9ff0459fc38b2277c8a482cbd19ec030c56d25cde0d6c6e390ae8be902aea052

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4kvideodownloaderplus_1.7.0_x64_online.exe
Size

942KB
MD5

9b17ab76c97b378a03fbfbf29cabee6f
SHA1

faa3ee5621c53bec49892c277149d41c82a12a6c
SHA256

9ff0459fc38b2277c8a482cbd19ec030c56d25cde0d6c6e390ae8be902aea052
SHA512

a3890c6ff63d389626dfe777d3ae8a03b2f570bfe42ecc58256ae377199e5db1fcde5c2424fbd06d00113c9592f2167ec45c3be7a5e2b34c6780250b1a883cc1
SSDEEP

24576:GNsfiTdYSuVzZH9tH1v133W3ZtxEVFx+tBi5:mT2pZ133WpHEVYw

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4c7a9df0-3fe8-4b93-8934-e8c937646d4e} = "\"C:\\ProgramData\\Package Cache\\{4c7a9df0-3fe8-4b93-8934-e8c937646d4e}\\4kvideodownloaderplus_1.7.0_x64_online.exe\" /burn.runonce"	4kvideodownloaderplus_1.7.0_x64_online.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
27	2572	msiexec.exe
28	2572	msiexec.exe
30	2572	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	4kvideodownloaderplus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	4kvideodownloaderplus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	4kvideodownloaderplus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	4kvideodownloaderplus_1.7.0_x64_online.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	4kvideodownloaderplus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	4kvideodownloaderplus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	4kvideodownloaderplus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	4kvideodownloaderplus.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls.2\Page.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Desktop\ButtonStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\qtwebengine_resources.pak	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Base\GaugeStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\audio\alert.mp3	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Base\SwitchStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5WinExtras.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtGraphicalEffects\GaussianBlur.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Private\TableViewSelection.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtGraphicalEffects\RadialBlur.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtWebEngine\qmldir	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtGraphicalEffects\RectangularGlow.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5Gui.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls.2\MenuItem.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls.2\RoundButton.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\imageformats\qsvg.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtWinExtras\qmldir	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls.2\ScrollIndicator.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Base\StatusBarStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5WebEngine.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtGraphicalEffects\ThresholdMask.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls.2\TabButton.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\concrt140.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls.2\Action.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\imageformats\qwebp.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\qtwebengine_locales\en-GB.pak	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Base\images\needle.png	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Base\ComboBoxStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Desktop\SpinBoxStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Desktop\RowItemSingleton.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Private\AbstractCheckable.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Desktop\SliderStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Desktop\StatusBarStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtGraphicalEffects\private\FastInnerShadow.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Base\images\header.png	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\d3dcompiler_47.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQml\qmldir	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\BusyIndicator.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\conanmanifest.txt	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtGraphicalEffects\qmldir	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtGraphicalEffects\qtgraphicaleffectsplugin.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Base\TabViewStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\qtwebengine_locales\fi.pak	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\qtwebengine_locales\id.pak	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Base\FocusFrameStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5WebEngineCore.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\imageformats\qgif.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\qtwebengine_locales\en-US.pak	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\qtwebengine_locales\ro.pak	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\TreeView.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls.2\Menu.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\ComboBox.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Desktop\TextFieldStyle.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtWebEngine\Controls2Delegates\MenuSeparator.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Private\FocusFrame.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Base\images\progress-indeterminate.png	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\swscale-5.dll	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtGraphicalEffects\private\GaussianMaskedBlur.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\qtwebengine_locales\mr.pak	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtWebEngine\Controls1Delegates\ConfirmDialog.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\plugins.qmltypes	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\TableViewColumn.qml	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\QtQuick\Controls\Styles\Base\images\arrow-right.png	msiexec.exe
File created	C:\Program Files\4KDownload\4kvideodownloaderplus\qtwebengine_resources_100p.pak	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICCB9.tmp	msiexec.exe
File created	C:\Windows\Installer\e57aaa7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{729957EA-F7DB-4A3B-9232-8941C96E2A03}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBB1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{729957EA-F7DB-4A3B-9232-8941C96E2A03}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e57aaab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57aaa7.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5A5.tmp	msiexec.exe
File created	C:\Windows\Installer\{729957EA-F7DB-4A3B-9232-8941C96E2A03}\icon.ico	msiexec.exe

Executes dropped EXE 18 IoCs

pid	Process
3096	4kvideodownloaderplus_1.7.0_x64_online.exe
3732	4kvideodownloaderplus_1.7.0_x64_online.exe
580	msi_analytics.exe
1840	msi_analytics.exe
4988	4kvideodownloaderplus.exe
1372	crashpad_handler.exe
1184	4kvideodownloaderplus.exe
1116	crashpad_handler.exe
4836	4kvideodownloaderplus.exe
4216	crashpad_handler.exe
1176	4kvideodownloaderplus.exe
3136	crashpad_handler.exe
4796	4kvideodownloaderplus.exe
4372	crashpad_handler.exe
3760	4kvideodownloaderplus.exe
456	crashpad_handler.exe
3992	4kvideodownloaderplus.exe
4652	crashpad_handler.exe

Loads dropped DLL 64 IoCs

pid	Process
3096	4kvideodownloaderplus_1.7.0_x64_online.exe
1520	MsiExec.exe
2628	MsiExec.exe
1520	MsiExec.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
4988	4kvideodownloaderplus.exe
1372	crashpad_handler.exe
1372	crashpad_handler.exe
1372	crashpad_handler.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\Version = "17235968"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{729957EA-F7DB-4A3B-9232-8941C96E2A03}\Dependents\{4c7a9df0-3fe8-4b93-8934-e8c937646d4e}	4kvideodownloaderplus_1.7.0_x64_online.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{729957EA-F7DB-4A3B-9232-8941C96E2A03}v1.7.0.0096\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{4c7a9df0-3fe8-4b93-8934-e8c937646d4e}\ = "{4c7a9df0-3fe8-4b93-8934-e8c937646d4e}"	4kvideodownloaderplus_1.7.0_x64_online.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{729957EA-F7DB-4A3B-9232-8941C96E2A03}\ = "{729957EA-F7DB-4A3B-9232-8941C96E2A03}"	4kvideodownloaderplus_1.7.0_x64_online.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AE759927BD7FB3A4292398149CE6A230	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\PackageCode = "D5C8753C4C6A56945805F8908A7A0D99"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\SourceList\PackageName = "4kvideodownloaderplus_1.7.0_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5A0DD6B5535352E4082B644C603BE688\AE759927BD7FB3A4292398149CE6A230	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{4c7a9df0-3fe8-4b93-8934-e8c937646d4e}	4kvideodownloaderplus_1.7.0_x64_online.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{729957EA-F7DB-4A3B-9232-8941C96E2A03}\DisplayName = "4K Video Downloader+"	4kvideodownloaderplus_1.7.0_x64_online.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\ProductIcon = "C:\\Windows\\Installer\\{729957EA-F7DB-4A3B-9232-8941C96E2A03}\\icon.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{729957EA-F7DB-4A3B-9232-8941C96E2A03}v1.7.0.0096\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\ProductName = "4K Video Downloader+"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{4c7a9df0-3fe8-4b93-8934-e8c937646d4e}\Version = "1.7.0.96"	4kvideodownloaderplus_1.7.0_x64_online.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{4c7a9df0-3fe8-4b93-8934-e8c937646d4e}\DisplayName = "4K Video Downloader+"	4kvideodownloaderplus_1.7.0_x64_online.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{729957EA-F7DB-4A3B-9232-8941C96E2A03}\Version = "1.7.0.0096"	4kvideodownloaderplus_1.7.0_x64_online.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\SourceList\Media\2 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{4c7a9df0-3fe8-4b93-8934-e8c937646d4e}\Dependents\{4c7a9df0-3fe8-4b93-8934-e8c937646d4e}	4kvideodownloaderplus_1.7.0_x64_online.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{729957EA-F7DB-4A3B-9232-8941C96E2A03}	4kvideodownloaderplus_1.7.0_x64_online.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{729957EA-F7DB-4A3B-9232-8941C96E2A03}\Dependents	4kvideodownloaderplus_1.7.0_x64_online.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{4c7a9df0-3fe8-4b93-8934-e8c937646d4e}\Dependents	4kvideodownloaderplus_1.7.0_x64_online.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AE759927BD7FB3A4292398149CE6A230\Complete	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5A0DD6B5535352E4082B644C603BE688	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AE759927BD7FB3A4292398149CE6A230\SourceList	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 7 IoCs

pid	Process
4988	4kvideodownloaderplus.exe
1184	4kvideodownloaderplus.exe
4836	4kvideodownloaderplus.exe
1176	4kvideodownloaderplus.exe
4796	4kvideodownloaderplus.exe
3760	4kvideodownloaderplus.exe
3992	4kvideodownloaderplus.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2572	msiexec.exe
2572	msiexec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
2628	MsiExec.exe
2628	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2864	vssvc.exe
Token: SeRestorePrivilege	2864	vssvc.exe
Token: SeAuditPrivilege	2864	vssvc.exe
Token: SeShutdownPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeIncreaseQuotaPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeSecurityPrivilege	2572	msiexec.exe
Token: SeCreateTokenPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeAssignPrimaryTokenPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeLockMemoryPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeIncreaseQuotaPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeMachineAccountPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeTcbPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeSecurityPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeTakeOwnershipPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeLoadDriverPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeSystemProfilePrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeSystemtimePrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeProfSingleProcessPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeIncBasePriorityPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeCreatePagefilePrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeCreatePermanentPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeBackupPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeRestorePrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeShutdownPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeDebugPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeAuditPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeSystemEnvironmentPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeChangeNotifyPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeRemoteShutdownPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeUndockPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeSyncAgentPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeEnableDelegationPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeManageVolumePrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeImpersonatePrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeCreateGlobalPrivilege	3732	4kvideodownloaderplus_1.7.0_x64_online.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3096	4kvideodownloaderplus_1.7.0_x64_online.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3096	1708	4kvideodownloaderplus_1.7.0_x64_online.exe	80
PID 1708 wrote to memory of 3096	1708	4kvideodownloaderplus_1.7.0_x64_online.exe	80
PID 1708 wrote to memory of 3096	1708	4kvideodownloaderplus_1.7.0_x64_online.exe	80
PID 3096 wrote to memory of 3732	3096	4kvideodownloaderplus_1.7.0_x64_online.exe	85
PID 3096 wrote to memory of 3732	3096	4kvideodownloaderplus_1.7.0_x64_online.exe	85
PID 3096 wrote to memory of 3732	3096	4kvideodownloaderplus_1.7.0_x64_online.exe	85
PID 3732 wrote to memory of 580	3732	4kvideodownloaderplus_1.7.0_x64_online.exe	89
PID 3732 wrote to memory of 580	3732	4kvideodownloaderplus_1.7.0_x64_online.exe	89
PID 2572 wrote to memory of 1520	2572	msiexec.exe	93
PID 2572 wrote to memory of 1520	2572	msiexec.exe	93
PID 2572 wrote to memory of 1520	2572	msiexec.exe	93
PID 2572 wrote to memory of 2628	2572	msiexec.exe	94
PID 2572 wrote to memory of 2628	2572	msiexec.exe	94
PID 2572 wrote to memory of 2628	2572	msiexec.exe	94
PID 3732 wrote to memory of 1840	3732	4kvideodownloaderplus_1.7.0_x64_online.exe	95
PID 3732 wrote to memory of 1840	3732	4kvideodownloaderplus_1.7.0_x64_online.exe	95
PID 3096 wrote to memory of 4988	3096	4kvideodownloaderplus_1.7.0_x64_online.exe	98
PID 3096 wrote to memory of 4988	3096	4kvideodownloaderplus_1.7.0_x64_online.exe	98
PID 4988 wrote to memory of 1372	4988	4kvideodownloaderplus.exe	99
PID 4988 wrote to memory of 1372	4988	4kvideodownloaderplus.exe	99
PID 1184 wrote to memory of 1116	1184	4kvideodownloaderplus.exe	102
PID 1184 wrote to memory of 1116	1184	4kvideodownloaderplus.exe	102
PID 4836 wrote to memory of 4216	4836	4kvideodownloaderplus.exe	104
PID 4836 wrote to memory of 4216	4836	4kvideodownloaderplus.exe	104
PID 1176 wrote to memory of 3136	1176	4kvideodownloaderplus.exe	107
PID 1176 wrote to memory of 3136	1176	4kvideodownloaderplus.exe	107
PID 4796 wrote to memory of 4372	4796	4kvideodownloaderplus.exe	109
PID 4796 wrote to memory of 4372	4796	4kvideodownloaderplus.exe	109
PID 3760 wrote to memory of 456	3760	4kvideodownloaderplus.exe	111
PID 3760 wrote to memory of 456	3760	4kvideodownloaderplus.exe	111
PID 3992 wrote to memory of 4652	3992	4kvideodownloaderplus.exe	113
PID 3992 wrote to memory of 4652	3992	4kvideodownloaderplus.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4kvideodownloaderplus_1.7.0_x64_online.exe
"C:\Users\Admin\AppData\Local\Temp\4kvideodownloaderplus_1.7.0_x64_online.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\Temp\{5AE22A45-AB2A-459B-B5D1-B0E57E89B725}\.cr\4kvideodownloaderplus_1.7.0_x64_online.exe
  "C:\Windows\Temp\{5AE22A45-AB2A-459B-B5D1-B0E57E89B725}\.cr\4kvideodownloaderplus_1.7.0_x64_online.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\4kvideodownloaderplus_1.7.0_x64_online.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\Temp\{B8A397DB-80A9-4DE1-9E6F-BD83AA4E1B45}\.be\4kvideodownloaderplus_1.7.0_x64_online.exe
    "C:\Windows\Temp\{B8A397DB-80A9-4DE1-9E6F-BD83AA4E1B45}\.be\4kvideodownloaderplus_1.7.0_x64_online.exe" -q -burn.elevated BurnPipe.{F74FC406-9FE7-4BA7-8E38-AFC3082F3048} {C28A858F-2886-41F5-A500-75A4D36DD4F7} 3096
    3⤵
    - Adds Run key to start application
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\ProgramData\Package Cache\1B9F1CBFDB480DCC694C23FB063A4CD527E73A4D\msi_analytics.exe
      "C:\ProgramData\Package Cache\1B9F1CBFDB480DCC694C23FB063A4CD527E73A4D\msi_analytics.exe" --regkey "Software\4kdownload.com\4K Video Downloader+\Analytics" --an Wix --av 2 --ec "4K Video Downloader+" --ea "before-install" --el "x64" --af ""
      4⤵
      Executes dropped EXE
      PID:580
  - - C:\ProgramData\Package Cache\1B9F1CBFDB480DCC694C23FB063A4CD527E73A4D\msi_analytics.exe
      "C:\ProgramData\Package Cache\1B9F1CBFDB480DCC694C23FB063A4CD527E73A4D\msi_analytics.exe" --regkey "Software\4kdownload.com\4K Video Downloader+\Analytics" --an Wix --av 2 --ec "4K Video Downloader+" --ea "after-install" --el "x64" --af ""
      4⤵
      Executes dropped EXE
      PID:1840
- - C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe
    "C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Program Files\4KDownload\4kvideodownloaderplus\crashpad_handler.exe
      "C:/Program Files/4KDownload/4kvideodownloaderplus/crashpad_handler.exe" "--database=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" "--metrics-dir=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" --url=https://o354938.ingest.sentry.io/api/4505076032667648/minidump/?sentry_key=1a7e5dd848a445bd99b93ea2e155896c --annotation=format=minidump --annotation=sentry[release]=1.7.0.0096 --initial-client-data=0x5c4,0x5c8,0x5cc,0x5a0,0x5d0,0x7ff71e0102e8,0x7ff71e010300,0x7ff71e010318
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADDA490DDA84547AFDAEE8DC63F9BCA1
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A81F0D22DFD1392580335C958D4E853E E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2628

C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe
"C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Program Files\4KDownload\4kvideodownloaderplus\crashpad_handler.exe
  "C:/Program Files/4KDownload/4kvideodownloaderplus/crashpad_handler.exe" "--database=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" "--metrics-dir=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" --url=https://o354938.ingest.sentry.io/api/4505076032667648/minidump/?sentry_key=1a7e5dd848a445bd99b93ea2e155896c --annotation=format=minidump --annotation=sentry[release]=1.7.0.0096 --initial-client-data=0x5b8,0x5bc,0x5c0,0x594,0x5c4,0x7ff71e0102e8,0x7ff71e010300,0x7ff71e010318
  2⤵
  - Executes dropped EXE
  PID:1116

C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe
"C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files\4KDownload\4kvideodownloaderplus\crashpad_handler.exe
  "C:/Program Files/4KDownload/4kvideodownloaderplus/crashpad_handler.exe" "--database=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" "--metrics-dir=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" --url=https://o354938.ingest.sentry.io/api/4505076032667648/minidump/?sentry_key=1a7e5dd848a445bd99b93ea2e155896c --annotation=format=minidump --annotation=sentry[release]=1.7.0.0096 --initial-client-data=0x59c,0x5a0,0x5a4,0x578,0x5a8,0x7ff71e0102e8,0x7ff71e010300,0x7ff71e010318
  2⤵
  - Executes dropped EXE
  PID:4216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3984

C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe
"C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Program Files\4KDownload\4kvideodownloaderplus\crashpad_handler.exe
  "C:/Program Files/4KDownload/4kvideodownloaderplus/crashpad_handler.exe" "--database=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" "--metrics-dir=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" --url=https://o354938.ingest.sentry.io/api/4505076032667648/minidump/?sentry_key=1a7e5dd848a445bd99b93ea2e155896c --annotation=format=minidump --annotation=sentry[release]=1.7.0.0096 --initial-client-data=0x5a8,0x5ac,0x5b0,0x584,0x5b4,0x7ff71e0102e8,0x7ff71e010300,0x7ff71e010318
  2⤵
  - Executes dropped EXE
  PID:3136

C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe
"C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Program Files\4KDownload\4kvideodownloaderplus\crashpad_handler.exe
  "C:/Program Files/4KDownload/4kvideodownloaderplus/crashpad_handler.exe" "--database=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" "--metrics-dir=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" --url=https://o354938.ingest.sentry.io/api/4505076032667648/minidump/?sentry_key=1a7e5dd848a445bd99b93ea2e155896c --annotation=format=minidump --annotation=sentry[release]=1.7.0.0096 --initial-client-data=0x5ac,0x5b0,0x5b4,0x588,0x5b8,0x7ff71e0102e8,0x7ff71e010300,0x7ff71e010318
  2⤵
  - Executes dropped EXE
  PID:4372

C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe
"C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Program Files\4KDownload\4kvideodownloaderplus\crashpad_handler.exe
  "C:/Program Files/4KDownload/4kvideodownloaderplus/crashpad_handler.exe" "--database=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" "--metrics-dir=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" --url=https://o354938.ingest.sentry.io/api/4505076032667648/minidump/?sentry_key=1a7e5dd848a445bd99b93ea2e155896c --annotation=format=minidump --annotation=sentry[release]=1.7.0.0096 --initial-client-data=0x5a4,0x5a8,0x5ac,0x580,0x5b0,0x7ff71e0102e8,0x7ff71e010300,0x7ff71e010318
  2⤵
  - Executes dropped EXE
  PID:456

C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe
"C:\Program Files\4KDownload\4kvideodownloaderplus\4kvideodownloaderplus.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Program Files\4KDownload\4kvideodownloaderplus\crashpad_handler.exe
  "C:/Program Files/4KDownload/4kvideodownloaderplus/crashpad_handler.exe" "--database=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" "--metrics-dir=C:/Users/Admin/AppData/Local/4kdownload.com/4K Video Downloader+/4K Video Downloader+/../crashdb" --url=https://o354938.ingest.sentry.io/api/4505076032667648/minidump/?sentry_key=1a7e5dd848a445bd99b93ea2e155896c --annotation=format=minidump --annotation=sentry[release]=1.7.0.0096 --initial-client-data=0x5ac,0x5b0,0x5b4,0x588,0x5b8,0x7ff71e0102e8,0x7ff71e010300,0x7ff71e010318
  2⤵
  - Executes dropped EXE
  PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57aaaa.rbs

Filesize
125KB

MD5
f91dcb8c72568c6448a96ae299be85f2

SHA1
76cffc9e6792f95563da0f6180629760e89cdc1f

SHA256
6e841f547989d464e4afee9ca2d8a28619021266229d469f1b349b4e33e5f32c

SHA512
13b8c3f14cb7dbf58c1608dda055aa6fc7a5c67bd139bc31c59834e1018412e999636cee2e675d0eb8c22753966b0cb3c39b5cf1e7cce73e15edb4769ceb7c56

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5Core.dll

Filesize
7.7MB

MD5
9c1ecf03c14af50b445f4a679d90bac4

SHA1
bf43f0bf8ec52f7cfdfb441edf0f131862ce8b5d

SHA256
0491c25bcbf0dd2a7bc590af925c152eb08a533c8005d5dde32faa3a1439253b

SHA512
651ab6286004dd6c5c41cf0e9929779934f025da2f4170c1c5972af7416af1c3afe32114cd60b3bed852fc5bf8a415ae6851f6102bfb5c4720e1698ea0ae013a

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5Gui.dll

Filesize
6.5MB

MD5
4584320c923505da902b8b4622d11c28

SHA1
76ece4a164eb375d8204eafe3110338143106ebe

SHA256
ee1db564c4b429f35926c9e8f145a62ba4e4aba2dc45a610e93b344e1c30673a

SHA512
65b89485aec34eaac89f99d5c4fcf3e8b37fcfa173e5d2c831b6ec3200c21efb03126472c8cc61b648daf2bbe85e2a0083876fdff4e3a133142582e1159e6574

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5Multimedia.dll

Filesize
733KB

MD5
5921cd02df46cd56990bae988fc19715

SHA1
db404ac50563a12565f73bc6241881cc03360eeb

SHA256
7e07174036c34ec5f851f3151b20efe238134316d25313ed1c0521e95cc50261

SHA512
3b224398ded6842d06a3bfe0d0c35e2a1ee426a1155a5b14405719a7149f93ae7600c9823ff25525eab8fe4a52ea0ada4e0565b008d690dc7c202d44dd65c017

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5Network.dll

Filesize
1.3MB

MD5
58a22c03b1fa2caecbeebe8851d5a641

SHA1
39af942dab52259de39aa4d119ca0936c2bf3f79

SHA256
88486ce20f3ccdaeb9ef9ab4c7b3046de8fe0bc47cb61ab5f0cf92bf36231043

SHA512
463e5c03fb8668285920ed44b1c61b03e603ea5efbad0d4692660ee4320d068f80a97f7e92209610971ceaff7a1853e7bea351b1850e6765083b902e9e9283de

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5Qml.dll

Filesize
3.4MB

MD5
9fbd3a81a04c3f4f729ba98d978693e8

SHA1
4091d01dcc8b3056d79e8c797c6edb309d7c8073

SHA256
a4ba9451ab04754b73ec77ad0f848373a834467094cb3990cddfa3cb8f8c1f55

SHA512
2f9ff1397a5d04e6c5f0f772dbb6daf4bf76a64e26c0d1cb62fea261a0a2c6ef19b1acbdff4c57384a2c5dbf9b5756db2df1459bf95366c898a498c532fee71e

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5Quick.dll

Filesize
4.0MB

MD5
3945d58a350d379b66f44d2ec25b3350

SHA1
49485f8cf4bb295b552f197313873a354617c6da

SHA256
d0e8e0438158641bb86b37fa5e048c8f802698a872ffe78abd1af2ee27780481

SHA512
9bfb42fb98627498ec9f16504d2f25086906c3b962d3d4aed970066745998e18a3694e12374e01edc8ff18379cab683ac517f1235d11715591cd37f8cf7a2853

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5WebChannel.dll

Filesize
133KB

MD5
5ed392b1375d08b83fb3a332bdca4f3c

SHA1
4d0c3f906187286d3d8c5f2f306430ef2c3f4b0a

SHA256
ff80bcda5b1292a5a42d4fe28e515efb1a0ad3731a7252934ce5438f7f1652d6

SHA512
11bf2f9f67be97ed9b75db1abfbc1beee8137f47f0b57b84529c31e1819b1d5e7c3a1ffd8568c9c7b721eb4d4fd78c47e71fa954c8a1ea0bb767c4a3a16039a5

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5WebEngine.dll

Filesize
374KB

MD5
e1e0d151fd2a4df962fddd896c04638b

SHA1
1741d9b6f50bb4f3afc77c54878f542c4e484764

SHA256
845e3a40cb30271fcfdae9b75cb5fbfab1805717c26089a3276cd99ab0b55acd

SHA512
8c41fa3afa97ef248fe4550762b68a0465bcce09625bd5bdba13b260a28c06cb283ec30e74b38e86e02ac33a3ce213ed4b788d97e59aa054fe3081568ba215e6

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5WebEngineWidgets.dll

Filesize
247KB

MD5
0038299803317092a2d19fb2c2bfea30

SHA1
bc7baf3bb22345058991a70383ae68c0c012adfd

SHA256
554a5fbbd78bc2f2b22820bc012c1bc0d616b1f67796815f3751ff628a2c7a17

SHA512
d47a47704be1a5c2e8fffbdcd12027c145c893920aa1c3a171b604734bb07bb71197232a9934357903e6099578e8c7f6d5527fdeae692725c8007bba9e4aeee8

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5Widgets.dll

Filesize
5.3MB

MD5
4b936f00b0baaf5d28ac8628fab2eebc

SHA1
26e3e064ab94dbf74f9a4089cfe44fe512aaa77e

SHA256
04e9ec1d91aac38895e21a5bee7460ab2042ce552b25fa7cbb58f25effdc4728

SHA512
73b19d0219ccd72dac156c3ce9f0f593a6b20baeb9d13b2e2a035598d9171c055d9516c8f4355056af17a4d3120786cf7a9a05d0e1e36daa239e7f3a8980e1ac

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\Qt5Xml.dll

Filesize
212KB

MD5
e78a5bd01b97d0559c916362119319a3

SHA1
a7b4ed115013cc9f6863e67e1eb069beb1903a76

SHA256
2ded37fdb409d75a5ab8944c000b4e09459777af5e470e2e972e28c49a032f4f

SHA512
a397dca72ab7bae76c801e8fdd197d58641b3ad83fa7cb6df4b5b557cbc5600b5e4aaa8ca50766465165a6166b91fb3a74cde99f5f70576f96b9ab70b587e0dd

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\avcodec-58.dll

Filesize
26.1MB

MD5
fd477558197aae4b0b45f118fa2e8b10

SHA1
d5992a61e6b751d085bbba068c1eb8de6a742aad

SHA256
8a9e78c87a9ab87c754a5402449f5bba91153af8495f2e723eb27bab93b2b39d

SHA512
51e991fd6b141047e90bd3d1f76d1973b1db5be04c99be0165e61b5372eb364bd1f88403a08b5e5ddc1447c71e67bf5263653b58fa9ada917854c6b44c9b1f2d

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\avformat-58.dll

Filesize
2.2MB

MD5
fbc57a71569296384d453a613bc0d268

SHA1
600709fb253cc83c05f6d32275e48377bf5df0ca

SHA256
8148e18579dfd21038aa341d54996f158f503612de2990a88e95b0f13dba2090

SHA512
3af21831fb4194802c3adf60d0bcc54f8f6b496ae8d40077b3aa67b101f687e838c10771d00d5df44be61e25774ce8f93b4567fde49d5d62deacf30a2a64544c

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\avutil-56.dll

Filesize
567KB

MD5
a874eafa8258e7fe7e383542a7d2c556

SHA1
7d8eae9e672b370cb0d542903a21989c50a7e654

SHA256
e8fc9d7c7738f0b46f6b27afe8ea52cb0abff9b436ff61179a592ec07a052644

SHA512
502d76fe15375594ae0f17600cc2b7927e0336725e5dd214d11f5c11a08c735d99c95203df603a5a7220bf9833ccbb2fa736f5be80cdca27e4de14be023cfd71

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\libcrypto-1_1-x64.dll

Filesize
3.1MB

MD5
6aec069100841113fab40a7497d922c5

SHA1
390dda02a663d4beaaea7de2b81076a57791aa2f

SHA256
1a8fa8e92808071ad831066c8c889180e9c6933bb3c8bebfe5d4605cb0e6001e

SHA512
42c3d19f030ab52b125842c873f2a54150385aa5cc10f4cb1e35039f051ba1a696b0b54448e719141ac5c4065bfb4af3ce2d238d61b096effb906a8077e8478b

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\libssl-1_1-x64.dll

Filesize
645KB

MD5
2989d89c2c7c8d9206d8279273702b6e

SHA1
5ce76e8a7bb5f27d158b7687dc7b260d44c2b01e

SHA256
237f97444b8be89d1a21d456dfad3a2f31e0516fd7775a7d5b8b59811d11b5e7

SHA512
de984ac5a03c7ca3acce438b2530f68f6a88aa9423d8509f992aa23f3d7e4048671fdc0978160526b5b1861b2f6fc03671211e13310d4c82eabae9061dcbf574

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\msvcp140.dll

Filesize
568KB

MD5
9c5b73e8f95f39eabe363fb9f6c2f5c2

SHA1
35e22106f54c62e27554eb56f70ef127f53d91e6

SHA256
b0a47d07a5c10babd9f34d3d3e894a43b166f0526cd15b30a26e5d80651d0146

SHA512
2d7acd13f7681a88a392ded3b814da13311967737de8c00345fe0a73597c9b64224f78d9c6296244f78bd032989d05a421e16ab1ce474ba5c3cbfc23eea6a85f

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\msvcp140_1.dll

Filesize
44KB

MD5
f08be14d9db1c6fa4ea5b65039ad43bb

SHA1
0d19482c51705a6ae9b04ebdb7372d62ef2c981e

SHA256
d905847bfcf9ca207dbe591db52c603e3b197b243d86ca4d2355fe10eedf4adc

SHA512
a224d81c8a6d3b4e767241751caea2c8bd2a70c1fb45e8ac850dff2832f6f89b03420f6a2d4dc778229b3a5300d3774860b134722229d89d3f2874a1d1854f7e

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\portaudio_x64.dll

Filesize
275KB

MD5
77dc1dc2e8412940030d4233236af2da

SHA1
6ea2b6071be0e7b7683ec83920cd84ce1885ffa2

SHA256
4ddc7506e508cc348b09dc9023f843cf2605fb63d206df28402450419d2db7b9

SHA512
9f74ef79d5ab8a36bd5af04dec66bc2d85ad7f070067680a48cbf9402f2f5cdcff58072861ea550e1fc8e50dffa500a6fefe1fb98f7f2fb5caa3189358d472df

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\swresample-3.dll

Filesize
186KB

MD5
dd33dec8e7548c6a30850ddc94354dc3

SHA1
33cde479e61a9c59f58de0edb444ba1221405ea8

SHA256
6798dbc7a3031a2d2585020366a480ce7be56fc9e3f4c5d2d0571521f12548c0

SHA512
ac11e0d7e58664625bc71f162ad3ddc867a3a2e28225d8019d569a676493d81ad69071f9dc84bc5a22c3eab962b66f423ac1559738f449dfa258f8b98f0615d0

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\swscale-5.dll

Filesize
672KB

MD5
3eb454124864b38dc65f0911508ce290

SHA1
50c49496a61c8b68d88e267be692cd3b3315f9e4

SHA256
f6f1bde19400146f9d1e0298d8c4737bfc95ae37782010cd6676c469aa4085f7

SHA512
4fc77ed9b39a8e37a4955e44fdaee1dcc6699d695d19434c571127683452b0edc848a983d6a9893445956684d2ab8d36be551c99d2126c17a4aacba64247d53e

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\vcruntime140.dll

Filesize
125KB

MD5
15fadc3d1124a8abd466292faac945ac

SHA1
aea1703e1ff123394756fbf5bebc08b036593e7b

SHA256
6bbf02b1a92a3f2c1a653d5cff0e9989a74ea18c41c7908d74112fbc49cd8de9

SHA512
083de2a6f8fe6d1ffc6e1cdad863adabe33cd7c1a46d33a9b9b82d6e352e04e6be1c9d351b20a98cf2840c71600ca946aa767ecf32d76fe71e4d13a4e768dcd2

Download Submit
C:\Program Files\4KDownload\4kvideodownloaderplus\vcruntime140_1.dll

Filesize
57KB

MD5
566caf0bbe0c561bd410aecb37ee1583

SHA1
8e22dd6a937b2f861250340112f9c2cc682cbfa8

SHA256
2c32ef3d33b0c41c279cd2009c28a41b962acaf16be5abccaaa317d6b163f825

SHA512
013e55538ce4ed86e0b9f3b5a5fb0a162e58764e851eec6b2fa933a91ddd17664bf5f44efe50f90ac7f03b08c88a7c70c454ed519b9e7b25ccbf5f2bd2d6ca70

Download Submit
C:\Users\Admin\AppData\Local\4kdownload.com\4K Video Downloader+\crashdb\settings.dat

Filesize
40B

MD5
e878823fc09a25ee317c61e875ea820d

SHA1
16f43d42e8051303178658d2b8ae88c74003f1bd

SHA256
83a7ea65a7fff2a231a420e232f826e88846a9ad050eec504e52aa3e46236fba

SHA512
44fe0899181056a7c8c485cc795d4a54e82fbb2397015bb6dcf4c3487310079a90d3483215f0e1f8bdd544a5f846c47cba355256053f746d8188861a106327d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4K_Video_Downloader+_20240612074552_001_application_msi.log

Filesize
2KB

MD5
6c0869f366670fc53daf1b51eb000532

SHA1
91aedfd4c00afdb1393e01049e7cc2517a1b1b03

SHA256
9efe11cd66fd0cb3c3b8288c7034a804012c4349e04d6e91f9c1ae76f08a097e

SHA512
8bf07d01f0715a5be34ecaf4d580cb431207467a5447789e6ba0788f80f1c058f73a5778374524efc742086b54e6c35e6a10fe25d8c5f6d847f63425e60ef528

Download Submit
C:\Windows\Installer\MSIB5A5.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Temp\{5AE22A45-AB2A-459B-B5D1-B0E57E89B725}\.cr\4kvideodownloaderplus_1.7.0_x64_online.exe

Filesize
912KB

MD5
e83689afc95273f9cf2928424da6820c

SHA1
264659a713d78e2f068f7121668bba3479de68b7

SHA256
073f475e4e198f72faa0656bd09f0a22b93d1a922232297d8f22989bfebc4e63

SHA512
dda83a6ede0278fb15f3c82d59ba38749f2744f291ebe266a8248772642bcfe4e1ad1f242a1b8fbc281dda2bbe7d7e41619ba4c8d4156ab0574a29adb195abaa

Download Submit
C:\Windows\Temp\{B8A397DB-80A9-4DE1-9E6F-BD83AA4E1B45}\.ba\logo.png

Filesize
4KB

MD5
20986fecad1c10339e192993e72bbc4e

SHA1
ca627fc0a6e96c2021da63e71d5d05d45b9894b9

SHA256
2fab77079c0e9e6bae57c3f783936243a6f43550d08cab690c09b4409d4ea669

SHA512
4cbe6c6cfef20a770e6cb9303ceddf1f0b53a5c1a8a26a9c769fe72735a36a9646f6937c6f8af26d42b0bf9860638af80cb201e6551d41fd2c813bbda39d5990

Download Submit
C:\Windows\Temp\{B8A397DB-80A9-4DE1-9E6F-BD83AA4E1B45}\.ba\wixstdba.dll

Filesize
184KB

MD5
fe7e0bd53f52e6630473c31299a49fdd

SHA1
f706f45768bfb95f4c96dfa0be36df57aa863898

SHA256
2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80

SHA512
feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

Download Submit
C:\Windows\Temp\{B8A397DB-80A9-4DE1-9E6F-BD83AA4E1B45}\msi_analytics_begin

Filesize
47KB

MD5
34fd9432d20b5a04c5cd57bc0c8abfa2

SHA1
1b9f1cbfdb480dcc694c23fb063a4cd527e73a4d

SHA256
6869d5df0b0c0b6ea7923efe19885f4c2b6e523f32a637e78abb27f931c4de3c

SHA512
2d9340ac60dc2cf7f7594c51eb1f3a3d27c24250158d95ff62991457305251599a6e235f480b467947a5070c68a83a0ddb81e73f104aa3036bb3183c966b86dc

Download Submit
memory/1176-625-0x00007FF87DC80000-0x00007FF87E082000-memory.dmp

Filesize
4.0MB

Download
memory/1176-624-0x00007FF880F70000-0x00007FF8814BE000-memory.dmp

Filesize
5.3MB

Download
memory/1184-609-0x00007FF880F70000-0x00007FF8814BE000-memory.dmp

Filesize
5.3MB

Download
memory/1184-610-0x00007FF87DC80000-0x00007FF87E082000-memory.dmp

Filesize
4.0MB

Download
memory/1184-612-0x00007FF87DC80000-0x00007FF87E082000-memory.dmp

Filesize
4.0MB

Download
memory/3760-639-0x00007FF880F70000-0x00007FF8814BE000-memory.dmp

Filesize
5.3MB

Download
memory/3760-640-0x00007FF87DC80000-0x00007FF87E082000-memory.dmp

Filesize
4.0MB

Download
memory/3992-647-0x00007FF87DC80000-0x00007FF87E082000-memory.dmp

Filesize
4.0MB

Download
memory/3992-646-0x00007FF880F70000-0x00007FF8814BE000-memory.dmp

Filesize
5.3MB

Download
memory/4796-631-0x00007FF880F70000-0x00007FF8814BE000-memory.dmp

Filesize
5.3MB

Download
memory/4796-632-0x00007FF87DC80000-0x00007FF87E082000-memory.dmp

Filesize
4.0MB

Download
memory/4836-618-0x00007FF87DC80000-0x00007FF87E082000-memory.dmp

Filesize
4.0MB

Download
memory/4836-617-0x00007FF880F70000-0x00007FF8814BE000-memory.dmp

Filesize
5.3MB

Download
memory/4988-593-0x00007FF87DC80000-0x00007FF87E082000-memory.dmp

Filesize
4.0MB

Download
memory/4988-594-0x00007FF714C60000-0x00007FF715C60000-memory.dmp

Filesize
16.0MB

Download
memory/4988-592-0x00007FF880F70000-0x00007FF8814BE000-memory.dmp

Filesize
5.3MB

Download