Malware analysis YouTubeSpamer (6).rar Malicious activity

Add for printing

File name:	YouTubeSpamer (6).rar
Full analysis:	https://app.any.run/tasks/076fa19a-b6cf-4f82-abd3-a0f98ee9b6fc
Verdict:	Malicious activity
Analysis date:	February 17, 2020, 15:10:54
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	FCC85A67D39CB1207F04514A208E18A5
SHA1:	7FEDE22FA52A3AEABB703937AAA1502E74F4D2D5
SHA256:	C846DC5262AC67CFEF11DB41C6105F1B6B076138BCACDF78BD6AD25617D0909C
SSDEEP:	393216:76EhpdqxloSSM5jT8lCfAsavKF+BTThKglD1Bb1szC+:WEhGxlnSojolCZ2TThKglfhm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - explorer.exe (PID: 372)
  - SearchProtocolHost.exe (PID: 3548)
  - YouTube Spamer .exe (PID: 2880)
  - FastExecuteScript.exe (PID: 2240)
  - SearchProtocolHost.exe (PID: 1556)
  - Worker.exe (PID: 2068)
  - Worker.exe (PID: 3088)
  - Worker.exe (PID: 3276)
  - Worker.exe (PID: 2128)
- Application was dropped or rewritten from another process
  - YouTube Spamer .exe (PID: 2880)
  - FastExecuteScript.exe (PID: 2240)
  - Worker.exe (PID: 3276)
  - Worker.exe (PID: 2068)
  - Worker.exe (PID: 3088)
  - Worker.exe (PID: 2128)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3828)
  - YouTube Spamer .exe (PID: 2880)
- Creates files in the user directory
  - explorer.exe (PID: 372)
- Application launched itself
  - Worker.exe (PID: 2068)
INFO
- Dropped object may contain Bitcoin addresses
  - WinRAR.exe (PID: 3828)
  - YouTube Spamer .exe (PID: 2880)
- Reads settings of System Certificates
  - YouTube Spamer .exe (PID: 2880)
- Reads the hosts file
  - Worker.exe (PID: 2068)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

372

C:\Windows\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\winanr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1556

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchProtocolHost.exe

—

SearchIndexer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Windows Search Protocol Host

Exit code:

Version:

7.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\searchprotocolhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2068

.\Worker\Worker.exe ru --UseFlash 0 --ProxyTunneling 1 --SkipFrames 1 --unique-process-id=fCrhOolt --Profile prof/ev1XEoFN --Extensions "" rkkxevcoqo none 2240

C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\Worker.exe

FastExecuteScript.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\worker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\libiconv.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\libcef.dll

2128

"C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\Worker.exe" --type=gpu-process --disable-gpu-sandbox --no-sandbox --log-file="C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\debug.log" --log-severity=disable --lang=en-US --parent-process-id=2068 --unique-process-id=fCrhOolt --gpu-preferences=KAAAAAAAAACAA4BAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --log-file="C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\debug.log" --log-severity=disable --lang=en-US --parent-process-id=2068 --unique-process-id=fCrhOolt --service-request-channel-token=13918685148648314337 --mojo-platform-channel-handle=2028 /prefetch:2

C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\Worker.exe

—

Worker.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\worker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\libiconv.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\libcef.dll

2240

appslocal\e3b0c442\SID9957e8f4\engine\FastExecuteScript.exe

C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\FastExecuteScript.exe

—

YouTube Spamer .exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\fastexecutescript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\engine.dll
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\libxml2.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

2880

"C:\Users\admin\Desktop\YouTubeSpamer\YouTube Spamer .exe"

C:\Users\admin\Desktop\YouTubeSpamer\YouTube Spamer .exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\youtubespamer\youtube spamer .exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\desktop\youtubespamer\qt5widgets.dll

3088

"C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\Worker.exe" --type=renderer --no-sandbox --disable-gpu-compositing --service-pipe-token=7558175544363531900 --lang=en-US --log-file="C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\debug.log" --log-severity=disable --parent-process-id=2068 --unique-process-id=fCrhOolt --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7558175544363531900 --renderer-client-id=2 --mojo-platform-channel-handle=1248 /prefetch:1

C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\Worker.exe

—

Worker.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\worker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\libiconv.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\libcef.dll

3276

"C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\Worker.exe" --type=gpu-process --no-sandbox --log-file="C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\debug.log" --log-severity=disable --lang=en-US --parent-process-id=2068 --unique-process-id=fCrhOolt --gpu-preferences=KAAAAAAAAACAA4BAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --log-file="C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\debug.log" --log-severity=disable --lang=en-US --parent-process-id=2068 --unique-process-id=fCrhOolt --service-request-channel-token=13677222192036164990 --mojo-platform-channel-handle=1216 /prefetch:2

C:\Users\admin\Desktop\YouTubeSpamer\appslocal\e3b0c442\SID9957e8f4\engine\Worker\Worker.exe

—

Worker.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\worker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\libiconv.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\desktop\youtubespamer\appslocal\e3b0c442\sid9957e8f4\engine\worker\libcef.dll

3548

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\System32\SearchProtocolHost.exe

—

SearchIndexer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Windows Search Protocol Host

Exit code:

Version:

7.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

3828

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\YouTubeSpamer (6).rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

Add for printing

Total events

4 662

Read events

4 450

Write events

210

Delete events

Modification events


(PID) Process:	(372) explorer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3828) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3828) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3828) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3828) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\YouTubeSpamer (6).rar
(PID) Process:	(3828) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3828) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3828) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3828) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(372) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
Operation:	write	Name:	a
Value: WinRAR.exe

Add for printing

Executable files

184

Suspicious files

Text files

814

Unknown types

232

Dropped files

PID	Process	Filename		Type
3828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.28937\YouTubeSpamer\bearer\qgenericbearer.dll		executable
		MD5:DBA35D31C2B6797C8A4D38AE27D68E6E	SHA256:086D6BA24F34A269856C4E0159A860657590D05AABB2530247E685543B34C52F
3828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.28937\YouTubeSpamer\imageformats\qgif.dll		executable
		MD5:C108D79D7C85786F33F85041445F519F	SHA256:D5459A707922DD2BF50114CC6718965173EE5B0F67DEB05E933556150CFDD9D1
3828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.28937\YouTubeSpamer\bearer\qnativewifibearer.dll		executable
		MD5:A8BCA50F7966F578B127D1E24FC2430F	SHA256:C209D080A62F5E67DDC01A3AE6B4F9B103FAF4104C93B7DBB5FFA8D548BF0CD5
3828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.28937\YouTubeSpamer\iconengines\qsvgicon.dll		executable
		MD5:90BB882A4B5E3427F328259530AA1B3B	SHA256:B2B420AA1805D8B5DC15CCB74DD664D10BD6BA422743F5043A557A701C8A1778
3828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.28937\YouTubeSpamer\imageformats\qicns.dll		executable
		MD5:52C6978203CA20BEEAD6E8872E80D39F	SHA256:E665F3519309BAE42E0E62F459ECC511701DDDDF94599EBFD213D0A71775C462
3828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.28937\YouTubeSpamer\imageformats\qtga.dll		executable
		MD5:D0604A5F13B32A08D5FA5BD887F869A6	SHA256:2B6444D2A8146A066109CA19618CEEE98444127A5B422C14635AB837887E55BF
3828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.28937\YouTubeSpamer\D3Dcompiler_47.dll		executable
		MD5:E6945CCEEFC0A122833576A5FC5F88F4	SHA256:FB8D0049F5DD5858C3B1DA4836FB4B77D97B72D67AD951EDB48F1A3E087EC2B1
3828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.28937\YouTubeSpamer\imageformats\qdds.dll		executable
		MD5:3FDB8D8407CCCFAA0290036CC0107906	SHA256:3A71A119EEABCE867B57636070ADEB057443A6EC262BE1360F344CB3905545DB
3828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.28937\YouTubeSpamer\data\project.xml		xml
		MD5:EC83791BEA128F390C57B15823213641	SHA256:9957E8F4587E83BDCC6B84715E9CFECBA036FEA0055A4AB19105C2DA4992BF22
3828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.28937\YouTubeSpamer\imageformats\qico.dll		executable
		MD5:EDDF7FB99F2FCAEA6FE4FD34B8FD5D39	SHA256:9D942215A80A25E10EE1A2BB3D7C76003642D3A2D704C38C822E6A2CA82227BF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2880	YouTube Spamer .exe	146.185.145.186:443	bablosoft.com	Digital Ocean, Inc.	NL	suspicious
2068	Worker.exe	172.217.18.13:443	accounts.google.com	Google Inc.	US	whitelisted
2068	Worker.exe	216.58.207.67:443	ssl.gstatic.com	Google Inc.	US	whitelisted
2068	Worker.exe	172.217.23.99:443	fonts.gstatic.com	Google Inc.	US	whitelisted
2068	Worker.exe	172.217.22.37:443	mail.google.com	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
bablosoft.com	146.185.145.186	whitelisted
accounts.google.com	172.217.18.13	shared
ssl.gstatic.com	216.58.207.67	whitelisted
fonts.gstatic.com	172.217.23.99	whitelisted
mail.google.com	172.217.22.37	shared

Threats

No threats detected

Add for printing

No debug info

General Info

YouTubeSpamer (6).rar

FCC85A67D39CB1207F04514A208E18A5

7FEDE22FA52A3AEABB703937AAA1502E74F4D2D5

C846DC5262AC67CFEF11DB41C6105F1B6B076138BCACDF78BD6AD25617D0909C

393216:76EhpdqxloSSM5jT8lCfAsavKF+BTThKglD1Bb1szC+:WEhGxlnSojolCZ2TThKglfhm

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Application launched itself

INFO

Dropped object may contain Bitcoin addresses

Reads settings of System Certificates

Reads the hosts file

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings