URL: https://github.com/FreeTubeApp/FreeTube/releases/download/v0.19.1-beta/freetube-0.19.1-setup-x64.exe

Full analysis: https://app.any.run/tasks/f51b8304-799f-4522-97bb-172cbf8d780f
Verdict: Malicious activity
Analysis date: October 21, 2023, 16:59:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: D84F66AD3AD3917BDA05B2C7D1F64493
SHA1: 9FF3A1DA5F53C9269E56E0EA70A01840E21FB093
SHA256: E84AB50CF23F7CA919658CCD5D96DF182BBF4D6E2FA4ED5A25C95F405BEFC97D
SSDEEP: 3:N8tEdbrQKQJlkCecLho52rU/rcJ4A:2uiQcLIlcyA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • freetube-0.19.1-setup-x64.exe (PID: 1140)
    • Drops the executable file immediately after the start

      • freetube-0.19.1-setup-x64.exe (PID: 1140)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • freetube-0.19.1-setup-x64.exe (PID: 1140)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • freetube-0.19.1-setup-x64.exe (PID: 1140)
  • INFO

    • Checks supported languages

      • freetube-0.19.1-setup-x64.exe (PID: 1140)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3480)
    • Application launched itself

      • iexplore.exe (PID: 1240)
    • Reads the computer name

      • freetube-0.19.1-setup-x64.exe (PID: 1140)
    • Create files in a temporary directory

      • freetube-0.19.1-setup-x64.exe (PID: 1140)
    • The process uses the downloaded file

      • iexplore.exe (PID: 1240)
    • Loads dropped or rewritten executable

      • freetube-0.19.1-setup-x64.exe (PID: 1140)
No Malware configuration.
No data.
Total processes: 39
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe → freetube-0.19.1-setup-x64.exe (no specs)

Process information

PID: 1140
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\freetube-0.19.1-setup-x64.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\freetube-0.19.1-setup-x64.exe
Parent process: iexplore.exe
User: admin
Company: PrestonN
Integrity Level: MEDIUM
Description: A private YouTube client
Exit code: 2
Version: 0.19.1
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\freetube-0.19.1-setup-x64.exe
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 1240
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://github.com/FreeTubeApp/FreeTube/releases/download/v0.19.1-beta/freetube-0.19.1-setup-x64.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 3480
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1240 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events: 17 001
Read events: 16 944
Write events: 56
Delete events: 1

Modification events

Process: (1240) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 0

Process: (1240) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30847387

Process: (1240) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30847437

Process: (1240) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (1240) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (1240) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (1240) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (1240) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (1240) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (1240) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 2
Suspicious files: 15
Text files: 3
Unknown types: 0

Dropped files

PID: 3480 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\freetube-0.19.1-setup-x64.exe.30axmr8.partial
MD5:
SHA256:

PID: 1240 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\freetube-0.19.1-setup-x64.exe
MD5:
SHA256:

PID: 3480 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: compressed
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8

PID: 3480 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Type: binary
MD5: 5C19D64D8D50F951CDD8AC79359E972B
SHA256: 1BCA6CA083DEDA28F91509BC18FD86D67E3F6779AC481EC5CBA1C2F5089D7E8A

PID: 3480 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Type: binary
MD5: 45C97A859CF0A0B7CB7FAC6A84C575EC
SHA256: 1D2198E64A8CDEE368D5B478CA5CA5F34A7D1D488F3AD2FBF151D8B6CB70F8F9

PID: 3480 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_D222662A57BAA60D2F5EA0D2CC7B2F1C
Type: binary
MD5: 6703CD0A5B12AC41AB14DF22DA0938E5
SHA256: 70E8B0BA18B63A89E2C4E56425FF57AAE11E496E39F11112F5D7E4FAF53EDDDB

PID: 1240 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\urlblockindex[1].bin
Type: binary
MD5: FA518E3DFAE8CA3A0E495460FD60C791
SHA256: 775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7

PID: 1240 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Temp\~DF1EE65BCC278DDF33.TMP
Type: binary
MD5: 22277357C55271F5F0F1403E5F7DEB19
SHA256: 5A92806868F5408FE1F0EEFF19BE5147261D8755BDBC152F77887B485BFF4FEC

PID: 1240 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
Type: xml
MD5: CBD0581678FA40F0EDCBC7C59E0CAD10
SHA256: 159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9

PID: 1240 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Type: binary
MD5: BC1BDF78D97DC696D1CE1D8A67DD7377
SHA256: 157F7673D754103CFE454D99C42E46F7988591C0E0441169C25C3EE77F961507
HTTP(S) requests: 6
TCP/UDP connections: 11
DNS requests: 6
Threats: 0

HTTP requests

PID: 3480 (iexplore.exe)
Method: GET, HTTP code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D
CN: unknown
Type: binary, Size: 471 b
Reputation: unknown

PID: 3480 (iexplore.exe)
Method: GET, HTTP code: 200
IP: 46.228.146.0:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ab121734c4c30a79
CN: unknown
Type: compressed, Size: 4.66 Kb
Reputation: unknown

PID: 3480 (iexplore.exe)
Method: GET, HTTP code: 200
IP: 46.228.146.0:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?26be22f8eec632ad
CN: unknown
Type: compressed, Size: 4.66 Kb
Reputation: unknown

PID: 3480 (iexplore.exe)
Method: GET, HTTP code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
CN: unknown
Type: binary, Size: 471 b
Reputation: unknown

PID: 1240 (iexplore.exe)
Method: GET, HTTP code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Type: binary, Size: 471 b
Reputation: unknown

PID: 3480 (iexplore.exe)
Method: GET, HTTP code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrHR6YzPN2BNbByL0VoiTIBBMAOAQUCrwIKReMpTlteg7OM8cus%2B37w3oCEAzQqL7GMs%2FmReygqbCE%2Bxw%3D
CN: unknown
Type: binary, Size: 314 b
Reputation: unknown

Connections

PID: 3480 (iexplore.exe)
IP: 46.228.146.0:80
Domain: ctldl.windowsupdate.com
ASN: LLNW, CN: US
Reputation: unknown

PID: 3480 (iexplore.exe)
IP: 192.229.221.95:80
Domain: ocsp.digicert.com
ASN: EDGECAST, CN: US
Reputation: whitelisted

PID: 3480 (iexplore.exe)
IP: 185.199.109.133:443
Domain: objects.githubusercontent.com
ASN: FASTLY, CN: US
Reputation: unknown

PID: 4 (System)
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 4 (System)
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 1240 (iexplore.exe)
IP: 152.199.19.161:443
Domain: r20swj13mr.microsoft.com
ASN: EDGECAST, CN: US
Reputation: whitelisted

PID: 1240 (iexplore.exe)
IP: 192.229.221.95:80
Domain: ocsp.digicert.com
ASN: EDGECAST, CN: US
Reputation: whitelisted

DNS requests

Domain: ctldl.windowsupdate.com
  • 46.228.146.0
  • 46.228.146.128
Reputation: whitelisted

Domain: ocsp.digicert.com
  • 192.229.221.95
Reputation: whitelisted

Domain: objects.githubusercontent.com
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.108.133
Reputation: shared

Domain: r20swj13mr.microsoft.com
  • 152.199.19.161
Reputation: whitelisted

Domain: iecvlist.microsoft.com
  • 152.199.19.161
Reputation: whitelisted

Threats

No threats detected
No debug info