| File name: | yt-dlp.exe |
| Full analysis: | https://app.any.run/tasks/78e00a29-259f-4db6-ae1b-95582f7c9502 |
| Verdict: | Malicious activity |
| Analysis date: | July 14, 2024, 05:43:47 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows |
| MD5: | 6B7779A473CEF0FE7E5C757DA49B0EDB |
| SHA1: | 926351B36890E4D55AE64A8ED96A41D1499CA8CF |
| SHA256: | 8AFEC9F5366DA9035EC78FCCA25A42926E4675D0C6459C252EC63A3BE04CF6F1 |
| SSDEEP: | 196608:ten5+zylgy9j54iEkaAPmfadLvVEUJyl421pM:mEUj39tPmELvVEUkM |
MALICIOUS
Drops the executable file immediately after the start
- yt-dlp.exe (PID: 5584)
SUSPICIOUS
Process drops legitimate windows executable
- yt-dlp.exe (PID: 5584)
Application launched itself
- yt-dlp.exe (PID: 5584)
Executable content was dropped or overwritten
- yt-dlp.exe (PID: 5584)
The process drops C-runtime libraries
- yt-dlp.exe (PID: 5584)
Loads Python modules
- yt-dlp.exe (PID: 3628)
Process drops python dynamic module
- yt-dlp.exe (PID: 5584)
Starts CMD.EXE for commands execution
- yt-dlp.exe (PID: 3628)
Found regular expressions for crypto-addresses (YARA)
- yt-dlp.exe (PID: 3628)
INFO
Checks supported languages
- yt-dlp.exe (PID: 5584)
- yt-dlp.exe (PID: 3628)
Reads the computer name
- yt-dlp.exe (PID: 5584)
Reads the machine GUID from the registry
- yt-dlp.exe (PID: 3628)
Create files in a temporary directory
- yt-dlp.exe (PID: 5584)
Checks operating system version
- yt-dlp.exe (PID: 3628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:07:09 01:53:06+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Large address aware, No debug |
| PEType: | PE32+ |
| LinkerVersion: | 2.42 |
| CodeSize: | 90112 |
| InitializedDataSize: | 179200 |
| UninitializedDataSize: | 8192 |
| EntryPoint: | 0x13f0 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 2024.7.9.0 |
| ProductVersionNumber: | 2024.7.9.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| Comments: | yt-dlp Command Line Interface |
| CompanyName: | https://github.com/yt-dlp |
| FileDescription: | yt-dlp |
| FileVersion: | 2024.07.09 |
| InternalName: | yt-dlp |
| LegalCopyright: | pukkandan.ytdlp@gmail.com | UNLICENSE |
| OriginalFileName: | yt-dlp.exe |
| ProductName: | yt-dlp |
| ProductVersion: | 2024.07.09 on Python 3.8.10 |
Total processes
125
Monitored processes
6
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1292 | C:\WINDOWS\system32\cmd.exe /c "ver" | C:\Windows\System32\cmd.exe | — | yt-dlp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1644 | C:\WINDOWS\system32\cmd.exe /c "ver" | C:\Windows\System32\cmd.exe | — | yt-dlp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2848 | C:\WINDOWS\system32\cmd.exe /c "ver" | C:\Windows\System32\cmd.exe | — | yt-dlp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3628 | "C:\Users\admin\Desktop\yt-dlp.exe" | C:\Users\admin\Desktop\yt-dlp.exe | yt-dlp.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 5584 | "C:\Users\admin\Desktop\yt-dlp.exe" | C:\Users\admin\Desktop\yt-dlp.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 5652 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | yt-dlp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
536
Read events
536
Write events
0
Delete events
0
Modification events
Executable files
110
Suspicious files
1
Text files
20
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_chacha20.pyd | executable | |
MD5:E2AB7EECFD020CFDEBA6DD3ADD732EB7 | SHA256:85BCF0FD811ADE1396E3A93EEEF6BC6B88D5555498BA09C164FAA3092DACDEFF | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_Salsa20.pyd | executable | |
MD5:14A20ED2868F5B3D7DCFEF9363CB1F32 | SHA256:A072631CD1757D5147B5E403D6A96EF94217568D1DC1AE5C67A1892FBF61409E | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_aesni.pyd | executable | |
MD5:A914F3D22DA22F099CB0FBFBBB75DDBF | SHA256:4B4DBF841EC939EF9CC4B4F1B1BA436941A3F2AF2F4E34F82C568DFC09BA0358 | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_ARC4.pyd | executable | |
MD5:85F144F57905F68ECBF14552BAB2F070 | SHA256:28696C8881D9C9272DE4E54ABE6760CD4C6CB22AD7E3FEABAF6FF313EC9A9EAF | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_pkcs1_decode.pyd | executable | |
MD5:7FA5B1642D52FABFE1D3EBD1080056D4 | SHA256:88C7EC96B9E1D168005B3A8727AAA7F76B4B2985083ED7A9FB0A2AB02446E963 | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_aes.pyd | executable | |
MD5:E63FC8375E1D8C47FBB84733F38A9552 | SHA256:F47F9C559A9C642DA443896B5CD24DE74FED713BDF6A9CD0D20F5217E4124540 | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Hash\_BLAKE2b.pyd | executable | |
MD5:7D6979D69CD34652D5A3A197300AB65C | SHA256:2365B7C2AF8BBAC3844B7BEF47D5C49C234A159234A153515EB0634EEC0557CC | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_ecb.pyd | executable | |
MD5:1C74E15EC55BD8767968024D76705EFC | SHA256:0E3EC56A1F3C86BE1CAA503E5B89567AA91FD3D6DA5AD4E4DE4098F21270D86B | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_des3.pyd | executable | |
MD5:BA5BA714AEBFD8130EB6E0983FBAE20B | SHA256:861167DFEB390261E538D635EAD213E81C1166D8D85A496774FBF2EBFF5A4332 | |||
| 5584 | yt-dlp.exe | C:\Users\admin\AppData\Local\Temp\_MEI55842\Cryptodome\Cipher\_raw_eksblowfish.pyd | executable | |
MD5:E7826C066423284539BD1F1E99BA0CC6 | SHA256:0E18B7C2686BB954A8EE310DD5FDB76D00AC078A12D883028BFFC336E8606DA2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2060 | svchost.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3828 | RUXIMICS.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
444 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
444 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.189.173.12:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2060 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3828 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
444 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4032 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3828 | RUXIMICS.exe | 23.216.77.19:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
2060 | svchost.exe | 23.216.77.19:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
444 | MoUsoCoreWorker.exe | 23.216.77.19:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
444 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |