Malware Analysis Report

2024-11-30 06:11

Sample ID 240612-r2knrsydre
Target FileZilla_3.67.0_win64_sponsored2-setup.exe
SHA256 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral1, behavioral10, behavioral14, behavioral30, behavioral2, behavioral9, behavioral23, behavioral6, behavioral25, behavioral27, behavioral7, behavioral11, behavioral17, behavioral29, behavioral12, behavioral21, behavioral22, behavioral8, behavioral18, behavioral19, behavioral26, behavioral28, behavioral4, behavioral13, behavioral20, behavioral24, behavioral3, behavioral5, behavioral15, behavioral16, behavioral31, behavioral32 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202

Threat Level: Shows suspicious behavior

The file FileZilla_3.67.0_win64_sponsored2-setup.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Reads data files stored by FTP clients

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Checks installed software on the system

Registers COM server for autorun

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\16x16\remotetreeview.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\logview.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\16x16\disconnect.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\48x48\showhidden.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\48x48\lock.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\is\libfilezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\16x16\binary.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\32x32\synchronize.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\48x48\cancel.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\sun\48x48\localtreeview.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\lo_LA\filezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\synchronize.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\folderclosed.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\classic\16x16\logview.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\24x24\binary.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\minimal\16x16\auto.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\48x48\download.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\16x16\folderclosed.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\an\filezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\sr\filezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\default\480x480\help.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\16x16\disconnect.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\16x16\find.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\24x24\download.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\32x32\localtreeview.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\default\theme.xml C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\classic\16x16\ascii.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\libfzclient-commonui-private-3-67-0.dll C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\48x48\upload.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\32x32\folderclosed.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\fzshellext.dll C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\32x32\queueview.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\cyril\16x16\uploadadd.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\minimal\16x16\filter.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\16x16\auto.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\oc\filezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\oc\libfilezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\folder.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\48x48\folderclosed.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\32x32\logview.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\48x48\bookmark.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\bg_BG\filezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\classic\16x16\file.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\48x48\refresh.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\minimal\16x16\speedlimits.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\32x32\uploadadd.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\48x48\ascii.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\classic\16x16\folder.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\minimal\16x16\bookmarks.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\sun\48x48\disconnect.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\sun\48x48\remotetreeview.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\bookmarks.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\sun\48x48\sitemanager.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\16x16\filter.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\48x48\file.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\48x48\find.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\az\libfilezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\sun\48x48\compare.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\48x48\logview.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\hu_HU\filezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\id_ID\libfilezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\sv\libfilezilla.mo C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\48x48\compare.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\lock.png C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ = "C:\\Program Files\\FileZilla FTP Client\\fzshellext_64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ = "C:\\Program Files\\FileZilla FTP Client\\fzshellext_64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\directory\shellex\CopyHookHandlers\FileZilla3CopyHook C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileZilla3CopyHook\ = "{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\ = "FileZilla 3 Shell Extension" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Windows\system32\regsvr32.exe
PID 3028 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Windows\system32\regsvr32.exe
PID 3028 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Windows\system32\regsvr32.exe
PID 3028 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Windows\system32\regsvr32.exe
PID 3028 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Windows\system32\regsvr32.exe
PID 3028 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Windows\system32\regsvr32.exe
PID 3028 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Windows\system32\regsvr32.exe
PID 3028 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Program Files\FileZilla FTP Client\filezilla.exe
PID 3028 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Program Files\FileZilla FTP Client\filezilla.exe
PID 3028 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Program Files\FileZilla FTP Client\filezilla.exe
PID 3028 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe C:\Program Files\FileZilla FTP Client\filezilla.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe

"C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\FileZilla FTP Client\fzshellext_64.dll"

C:\Program Files\FileZilla FTP Client\filezilla.exe

"C:\Program Files\FileZilla FTP Client\filezilla.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.filezilla-project.org udp

Files

\Users\Admin\AppData\Local\Temp\nsd1595.tmp\System.dll

MD5 4add245d4ba34b04f213409bfe504c07
SHA1 ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA256 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA512 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

\Users\Admin\AppData\Local\Temp\nsd1595.tmp\UserInfo.dll

MD5 d458b8251443536e4a334147e0170e95
SHA1 ba8d4d580f1bc0bb2eaa8b9b02ee9e91b8b50fc3
SHA256 4913d4cccf84cd0534069107cff3e8e2f427160cad841547db9019310ac86cc7
SHA512 6ff523a74c3670b8b5cd92f62dcc6ea50b65a5d0d6e67ee1079bdb8a623b27dd10b9036a41aa8ec928200c85323c1a1f3b5c0948b59c0671de183617b65a96b1

\Users\Admin\AppData\Local\Temp\nsd1595.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Users\Admin\AppData\Local\Temp\nsd1595.tmp\nsDialogs.dll

MD5 1d8f01a83ddd259bc339902c1d33c8f1
SHA1 9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
SHA256 4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
SHA512 28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

\Users\Admin\AppData\Local\Temp\nsd1595.tmp\StartMenu.dll

MD5 a8c86996c4230c2209f5927f21321377
SHA1 45ce0ab93cb6a3a594e54878cce05df724024393
SHA256 110545415a59402635e1c9439acba15b44bab268ed02ad2a262ce12604a47855
SHA512 69ee73496b916777936b0dddd2cc4a4f916e393f7d0b167cba77a4a239ee1e3f645d9b90dee1627c42a23eb6c3403e4d086546b9f78b3a2e4999c8f92f6a3bc3

\Program Files\FileZilla FTP Client\uninstall.exe

MD5 fc585e374e752867184d0a43476592f3
SHA1 ac2ced4dffa9b72ab730185f54077acb17f46cd5
SHA256 cbfcc3114ac776f613cf6f4330f6517d72637c40eeb3130b2206caf0af4bdb32
SHA512 513dbe226060cf359b736c39548e65f1925cacc06efb21ddf0c923a9f9e7de919b009f2256a54fb27f98c45b3146d168ea04eaff706a490990fa044145b17f4e

\Program Files\FileZilla FTP Client\filezilla.exe

MD5 79cef3c9de232d1f58f0e26292376584
SHA1 2dd2ab98e8fcf5c720bf3618a3a0b84666ca191d
SHA256 26d717e65101b0ccd5d491c406f76a216381410890508d3d154d5aa073698887
SHA512 2378c3ea857cbf0ff8b14c7984a0237613533c7f6451bed1ba8e09aeb71ab4c35b7f37f7298259a67467d40925cad4a4e8baf556444215ab84ec9ea4856246c4

C:\Users\Admin\AppData\Local\Temp\nsd1595.tmp\nsis_appid.dll

MD5 19071761e91c43c115a16b52458869b7
SHA1 75ddb807157f1aa31a08f87be0270f60990bcbbc
SHA256 e9e1ba410636698d666b328eea71346b8287248d262e44da07ce8b5fa24c5e5f
SHA512 bc0eab51cf27f657cd3fd62a47894ee13f3f561feaa565f16ba15088be39be73c9839a3cf35b538219ec83a03d48970b89258c5f20c37bcaf76438998437786c

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client\FileZilla.lnk

MD5 1133e861d723ec340ee09321071c13a6
SHA1 9b84d33fba2a71d225a4adf8955a7d560f352b3c
SHA256 69a0f05d55786c61cf4a14da162ef19d88ea2db2b89cc736aa8c7503d1363202
SHA512 a296242431c1eef25f1b27ab2c3cbe93557ae280aea3ec7f19c09a32914b77e6b39fd05adb6f598878e321c2bd2dfd2d0dc816c1f60b8ea2b26697329c1bc7eb

C:\Program Files\FileZilla FTP Client\locales\uk_UA\filezilla.mo

MD5 dde0ddcd21a6288977a493dd98fde867
SHA1 d56e3a0b42ccdedceebf9058c3ad10c27d057641
SHA256 e472b782d83fb60cf1bfe30e6d8faa8a122e5e7fa4c8188cc4caf55fe82be9f1
SHA512 1f9c1deabc249ffad3628b7e6c62cae6abcfae4aa5db88c37a4688727000543c1265732f73f0ca15d69e80cce44c4d61374a5e5807abbafdd78b96f1f7ae8c90

\Program Files\FileZilla FTP Client\fzshellext.dll

MD5 c0280971a69869d7a1f3b35793c839f3
SHA1 946356173bdd7d575db1d1b3fb04ed81353e098a
SHA256 c085caea2677b0eeaeecb9afe7e0bad83c2a94fc78d5c3f7819bc7314e54ec69
SHA512 cdd1530aec393c9c07574e9a32214af8fb5eef85a5be02db68e24e05c5e1d88449f064e280d2bcd21aa6921c7545f30965a6724ce810960001964a3c558370ba

C:\Program Files\FileZilla FTP Client\fzshellext_64.dll

MD5 d29ae3155432dedc8b5002133e22ab71
SHA1 f25b6f9ee1ea454e3c00a22d5d000234f3afaf95
SHA256 44ca9c321f266b39b170da0218372b0a0716b9516c36255f600321e7778bc673
SHA512 65adb747cf96b20d63b45f15b00d8d1ea60187a9af6604bee47d9679670edc93cc79009426a92493f2e12b13943298e90df9bb085a0febf9c076d90e01e8396e

C:\Program Files\FileZilla FTP Client\wxbase32u_gcc_custom.dll

MD5 5cc9be3f1890c173c9c63410f356c09a
SHA1 2eeb5a4f53c669cd324254fe7aa2876d1626f695
SHA256 a89efa9a7bd855e2063246ed6d60c3d84330ccdaba98904720587a2c24c9dd31
SHA512 19da61eea609e243490ee3e2aa8bef2d665fd9f028897be7f9e7334becf1efbe2d7d89091d43ae6bc0d5ccd521b5b0fd7d20257e2826aa665ae29d7a8423cc0f

\Program Files\FileZilla FTP Client\libsqlite3-0.dll

MD5 f027b75ee14492d9cd45002ac949615b
SHA1 be10480065d7bf0461940f618393528ec0b51092
SHA256 10562c70d79f84541a10158b22ba2d0be587551235a27ae7c1028f58e6d8f521
SHA512 c0fdb6a09614d3189b727869c20198d3a88be542b2555302d65e18e2b185d7bfa135fb93a93df0786902dee75d67d16c2f7c27ff62038566a3753d170932334c

\Program Files\FileZilla FTP Client\wxbase32u_xml_gcc_custom.dll

MD5 8bd725973fb63685557cb0a90addf0a9
SHA1 124b6eba99e87a77ce7ebd349e05ac7423166f3c
SHA256 85f7a0df6b7ebaa46f6a255de0db92f939441fd509c5dbd605d01b6c1bc98115
SHA512 37799a8e7366b55cbe8689a4b560421b4adbb731de893705c71367c54f4848de1351fa4d93b531cb134cc155ffb4a16117dc619687a96f6d6df3f50d2e0bec3d

\Program Files\FileZilla FTP Client\wxmsw32u_xrc_gcc_custom.dll

MD5 923e97f86b22abcb602f6ab16d2b0293
SHA1 b14cd14ce8b2c4cd2fe29395679210ba662cd26e
SHA256 95e36f082ac1bd2ee75c7c3d7371c8332cd5f36b3af0e4146689ee8790e7f244
SHA512 d4ddbaaccb26c2e531437b16162489fa0690ab704d711dc3fb99746835cac12f5289eab1d099582acd2d333f8c1a85f096002f0ea10713311b43c38598fea21e

\Program Files\FileZilla FTP Client\libpng16-16.dll

MD5 0ff719ab13a1cf91cde12b50b6cc0d49
SHA1 47f9e148f4b754d68d0ab7050da1e74cd1ae54f9
SHA256 66141f686a865780e8e6e240ccba68b4442b5fb50faa0a9297f1e42dda20f752
SHA512 d43f4f7cabf47462869bdc637f8dc5df1b8257ceb29d81192898e36b231beb04fba5bd2704ee36a9b830c13dbe547373bde67dbffb903846f5396cde798378d0

\Program Files\FileZilla FTP Client\wxmsw32u_core_gcc_custom.dll

MD5 90a9eb91e52116843329b5a75c93c08e
SHA1 874534a834d59a1955a467860fc66c908627f039
SHA256 5a8d63246000f4e53a60612ee34613d7f54e5ac9e8bace7d0c71737ace30f653
SHA512 defd32468af25905e7cbf35ebe14db25dc1cb886793afeb0faeb867716f65f8b9ee321d06001e2c1af19a07b83d5c9b325d4b6ca5f864e1aa3050077b6787d37

\Program Files\FileZilla FTP Client\wxmsw32u_aui_gcc_custom.dll

MD5 17f252efa82208ac31378e3a4f333ed9
SHA1 d722f47111f8dd81e0891c433a9cfc583ff76589
SHA256 17305a8db2b3d3c65dda7a22e918f13fec041e95feb56715c46d1fa20569fdb2
SHA512 8ea148d881309bd08bf99d8f39f5b01dcd4d779388b40d168576b5cdaed422b0cc5a23e4f4f65ac8820ca7bc8c22ba49590223579da3be17481812f18dd57f11

C:\Program Files\FileZilla FTP Client\resources\default\theme.xml

MD5 75a54b0f2673d762239bc479579af93d
SHA1 13bb8fea1c2e296ad1516df1d565e2ceaf2d9484
SHA256 209f8abd4d06ba609d1d92943ccd2b7ef8918e88ca3f159ab8d1d6fa82ebcda1
SHA512 8f4ad697b0073307a9dd5559c702f30bb52aadf48f875707691a2480a9baed48eec34089ed1be784358ff7ea213b68c62b972cc24278e6c32b0ffd397c2a0e0a

C:\Program Files\FileZilla FTP Client\resources\default\480x480\remotetreeview.png

MD5 3daed236d7df410ff02684080378572d
SHA1 b7427a30e75c4aad0a8b031bbeeb16e57ba7b8b4
C:\Program Files\FileZilla FTP Client\resources\default\480x480\reconnect.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\disconnect.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\cancel.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\processqueue.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\refresh.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\queueview.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\localtreeview.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\logview.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\sitemanager.png

C:\Program Files\FileZilla FTP Client\resources\defaultfilters.xml

C:\Program Files\FileZilla FTP Client\resources\default\480x480\speedlimits.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\leds.png

C:\Program Files\FileZilla FTP Client\locales\en\filezilla.mo

\Program Files\FileZilla FTP Client\zlib1.dll

\Program Files\FileZilla FTP Client\libstdc++-6.dll

\Program Files\FileZilla FTP Client\libgcc_s_seh-1.dll

\Program Files\FileZilla FTP Client\libnettle-8.dll

\Program Files\FileZilla FTP Client\libhogweed-6.dll

\Program Files\FileZilla FTP Client\libgnutls-30.dll

\Program Files\FileZilla FTP Client\libgmp-10.dll

\Program Files\FileZilla FTP Client\libfilezilla-43.dll

\Program Files\FileZilla FTP Client\libfzclient-private-3-67-0.dll

\Program Files\FileZilla FTP Client\libfzclient-commonui-private-3-67-0.dll


Analysis: behavioral10

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3056 wrote to memory of 4888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3056 wrote to memory of 4888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3056 wrote to memory of 4888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4888 -ip 4888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 624

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4996 wrote to memory of 5068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 5068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 5068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5068 -ip 5068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | 234.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzsftp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzsftp.exe

"C:\Users\Admin\AppData\Local\Temp\fzsftp.exe"

Network

Country | Destination | Domain | Proto
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | g.bing.com | udp
NL | 23.62.61.99:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

memory/3084-0-0x00007FF626000000-0x00007FF6260A7000-memory.dmp

memory/3084-1-0x00007FFC0DF10000-0x00007FFC0DF65000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

96s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\queueview.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\lone\32x32\download.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\minimal\16x16\help.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\ca_ES@valencia\filezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\lone\32x32\upload.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\compare.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\localtreeview.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\classic\16x16\remotetreeview.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\cyril\16x16\server.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\minimal\16x16\binary.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\opencrystal\48x48\filter.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\file.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\lone\32x32\bookmark.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\opencrystal\32x32\compare.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\tango\32x32\compare.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\upload.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\pt_BR\filezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\48x48\upload.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\flatzilla\32x32\find.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\lone\16x16\processqueue.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\opencrystal\16x16\ascii.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\tango\32x32\folder.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\tango\48x48\sitemanager.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\id_ID\filezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\nl\libfilezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\download.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\symlink.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\opencrystal\48x48\folderclosed.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\az\libfilezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\default\480x480\symlink.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\bookmark.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\opencrystal\48x48\bookmark.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\sun\48x48\binary.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\ca\filezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\hy\filezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\classic\16x16\reconnect.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\flatzilla\24x24\folder.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\flatzilla\48x48\queueview.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\opencrystal\16x16\folder.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\tango\32x32\folderclosed.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\fa_IR\filezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\opencrystal\16x16\folderback.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\opencrystal\48x48\uploadadd.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\compare.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\folderup.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\bg_BG\libfilezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\id_ID\libfilezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\downloadadd.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\cancel.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\cyril\16x16\binary.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\cyril\16x16\download.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\tango\32x32\find.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\ar\libfilezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\pl_PL\libfilezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\blukis\16x16\help.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\tango\48x48\unknown.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\flatzilla\24x24\reconnect.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\vi_VN\filezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\lone\32x32\synchronize.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\lone\48x48\showhidden.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\tango\16x16\uploadadd.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\tango\32x32\cancel.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\locales\lt_LT\filezilla.mo | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
File created | C:\Program Files\FileZilla FTP Client\resources\flatzilla\24x24\auto.png | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A

Registers COM server for autorun

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ = "C:\\Program Files\\FileZilla FTP Client\\fzshellext_64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileZilla3CopyHook\ = "{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B} | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\ = "FileZilla 3 Shell Extension" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ = "C:\\Program Files\\FileZilla FTP Client\\fzshellext_64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\directory\shellex\CopyHookHandlers\FileZilla3CopyHook | C:\Windows\system32\regsvr32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A
N/A | N/A | C:\Program Files\FileZilla FTP Client\filezilla.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe

"C:\Users\Admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\FileZilla FTP Client\fzshellext_64.dll"

C:\Program Files\FileZilla FTP Client\filezilla.exe

"C:\Program Files\FileZilla FTP Client\filezilla.exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:49204 | | tcp
N/A | 127.0.0.1:49205 | | tcp
N/A | 127.0.0.1:49208 | | tcp
N/A | 127.0.0.1:49210 | | tcp
US | 8.8.8.8:53 | offers.playanext.com | udp
US | 8.8.8.8:53 | api.playanext.com | udp
US | 8.8.8.8:53 | api.playanext.com | udp
N/A | 127.0.0.1:49212 | | tcp
N/A | 127.0.0.1:49214 | | tcp
US | 8.8.8.8:53 | update.filezilla-project.org | udp

Files

C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\UAC.dll

C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nso26F.tmp

C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\StartMenu.dll

C:\Users\Admin\AppData\Local\Temp\nst4335.tmp\nsis_appid.dll

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client\FileZilla.lnk~RFe585a7f.TMP

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client\FileZilla.lnk

C:\Program Files\FileZilla FTP Client\locales\uk_UA\filezilla.mo

C:\Program Files\FileZilla FTP Client\fzshellext.dll

C:\Program Files\FileZilla FTP Client\fzshellext_64.dll

C:\Program Files\FileZilla FTP Client\filezilla.exe

C:\Program Files\FileZilla FTP Client\libfzclient-commonui-private-3-67-0.dll

C:\Program Files\FileZilla FTP Client\wxbase32u_xml_gcc_custom.dll

C:\Program Files\FileZilla FTP Client\libpng16-16.dll

C:\Program Files\FileZilla FTP Client\zlib1.dll

C:\Program Files\FileZilla FTP Client\libnettle-8.dll

C:\Program Files\FileZilla FTP Client\libhogweed-6.dll

C:\Program Files\FileZilla FTP Client\libgnutls-30.dll

C:\Program Files\FileZilla FTP Client\libgmp-10.dll

C:\Program Files\FileZilla FTP Client\libstdc++-6.dll

C:\Program Files\FileZilla FTP Client\libgcc_s_seh-1.dll

C:\Program Files\FileZilla FTP Client\libsqlite3-0.dll

C:\Program Files\FileZilla FTP Client\wxmsw32u_xrc_gcc_custom.dll

C:\Program Files\FileZilla FTP Client\wxmsw32u_core_gcc_custom.dll

C:\Program Files\FileZilla FTP Client\wxmsw32u_aui_gcc_custom.dll

C:\Program Files\FileZilla FTP Client\wxbase32u_gcc_custom.dll

C:\Program Files\FileZilla FTP Client\libfilezilla-43.dll

C:\Program Files\FileZilla FTP Client\libfzclient-private-3-67-0.dll

C:\Program Files\FileZilla FTP Client\locales\en\filezilla.mo

C:\Program Files\FileZilla FTP Client\resources\default\theme.xml

C:\Program Files\FileZilla FTP Client\resources\default\480x480\leds.png

C:\Program Files\FileZilla FTP Client\resources\defaultfilters.xml

C:\Program Files\FileZilla FTP Client\resources\default\480x480\speedlimits.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\sitemanager.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\logview.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\localtreeview.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\remotetreeview.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\queueview.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\refresh.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\processqueue.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\cancel.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\disconnect.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\reconnect.png

C:\Program Files\FileZilla FTP Client\resources\default\480x480\filter.png

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 224

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240508-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\GPL.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000a280670bbc34bc164653cbc685a91309ee5490cf264a41bf380e7596a84cf993000000000e8000000002000020000000446badca45bd2ccf6d4dc80ddfea87785349a49f231dcaaed37a69fa83b76d9720000000647037d1cd3e976d58bb81b52be66fcedde71a8fa7f6c1d7ea7120241a07d60740000000e9bc0fef9586937c665dc2df091e45937e2e5bd4e1968a9fd1237ca5c2dd9708cd7d0739def20af82ad1eb70f2ab0e170eb987cd6a3b2ce1f6fbf4b0e92c9cb6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424365212" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EE598361-28C9-11EF-B21B-FA9381F5F0AB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a027d8c2d6bcda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\GPL.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

58s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1424 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1424 wrote to memory of 1584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1584 -ip 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 612

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240221-en

Max time kernel

140s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\filezilla.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\filezilla.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\filezilla.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\filezilla.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\filezilla.exe

"C:\Users\Admin\AppData\Local\Temp\filezilla.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.filezilla-project.org udp
DE 49.12.121.47:443 update.filezilla-project.org tcp

Files

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240611-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe

"C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe"

Network

N/A

Files

memory/2924-0-0x000000011F0C0000-0x000000011F11F000-memory.dmp

memory/2924-1-0x000007FEF6E90000-0x000007FEF6EE5000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 220

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240220-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 220

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2200 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2200 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2200 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2200 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2200 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2200 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$R0.dll

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240508-en

Max time kernel

140s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzsftp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzsftp.exe

"C:\Users\Admin\AppData\Local\Temp\fzsftp.exe"

Network

N/A

Files

memory/884-0-0x000000011FB20000-0x000000011FBC7000-memory.dmp

memory/884-1-0x000007FEF66A0000-0x000007FEF66F5000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 764 wrote to memory of 544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 764 wrote to memory of 544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 544 -ip 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240611-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2368 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2368 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2368 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2368 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2368 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2368 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4576 wrote to memory of 2800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 2800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 2800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2800 -ip 2800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 612

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2648 wrote to memory of 2832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2648 wrote to memory of 2832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$R0.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240611-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe

"C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe"

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\filezilla.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\filezilla.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\filezilla.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\filezilla.exe

"C:\Users\Admin\AppData\Local\Temp\filezilla.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.filezilla-project.org udp

Files

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe

"C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe"

Network

Files

memory/3928-0-0x00007FF622B90000-0x00007FF622BEF000-memory.dmp

memory/3928-1-0x00007FFCCA6F0000-0x00007FFCCA745000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 4488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 4488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 4488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 624

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240508-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 240

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe

"C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe"

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

131s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\GPL.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4332 wrote to memory of 2244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 3092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4332 wrote to memory of 2228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\GPL.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1b1646f8,0x7ffb1b164708,0x7ffb1b164718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,686521618824084821,4199424542808160882,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4104 /prefetch:2

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          g.bing.com                    udp
US       204.79.197.237:443  g.bing.com                    tcp
US       8.8.8.8:53          72.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53          8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53          205.47.74.20.in-addr.arpa     udp
N/A      224.0.0.251:5353    N/A                           udp
US       8.8.8.8:53          50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa    udp
US       8.8.8.8:53          139.53.16.96.in-addr.arpa     udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53          240.197.17.2.in-addr.arpa     udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4332_MHTCUANIDTUPFZVX

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2697a589-9185-459c-a4c2-ac5030e00533.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240611-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 236

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240508-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 220

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win7-20240419-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 1224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 1224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 1224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1224 -ip 1224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 612

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:43

Platform

win7-20240611-en

Max time kernel

100s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzstorj.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzstorj.exe

"C:\Users\Admin\AppData\Local\Temp\fzstorj.exe"

Network

N/A

Files

memory/1856-7-0x000007FEF5DA0000-0x000007FEF5F87000-memory.dmp

memory/1856-6-0x000007FEF7730000-0x000007FEF7751000-memory.dmp

memory/1856-5-0x000007FEF70E0000-0x000007FEF7135000-memory.dmp

memory/1856-4-0x000007FEF76C0000-0x000007FEF7709000-memory.dmp

memory/1856-3-0x000007FEF5F90000-0x000007FEF61A3000-memory.dmp

memory/1856-2-0x000007FEF6B20000-0x000007FEF6BC4000-memory.dmp

memory/1856-1-0x000007FEF6BD0000-0x000007FEF6CBF000-memory.dmp

memory/1856-0-0x000000011FF70000-0x000000012098D000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-12 14:41

Reported

2024-06-12 14:44

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzstorj.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzstorj.exe

"C:\Users\Admin\AppData\Local\Temp\fzstorj.exe"

Network

Files

memory/1596-0-0x00007FF6A61D0000-0x00007FF6A6BED000-memory.dmp

memory/1596-7-0x00007FF9B3E90000-0x00007FF9B3EE5000-memory.dmp

memory/1596-6-0x00007FF9B3890000-0x00007FF9B3AA3000-memory.dmp

memory/1596-5-0x00007FF9B3AB0000-0x00007FF9B3C97000-memory.dmp

memory/1596-4-0x00007FF9B3FA0000-0x00007FF9B4044000-memory.dmp

memory/1596-3-0x00007FF9B43E0000-0x00007FF9B4429000-memory.dmp

memory/1596-2-0x00007FF9B4130000-0x00007FF9B421F000-memory.dmp

memory/1596-1-0x00007FF9B7E20000-0x00007FF9B7E41000-memory.dmp