.dat

Filesize
40B

MD5
65ab5ae8dd6c31e6193599b5773bfa09

SHA1
7966aba6308892102a3948dd79f874138da1d8ce

SHA256
f121fd5705dd5566f6cb0e1372f7e826a8ed5ce572444c256041f54a77d24735

SHA512
626d5617a6aa23f11ab1b46029d28bdfe6efb2ca32c2b279e91d63dd5be01ff4def6c555506f274aa2a0cdc8d4f0ed41c9ca9028ab3b99b34b5f0d86afb08a01

Download Submit
C:\Users\Admin\AppData\Roaming\youtube-dl-gui\Network Persistent State

Filesize
192B

MD5
edc072a73773bc463cbefe3fc6c5b674

SHA1
87b74eadeb0591ae5a895cdf0759cb1f140726ff

SHA256
0cce818ffa2f19c705cef38686f046c76f4ad22522b646b37f74cb20c82f8e04

SHA512
559ed29dfa33ee978ee163c71d8e2abd2b8c8efe261945433188bbdc023cd6a56c3fc3dd558e595bc739cc279e654eab6f0fa2905e4f791078b90a899235afb0

Download Submit
C:\Users\Admin\AppData\Roaming\youtube-dl-gui\Network Persistent State~RFe5873b4.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
memory/316-7-0x00007FFA36180000-0x00007FFA36181000-memory.dmp

Filesize
4KB

Download