Edit tour

Windows Analysis Report
fdm_x64_setup.exe

Overview

General Information

Sample Name:	fdm_x64_setup.exe
Analysis ID:	690704
MD5:	31dd1d05a00ad4c3cbb94a8af6726f98
SHA1:	f8a33287bef3e721d52f6b8152822bbdc9a9c3a8
SHA256:	072ee364c81db95d8f45c8d06037cba332cd004d3b8290ee435b369f7becb829
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Obfuscated command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

PE file contains strange resources

Drops PE files

PE file contains sections with non-standard names

Found dropped PE file which has not been started or loaded

Classification

Process Tree

System is start

fdm_x64_setup.exe (PID: 184 cmdline: "C:\Users\alfredo\Desktop\fdm_x64_setup.exe" MD5: 31DD1D05A00AD4C3CBB94A8AF6726F98)

fdm_x64_setup.tmp (PID: 3892 cmdline: "C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp" /SL5="$2038C,34713263,780288,C:\Users\alfredo\Desktop\fdm_x64_setup.exe" MD5: 3C90C4DAABD5AFA78392EA879FA341A6)

schtasks.exe (PID: 3176 cmdline: "schtasks.exe" /end /tn FreeDownloadManagerHelperService MD5: 003D681048A63B9862C299F30492CFDF)

conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: fdm_x64_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\unins000.dat
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-7CO7S.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-D0NHS.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-R31M0.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-V105V.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-1LRU2.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-99UVP.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-8QFML.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-OVIG9.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-H4KKL.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-B4BVM.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-90813.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-VG0RE.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-9G3VC.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-6EUK9.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-EA331.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-I4TC5.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-BHSLV.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-5PCKA.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-5L5E8.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-3PMR7.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-940K7.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-RPNAI.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-4IDOF.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-GGULB.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-ONUPS.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-3V1LO.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-242RF.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-87ER9.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-GMHAL.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-7H68L.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-5S1KV.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-7CG1Q.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-8OREA.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-4DDA0.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-0BB6O.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-VEVHM.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-AA7GK.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-RG2KI.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-8IIMH.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-OFL7K.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-U351B.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-JRBN3.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-23BE3.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-T89KD.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-FD6K5.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-8ATK9.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-N2MR5.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-BNRSO.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-4000T.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-T4J2V.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-PSIFG.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-B3NPD.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-G7439.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-2M2DR.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-9O60R.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-GTRN5.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-N12R1.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-JFJJL.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-TTH8V.tmp

Source: fdm_x64_setup.exe

Static PE information: certificate valid

Source: fdm_x64_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: accounts.google.com

Source: fdm_x64_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: fdm_x64_setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fdm_x64_setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\alfredo\Desktop\fdm_x64_setup.exe

File read: C:\Users\alfredo\Desktop\fdm_x64_setup.exe

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\alfredo\Desktop\fdm_x64_setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\alfredo\Desktop\fdm_x64_setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: unknown	Process created: C:\Users\alfredo\Desktop\fdm_x64_setup.exe "C:\Users\alfredo\Desktop\fdm_x64_setup.exe"
Source: C:\Users\alfredo\Desktop\fdm_x64_setup.exe	Process created: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp "C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp" /SL5="$2038C,34713263,780288,C:\Users\alfredo\Desktop\fdm_x64_setup.exe"
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /end /tn FreeDownloadManagerHelperService
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /end /tn FreeDownloadManagerHelperService
Source: C:\Users\alfredo\Desktop\fdm_x64_setup.exe	Process created: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp "C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp" /SL5="$2038C,34713263,780288,C:\Users\alfredo\Desktop\fdm_x64_setup.exe"

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:304:WilStaging_02

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp

File created: C:\Program Files\Softdeluxe

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp

File created: C:\Users\alfredo\AppData\Local\Programs

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp

File created: C:\Users\alfredo\AppData\Local\Temp\is-IHEBO.tmp

Source: classification engine

Classification label: sus24.winEXE@6/26@3/0

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: fdm_x64_setup.exe

Static file information: File size 35460872 > 1048576

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\unins000.dat
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-7CO7S.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-D0NHS.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-R31M0.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-V105V.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-1LRU2.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-99UVP.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-8QFML.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-OVIG9.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-H4KKL.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-B4BVM.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-90813.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-VG0RE.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-9G3VC.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-6EUK9.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-EA331.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-I4TC5.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-BHSLV.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-5PCKA.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-5L5E8.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-3PMR7.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-940K7.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-RPNAI.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-4IDOF.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-GGULB.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-ONUPS.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-3V1LO.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-242RF.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-87ER9.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-GMHAL.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-7H68L.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-5S1KV.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-7CG1Q.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-8OREA.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-4DDA0.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-0BB6O.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-VEVHM.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-AA7GK.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-RG2KI.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-8IIMH.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-OFL7K.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-U351B.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-JRBN3.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-23BE3.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-T89KD.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-FD6K5.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-8ATK9.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-N2MR5.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-BNRSO.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-4000T.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-T4J2V.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-PSIFG.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-B3NPD.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-G7439.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-2M2DR.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-9O60R.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-GTRN5.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-N12R1.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-JFJJL.tmp
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Directory created: C:\Program Files\Softdeluxe\Free Download Manager\is-TTH8V.tmp

Source: fdm_x64_setup.exe

Static PE information: certificate valid

Source: fdm_x64_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Obfuscated command line found

Source: C:\Users\alfredo\Desktop\fdm_x64_setup.exe	Process created: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp "C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp" /SL5="$2038C,34713263,780288,C:\Users\alfredo\Desktop\fdm_x64_setup.exe"
Source: C:\Users\alfredo\Desktop\fdm_x64_setup.exe	Process created: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp "C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp" /SL5="$2038C,34713263,780288,C:\Users\alfredo\Desktop\fdm_x64_setup.exe"

Source: fdm_x64_setup.exe

Static PE information: section name: .didata

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-2M2DR.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-RG2KI.tmp	Jump to dropped file
Source: C:\Users\alfredo\Desktop\fdm_x64_setup.exe	File created: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-AA7GK.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-VEVHM.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\ffmpeg.exe (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-G7439.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\importwizard.exe (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-9O60R.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-B3NPD.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-0BB6O.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-GTRN5.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-7CG1Q.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-4DDA0.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Users\alfredo\AppData\Local\Temp\is-IHEBO.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\is-8OREA.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\libcrypto-1_1-x64.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	File created: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp

Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /end /tn FreeDownloadManagerHelperService

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\fdm_x64_setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-2M2DR.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-RG2KI.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-AA7GK.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-VEVHM.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\ffmpeg.exe (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-G7439.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\importwizard.exe (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-9O60R.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-B3NPD.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-0BB6O.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-GTRN5.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-7CG1Q.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-4DDA0.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Users\alfredo\AppData\Local\Temp\is-IHEBO.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\is-8OREA.tmp	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\libcrypto-1_1-x64.dll (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	Dropped PE file which has not been started: C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Process Injection	3 Masquerading	OS Credential Dumping	2 System Owner/User Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Source	Detection	Scanner	Link
fdm_x64_setup.exe	0%	Virustotal	Browse
fdm_x64_setup.exe	0%	Metadefender	Browse
fdm_x64_setup.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	0%	Virustotal	Browse
C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp	2%	ReversingLabs
C:\Users\alfredo\AppData\Local\Temp\is-IHEBO.tmp\_isetup\_setup64.tmp	0%	Virustotal	Browse
C:\Users\alfredo\AppData\Local\Temp\is-IHEBO.tmp\_isetup\_setup64.tmp	0%	Metadefender	Browse
C:\Users\alfredo\AppData\Local\Temp\is-IHEBO.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Program Files\Softdeluxe\Free Download Manager\is-0BB6O.tmp	0%	Virustotal	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-0BB6O.tmp	0%	Metadefender	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-0BB6O.tmp	0%	ReversingLabs
C:\Program Files\Softdeluxe\Free Download Manager\is-4DDA0.tmp	0%	Virustotal	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-4DDA0.tmp	0%	Metadefender	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-4DDA0.tmp	0%	ReversingLabs
C:\Program Files\Softdeluxe\Free Download Manager\is-7CG1Q.tmp	0%	Virustotal	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-7CG1Q.tmp	0%	Metadefender	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-7CG1Q.tmp	0%	ReversingLabs
C:\Program Files\Softdeluxe\Free Download Manager\is-8OREA.tmp	0%	Virustotal	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-8OREA.tmp	0%	Metadefender	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-8OREA.tmp	0%	ReversingLabs
C:\Program Files\Softdeluxe\Free Download Manager\is-AA7GK.tmp	0%	Metadefender	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-AA7GK.tmp	0%	ReversingLabs
C:\Program Files\Softdeluxe\Free Download Manager\is-RG2KI.tmp	0%	Metadefender	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-RG2KI.tmp	0%	ReversingLabs
C:\Program Files\Softdeluxe\Free Download Manager\is-VEVHM.tmp	0%	Metadefender	Browse
C:\Program Files\Softdeluxe\Free Download Manager\is-VEVHM.tmp	0%	ReversingLabs
C:\Program Files\Softdeluxe\Free Download Manager\ffmpeg.exe (copy)	2%	ReversingLabs
C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe (copy)	0%	ReversingLabs
C:\Program Files\Softdeluxe\Free Download Manager\importwizard.exe (copy)	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
accounts.google.com	172.217.16.205	true	false	high
www.freedownloadmanager.org	199.101.132.243	true	false	high
clients.l.google.com	142.250.186.46	true	false	high
clients2.google.com	unknown	unknown	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	690704
Start date and time:	2022-08-26 08:38:21 +02:00
Joe Sandbox Product:	CloudBasic
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	fdm_x64_setup.exe
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus24.winEXE@6/26@3/0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.36.131, 34.104.35.123
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, nexusrules.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: C:\Program Files\Softdeluxe\Free Download Manager\is-AA7GK.tmp

Process:	C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.03021960345049
Encrypted:	false
SSDEEP:
MD5:	1D821D741CFAF0D322F2483114D93188
SHA1:	AA6ECD604D207BBAE869225A1A7738433A4417D6
SHA-256:	9B299B18FE97191E3875D173B2D89295CFA8D006A0C9328FAE867B8DA9BDC23B
SHA-512:	3FF35106664FED3746DC00ED0BF85DB853B047F736708C9A2587D9550581642A6837F1FF4A0275C54A42F6033FBD7567B233D3F832F25A241B321820BFF8A971
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d....3.V.........." .........................................................0......C.....`.........................................`...e............ ...................<..............8............................................................................rdata..\|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\alfredo\Desktop\fdm_x64_setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2570752
Entropy (8bit):	6.387948436036898
Encrypted:	false
SSDEEP:
MD5:	3C90C4DAABD5AFA78392EA879FA341A6
SHA1:	F45D424B3D9D859D3524AFFE5D2EDEB5FF2C81BC
SHA-256:	C9DCF0E3F679469EE4A35083A115C671C37BE19E7EC5721E1F2F3FF1F6E09B0C
SHA-512:	A6E33FBB48C80F8CACB23CCAD2BAC1C4EA27F665447F22A6E45F1135687BBDBA5752FCE4D33B9374E1E3C4AC793548B7C188A4B2DC10C88ABE3C3CE36B42110A
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....m^..................%...........%.......%...@.......................... (...........@......@....................'.......&..5...0'...................................................... '.....................L.&.H.....&......................text.....%.......%................. ..`.itext...&....%..(....%............. ..`.data...dZ....%..\....%.............@....bss.....x...0&..........................idata...5....&..6....&.............@....didata.......&......@&.............@....edata........'......J&.............@..@.tls....D.....'..........................rdata..].... '......L&.............@..@.rsrc........0'......N&.............@..@............. (......:'.............@..@........................................................

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5E6D1B8D [Sat Mar 14 17:59:41 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5a594319a0d69dbc452e748bcf05892e

Signature Valid:	true
Signature Issuer:	CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	7/19/2020 5:00:00 PM 8/18/2022 4:59:59 PM
Subject Chain	CN=Softdeluxe Ltd., O=Softdeluxe Ltd., STREET="Universitetskaya St., 19", L=Dubna, PostalCode=141980, C=RU
Version:	3
Thumbprint MD5:	3AAC0AA93E2ED65917ADA968712E5829
Thumbprint SHA-1:	0ADD9C997572DA93D4D6478BD57E1F931C7C4328
Thumbprint SHA-256:	7B8685C6C289A1195F26993ADFE0C7331701695346BF4610A40ADAE7B2876D80
Serial:	009D94DF2E075539EBE7F0AAF27135A533

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xf36	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x4600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x21cf248	0x24c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22e4	0x244	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb3604	0xb3800	False	0.34484761272632314	data	6.354329115342966	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1684	0x1800	False	0.5445963541666666	data	5.970901565517897	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	False	0.36104910714285715	data	5.0421620677813435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6da0	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xf36	0x1000	False	0.3681640625	data	4.8987046479600425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	False	0.345703125	data	2.7563628682496506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	False	0.2578125	data	1.8722228665884297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x4600	0x4600	False	0.32260044642857144	data	4.437327489999006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc74c8	0x128	GLS_BINARY_LSB_FIRST	Dutch	Netherlands
RT_ICON	0xc75f0	0x568	GLS_BINARY_LSB_FIRST	Dutch	Netherlands
RT_ICON	0xc7b58	0x2e8	data	Dutch	Netherlands
RT_ICON	0xc7e40	0x8a8	data	Dutch	Netherlands
RT_STRING	0xc86e8	0x360	data
RT_STRING	0xc8a48	0x260	data
RT_STRING	0xc8ca8	0x45c	data
RT_STRING	0xc9104	0x40c	data
RT_STRING	0xc9510	0x2d4	data
RT_STRING	0xc97e4	0xb8	data
RT_STRING	0xc989c	0x9c	data
RT_STRING	0xc9938	0x374	data
RT_STRING	0xc9cac	0x398	data
RT_STRING	0xca044	0x368	data
RT_STRING	0xca3ac	0x2a4	data
RT_RCDATA	0xca650	0x10	data
RT_RCDATA	0xca660	0x2c4	data
RT_RCDATA	0xca924	0x2c	data
RT_GROUP_ICON	0xca950	0x3e	data	English	United States
RT_VERSION	0xca990	0x584	data	English	United States
RT_MANIFEST	0xcaf14	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x454058
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fdm_x64_setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-locale-l1-1-0.dll (copy)

C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-math-l1-1-0.dll (copy)

C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-multibyte-l1-1-0.dll (copy)

C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-private-l1-1-0.dll (copy)

C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-process-l1-1-0.dll (copy)

C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-runtime-l1-1-0.dll (copy)

C:\Program Files\Softdeluxe\Free Download Manager\api-ms-win-crt-stdio-l1-1-0.dll (copy)

C:\Program Files\Softdeluxe\Free Download Manager\ffmpeg.exe (copy)

C:\Program Files\Softdeluxe\Free Download Manager\helperservice.exe (copy)

C:\Program Files\Softdeluxe\Free Download Manager\importwizard.exe (copy)

C:\Program Files\Softdeluxe\Free Download Manager\is-0BB6O.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-2M2DR.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-4DDA0.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-7CG1Q.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-8OREA.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-9O60R.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-AA7GK.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-B3NPD.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-G7439.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-GTRN5.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-RG2KI.tmp

C:\Program Files\Softdeluxe\Free Download Manager\is-VEVHM.tmp

C:\Program Files\Softdeluxe\Free Download Manager\libEGL.dll (copy)

C:\Program Files\Softdeluxe\Free Download Manager\libcrypto-1_1-x64.dll (copy)

C:\Users\alfredo\AppData\Local\Temp\is-IHEBO.tmp\_isetup\_setup64.tmp

C:\Users\alfredo\AppData\Local\Temp\is-N1RHV.tmp\fdm_x64_setup.tmp

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
fdm_x64_setup.exe