| File name: | freetube-0.22.0-setup-x64.exe |
| Full analysis: | https://app.any.run/tasks/90fb3e6b-a680-456f-ac06-1fa982f033c1 |
| Verdict: | Malicious activity |
| Analysis date: | November 07, 2024, 04:31:42 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | 4BA2D4200C7A9218052100ED21031E2B |
| SHA1: | 18814638BBEC9B7BD3FE935068B43ACDD022C1A6 |
| SHA256: | C4A643228CD9AED87F3448CDC1B8F54117A77AEF611609E00C482BF65D1A152D |
| SSDEEP: | 786432:s16yfnh/mBhZ8uKqFUxGN1h1EMxkfkrXb2+mHgUpyF:sNnh/mBhdKqFUMNhe8v2+mHz+ |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executable content was dropped or overwritten
- freetube-0.22.0-setup-x64.exe (PID: 4956)
Drops 7-zip archiver for unpacking
- freetube-0.22.0-setup-x64.exe (PID: 4956)
Reads security settings of Internet Explorer
- freetube-0.22.0-setup-x64.exe (PID: 4956)
Creates a software uninstall entry
- freetube-0.22.0-setup-x64.exe (PID: 4956)
Malware-specific behavior (creating "System.dll" in Temp)
- freetube-0.22.0-setup-x64.exe (PID: 4956)
The process creates files with name similar to system file names
- freetube-0.22.0-setup-x64.exe (PID: 4956)
Application launched itself
- FreeTube.exe (PID: 7144)
Starts CMD.EXE for commands execution
- freetube-0.22.0-setup-x64.exe (PID: 4956)
Get information on the list of running processes
- cmd.exe (PID: 4292)
- freetube-0.22.0-setup-x64.exe (PID: 4956)
Process drops legitimate windows executable
- freetube-0.22.0-setup-x64.exe (PID: 4956)
INFO
Checks supported languages
- freetube-0.22.0-setup-x64.exe (PID: 4956)
- FreeTube.exe (PID: 7144)
- FreeTube.exe (PID: 4816)
- FreeTube.exe (PID: 2684)
- FreeTube.exe (PID: 6240)
Creates files or folders in the user directory
- freetube-0.22.0-setup-x64.exe (PID: 4956)
- FreeTube.exe (PID: 7144)
- FreeTube.exe (PID: 4816)
Manual execution by a user
- FreeTube.exe (PID: 7144)
Reads the computer name
- FreeTube.exe (PID: 7144)
- FreeTube.exe (PID: 2684)
- FreeTube.exe (PID: 4816)
- freetube-0.22.0-setup-x64.exe (PID: 4956)
Process checks computer location settings
- FreeTube.exe (PID: 7144)
- FreeTube.exe (PID: 6240)
Checks proxy server information
- FreeTube.exe (PID: 7144)
Reads the machine GUID from the registry
- FreeTube.exe (PID: 7144)
Create files in a temporary directory
- FreeTube.exe (PID: 7144)
- freetube-0.22.0-setup-x64.exe (PID: 4956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:12:15 22:26:14+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 473088 |
| UninitializedDataSize: | 16384 |
| EntryPoint: | 0x338f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.22.0.0 |
| ProductVersionNumber: | 0.22.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | PrestonN |
| FileDescription: | A private YouTube client |
| FileVersion: | 0.22.0 |
| LegalCopyright: | Copyleft © 2020-2024 freetubeapp@protonmail.com |
| ProductName: | FreeTube |
| ProductVersion: | 0.22.0 |
Total processes
123
Monitored processes
9
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2684 | "C:\Users\admin\AppData\Local\Programs\FreeTube\FreeTube.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\FreeTube" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1848,i,3760306284014865114,16894881573375648642,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1836 /prefetch:2 | C:\Users\admin\AppData\Local\Programs\FreeTube\FreeTube.exe | — | FreeTube.exe | |||||||||||
User: admin Company: PrestonN Integrity Level: LOW Description: A private YouTube client Version: 0.22.0 Modules
| |||||||||||||||
| 3620 | "C:\WINDOWS\system32\find.exe" "FreeTube.exe" | C:\Windows\SysWOW64\find.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4292 | "C:\WINDOWS\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq FreeTube.exe" /FO csv | "C:\WINDOWS\system32\find.exe" "FreeTube.exe" | C:\Windows\SysWOW64\cmd.exe | — | freetube-0.22.0-setup-x64.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4432 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4816 | "C:\Users\admin\AppData\Local\Programs\FreeTube\FreeTube.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\FreeTube" --standard-schemes=app --secure-schemes=app --fetch-schemes=app --field-trial-handle=2260,i,3760306284014865114,16894881573375648642,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:3 | C:\Users\admin\AppData\Local\Programs\FreeTube\FreeTube.exe | FreeTube.exe | ||||||||||||
User: admin Company: PrestonN Integrity Level: MEDIUM Description: A private YouTube client Version: 0.22.0 Modules
| |||||||||||||||
| 4956 | "C:\Users\admin\Desktop\freetube-0.22.0-setup-x64.exe" | C:\Users\admin\Desktop\freetube-0.22.0-setup-x64.exe | explorer.exe | ||||||||||||
User: admin Company: PrestonN Integrity Level: MEDIUM Description: A private YouTube client Exit code: 0 Version: 0.22.0 Modules
| |||||||||||||||
| 6240 | "C:\Users\admin\AppData\Local\Programs\FreeTube\FreeTube.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\FreeTube" --standard-schemes=app --secure-schemes=app --fetch-schemes=app --app-path="C:\Users\admin\AppData\Local\Programs\FreeTube\resources\app.asar" --no-sandbox --no-zygote --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2948,i,3760306284014865114,16894881573375648642,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2944 /prefetch:1 | C:\Users\admin\AppData\Local\Programs\FreeTube\FreeTube.exe | — | FreeTube.exe | |||||||||||
User: admin Company: PrestonN Integrity Level: MEDIUM Description: A private YouTube client Version: 0.22.0 Modules
| |||||||||||||||
| 6332 | tasklist /FI "USERNAME eq admin" /FI "IMAGENAME eq FreeTube.exe" /FO csv | C:\Windows\SysWOW64\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7144 | "C:\Users\admin\AppData\Local\Programs\FreeTube\FreeTube.exe" | C:\Users\admin\AppData\Local\Programs\FreeTube\FreeTube.exe | — | explorer.exe | |||||||||||
User: admin Company: PrestonN Integrity Level: MEDIUM Description: A private YouTube client Version: 0.22.0 Modules
| |||||||||||||||
Total events
2 339
Read events
2 307
Write events
14
Delete events
18
Modification events
| (PID) Process: | (4956) freetube-0.22.0-setup-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\609c326f-6a5e-5cd1-9fc0-6e966fad073f |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\Programs\FreeTube | |||
| (PID) Process: | (4956) freetube-0.22.0-setup-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\609c326f-6a5e-5cd1-9fc0-6e966fad073f |
| Operation: | write | Name: | KeepShortcuts |
Value: true | |||
| (PID) Process: | (4956) freetube-0.22.0-setup-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\609c326f-6a5e-5cd1-9fc0-6e966fad073f |
| Operation: | write | Name: | ShortcutName |
Value: FreeTube | |||
| (PID) Process: | (4956) freetube-0.22.0-setup-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\609c326f-6a5e-5cd1-9fc0-6e966fad073f |
| Operation: | write | Name: | DisplayName |
Value: FreeTube 0.22.0 | |||
| (PID) Process: | (4956) freetube-0.22.0-setup-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\609c326f-6a5e-5cd1-9fc0-6e966fad073f |
| Operation: | write | Name: | UninstallString |
Value: "C:\Users\admin\AppData\Local\Programs\FreeTube\Uninstall FreeTube.exe" /currentuser | |||
| (PID) Process: | (4956) freetube-0.22.0-setup-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\609c326f-6a5e-5cd1-9fc0-6e966fad073f |
| Operation: | write | Name: | QuietUninstallString |
Value: "C:\Users\admin\AppData\Local\Programs\FreeTube\Uninstall FreeTube.exe" /currentuser /S | |||
| (PID) Process: | (4956) freetube-0.22.0-setup-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\609c326f-6a5e-5cd1-9fc0-6e966fad073f |
| Operation: | write | Name: | DisplayVersion |
Value: 0.22.0 | |||
| (PID) Process: | (4956) freetube-0.22.0-setup-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\609c326f-6a5e-5cd1-9fc0-6e966fad073f |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Users\admin\AppData\Local\Programs\FreeTube\FreeTube.exe,0 | |||
| (PID) Process: | (4956) freetube-0.22.0-setup-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\609c326f-6a5e-5cd1-9fc0-6e966fad073f |
| Operation: | write | Name: | Publisher |
Value: PrestonN | |||
| (PID) Process: | (4956) freetube-0.22.0-setup-x64.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\609c326f-6a5e-5cd1-9fc0-6e966fad073f |
| Operation: | write | Name: | NoModify |
Value: 1 | |||
Executable files
22
Suspicious files
162
Text files
13
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4956 | freetube-0.22.0-setup-x64.exe | C:\Users\admin\AppData\Local\Temp\nsu11E7.tmp\app-64.7z | — | |
MD5:— | SHA256:— | |||
| 4956 | freetube-0.22.0-setup-x64.exe | C:\Users\admin\AppData\Local\Temp\nsu11E7.tmp\7z-out\icudtl.dat | — | |
MD5:— | SHA256:— | |||
| 4956 | freetube-0.22.0-setup-x64.exe | C:\Users\admin\AppData\Local\Temp\nsu11E7.tmp\7z-out\LICENSES.chromium.html | — | |
MD5:— | SHA256:— | |||
| 4956 | freetube-0.22.0-setup-x64.exe | C:\Users\admin\AppData\Local\Temp\nsu11E7.tmp\StdUtils.dll | executable | |
MD5:C6A6E03F77C313B267498515488C5740 | SHA256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E | |||
| 4956 | freetube-0.22.0-setup-x64.exe | C:\Users\admin\AppData\Local\Temp\nsu11E7.tmp\System.dll | executable | |
MD5:0D7AD4F45DC6F5AA87F606D0331C6901 | SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA | |||
| 4956 | freetube-0.22.0-setup-x64.exe | C:\Users\admin\AppData\Local\Temp\nsu11E7.tmp\nsDialogs.dll | executable | |
MD5:466179E1C8EE8A1FF5E4427DBB6C4A01 | SHA256:1E40211AF65923C2F4FD02CE021458A7745D28E2F383835E3015E96575632172 | |||
| 4956 | freetube-0.22.0-setup-x64.exe | C:\Users\admin\AppData\Local\Temp\nsu11E7.tmp\7z-out\locales\af.pak | pgc | |
MD5:CCAFB2B77E0A8C7904819F4A9F699F6C | SHA256:F8FC117DD58DDA4A34B26D82F79A9ABA6008B01308581355444604A878A941BB | |||
| 4956 | freetube-0.22.0-setup-x64.exe | C:\Users\admin\AppData\Local\Temp\nsu11E7.tmp\modern-wizard.bmp | image | |
MD5:52FF52EEE3B944B862C11C268A02C196 | SHA256:2079F7A3EBA60E0D9EE827A7208AA052A71B384873B641DE5E299AEB8E733109 | |||
| 4956 | freetube-0.22.0-setup-x64.exe | C:\Users\admin\AppData\Local\Temp\nsu11E7.tmp\7z-out\chrome_100_percent.pak | binary | |
MD5:3C72D78266A90ED10DC0B0DA7FDC6790 | SHA256:14A6A393C60F62DF9BC1036E98346CD557E0AE73E8C7552D163FA64DA77804D7 | |||
| 4956 | freetube-0.22.0-setup-x64.exe | C:\Users\admin\AppData\Local\Temp\nsu11E7.tmp\nsis7z.dll | executable | |
MD5:80E44CE4895304C6A3A831310FBF8CD0 | SHA256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
28
DNS requests
12
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 93.95.230.186:443 | https://api.invidious.io/instances.json | unknown | ini | 5.77 Kb | unknown |
— | — | POST | 204 | 104.126.37.144:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
— | — | GET | 200 | 174.143.201.50:443 | https://write.as/freetube/feed/ | unknown | xml | 262 Kb | whitelisted |
— | — | GET | 200 | 140.82.121.5:443 | https://api.github.com/repos/freetubeapp/freetube/releases?per_page=1 | unknown | text | 56.9 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 104.126.37.128:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6944 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6944 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
api.invidious.io |
| unknown |
api.github.com |
| whitelisted |
write.as |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |