| File name: | yt-dlp.exe |
| Full analysis: | https://app.any.run/tasks/78e00a29-259f-4db6-ae1b-95582f7c9502 |
| Verdict: | Malicious activity |
| Analysis date: | July 14, 2024, 05:43:47 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows |
| MD5: | 6B7779A473CEF0FE7E5C757DA49B0EDB |
| SHA1: | 926351B36890E4D55AE64A8ED96A41D1499CA8CF |
| SHA256: | 8AFEC9F5366DA9035EC78FCCA25A42926E4675D0C6459C252EC63A3BE04CF6F1 |
| SSDEEP: | 196608:ten5+zylgy9j54iEkaAPmfadLvVEUJyl421pM:mEUj39tPmELvVEUkM |
MALICIOUS
Drops the executable file immediately after the start
- yt-dlp.exe (PID: 5584)
SUSPICIOUS
Process drops python dynamic module
- yt-dlp.exe (PID: 5584)
Process drops legitimate windows executable
- yt-dlp.exe (PID: 5584)
Executable content was dropped or overwritten
- yt-dlp.exe (PID: 5584)
Application launched itself
- yt-dlp.exe (PID: 5584)
The process drops C-runtime libraries
- yt-dlp.exe (PID: 5584)
Loads Python modules
- yt-dlp.exe (PID: 3628)
Starts CMD.EXE for commands execution
- yt-dlp.exe (PID: 3628)
Found regular expressions for crypto-addresses (YARA)
- yt-dlp.exe (PID: 3628)
INFO
Create files in a temporary directory
- yt-dlp.exe (PID: 5584)
Checks supported languages
- yt-dlp.exe (PID: 5584)
- yt-dlp.exe (PID: 3628)
Reads the computer name
- yt-dlp.exe (PID: 5584)
Reads the machine GUID from the registry
- yt-dlp.exe (PID: 3628)
Checks operating system version
- yt-dlp.exe (PID: 3628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:07:09 01:53:06+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Large address aware, No debug |
| PEType: | PE32+ |
| LinkerVersion: | 2.42 |
| CodeSize: | 90112 |
| InitializedDataSize: | 179200 |
| UninitializedDataSize: | 8192 |
| EntryPoint: | 0x13f0 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 2024.7.9.0 |
| ProductVersionNumber: | 2024.7.9.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| Comments: | yt-dlp Command Line Interface |
| CompanyName: | https://github.com/yt-dlp |
| FileDescription: | yt-dlp |
| FileVersion: | 2024.07.09 |
| InternalName: | yt-dlp |
| LegalCopyright: | [email protected] | UNLICENSE |
| OriginalFileName: | yt-dlp.exe |
| ProductName: | yt-dlp |
| ProductVersion: | 2024.07.09 on Python 3.8.10 |
Total processes
125
Monitored processes
6
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1292 | C:\WINDOWS\system32\cmd.exe /c "ver" | C:\Windows\System32\cmd.exe | — | yt-dlp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1644 | C:\WINDOWS\system32\cmd.exe /c "ver" | C:\Windows\System32\cmd.exe | — | yt-dlp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2848 | C:\WINDOWS\system32\cmd.exe /c "ver" | C:\Windows\System32\cmd.exe | — | yt-dlp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3628 | "C:\Users\admin\Desktop\yt-dlp.exe" | C:\Users\admin\Desktop\yt-dlp.exe | yt-dlp.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 5584 | "C:\Users\admin\Desktop\yt-dlp.exe" | C:\Users\admin\Desktop\yt-dlp.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 5652 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | yt-dlp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
536
Read events
536
Write events
0
Delete events
0
Modification events
Executable files
110
Suspicious files
1
Text files
20
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_Salsa20.pyd | executable | |
MD5:14A20ED2868F5B3D7DCFEF9363CB1F32 | SHA256:A072631CD1757D5147B5E403D6A96EF94217568D1DC1AE5C67A1892FBF61409E | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_des.pyd | executable | |
MD5:3AEA5302F7F03EDEFF49D1C119C61693 | SHA256:E5DDA67D4DF47B7F00FF17BE6541CA80BDB4B60E1F6FD1A7D7F115DDF7683EE5 | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_cbc.pyd | executable | |
MD5:6840F030DF557B08363C3E96F5DF3387 | SHA256:B7160ED222D56925E5B2E247F0070D5D997701E8E239EC7F80BCE21D14FA5816 | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_aesni.pyd | executable | |
MD5:A914F3D22DA22F099CB0FBFBBB75DDBF | SHA256:4B4DBF841EC939EF9CC4B4F1B1BA436941A3F2AF2F4E34F82C568DFC09BA0358 | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_aes.pyd | executable | |
MD5:E63FC8375E1D8C47FBB84733F38A9552 | SHA256:F47F9C559A9C642DA443896B5CD24DE74FED713BDF6A9CD0D20F5217E4124540 | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_blowfish.pyd | executable | |
MD5:883DE82B3B17F95735F579E78A19D509 | SHA256:67FF6C8BBDC9E33B027D53A26DF39BA2A2AD630ACCE1BAC0B0583CA31ADF914F | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_cast.pyd | executable | |
MD5:0AC22DA9F0B2F84DE9D2B50D457020C1 | SHA256:480C79C713AD15328E9EB9F064B90BCDCB5AAD149236679F97B61218F6D2D200 | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_cfb.pyd | executable | |
MD5:7256877DD2B76D8C6D6910808222ACD8 | SHA256:DBF703293CFF0446DFD15BBAEDA52FB044F56A353DDA3BECA9AADD8A959C5798 | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_ctr.pyd | executable | |
MD5:B063D73E5AA501060C303CAFBC72DAD3 | SHA256:98BACA99834DE65FC29EFA930CD9DBA8DA233B4CFDFC4AB792E1871649B2FE5C | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_ARC4.pyd | executable | |
MD5:85F144F57905F68ECBF14552BAB2F070 | SHA256:28696C8881D9C9272DE4E54ABE6760CD4C6CB22AD7E3FEABAF6FF313EC9A9EAF | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2060 | svchost.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3828 | RUXIMICS.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
444 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
444 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.189.173.12:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2060 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3828 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
444 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4032 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3828 | RUXIMICS.exe | 23.216.77.19:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
2060 | svchost.exe | 23.216.77.19:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
444 | MoUsoCoreWorker.exe | 23.216.77.19:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
444 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |