Malware Analysis Report

2024-11-30 06:37

Sample ID 240612-w46fgayfjn
Target 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe
SHA256 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analyses: behavioral1, behavioral6, behavioral11, behavioral13, behavioral14, behavioral17, behavioral18, behavioral24, behavioral27, behavioral29, behavioral30, behavioral3, behavioral15, behavioral19, behavioral25, behavioral2, behavioral7, behavioral26, behavioral10, behavioral20, behavioral22, behavioral16, behavioral32, behavioral8, behavioral12, behavioral21, behavioral4, behavioral5, behavioral9, behavioral23, behavioral28, behavioral31 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202

Threat Level: Shows suspicious behavior

The file 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Reads data files stored by FTP clients

Executes dropped EXE

Drops file in Program Files directory

Loads dropped DLL

Registers COM server for autorun

Checks installed software on the system

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 18:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win7-20231129-en

Max time kernel

143s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\FileZilla FTP Client\resources\tango\32x32\file.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\48x48\localtreeview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\32x32\localtreeview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\48x48\processqueue.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\minimal\32x32\file.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\sun\theme.xml C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\16x16\remotetreeview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\48x48\ascii.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\48x48\disconnect.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\minimal\16x16\refresh.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\minimal\16x16\server.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\32x32\downloadadd.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\cyril\16x16\folder.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\minimal\16x16\reconnect.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\48x48\compare.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\cyril\16x16\upload.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\16x16\remotetreeview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\48x48\speedlimits.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\32x32\downloadadd.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\32x32\folder.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\32x32\localtreeview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\sun\48x48\downloadadd.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\sun\48x48\help.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\fzshellext_64.dll C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\48x48\download.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\sk_SK\filezilla.mo C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\libsqlite3-0.dll C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\16x16\folderup.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\16x16\help.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\sk_SK\libfilezilla.mo C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\default\480x480\queueview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\lock.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\classic\16x16\server.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\48x48\disconnect.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\16x16\upload.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\sun\48x48\showhidden.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\folder.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\16x16\cancel.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\24x24\sitemanager.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\16x16\compare.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\32x32\logview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\az\filezilla.mo C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\48x48\logview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\32x32\uploadadd.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\he_IL\filezilla.mo C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\cyril\16x16\ascii.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\ca_ES@valencia\libfilezilla.mo C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\hr\libfilezilla.mo C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\32x32\filter.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\16x16\auto.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\48x48\find.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\48x48\upload.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\tango\32x32\uploadadd.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\flatzilla\16x16\logview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\16x16\logview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\locales\pl_PL\filezilla.mo C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\default\480x480\folder.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\48x48\synchronize.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\opencrystal\16x16\upload.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\reconnect.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\classic\16x16\auto.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\blukis\32x32\bookmark.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\classic\16x16\sitemanager.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
File created C:\Program Files\FileZilla FTP Client\resources\lone\16x16\localtreeview.png C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Registers COM server for autorun

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ = "C:\\Program Files\\FileZilla FTP Client\\fzshellext_64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\directory\shellex\CopyHookHandlers\FileZilla3CopyHook C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileZilla3CopyHook\ = "{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\ = "FileZilla 3 Shell Extension" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32\ = "C:\\Program Files\\FileZilla FTP Client\\fzshellext_64.dll" C:\Windows\system32\regsvr32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A
N/A N/A C:\Program Files\FileZilla FTP Client\filezilla.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Windows\system32\regsvr32.exe
PID 2332 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Windows\system32\regsvr32.exe
PID 2332 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Windows\system32\regsvr32.exe
PID 2332 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Windows\system32\regsvr32.exe
PID 2332 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Windows\system32\regsvr32.exe
PID 2332 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Windows\system32\regsvr32.exe
PID 2332 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Windows\system32\regsvr32.exe
PID 2332 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Program Files\FileZilla FTP Client\filezilla.exe
PID 2332 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Program Files\FileZilla FTP Client\filezilla.exe
PID 2332 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Program Files\FileZilla FTP Client\filezilla.exe
PID 2332 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe C:\Program Files\FileZilla FTP Client\filezilla.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe

"C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\FileZilla FTP Client\fzshellext_64.dll"

C:\Program Files\FileZilla FTP Client\filezilla.exe

"C:\Program Files\FileZilla FTP Client\filezilla.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.filezilla-project.org udp
DE 49.12.121.47:443 update.filezilla-project.org tcp

Files

\Users\Admin\AppData\Local\Temp\nsd743.tmp\System.dll

MD5 4add245d4ba34b04f213409bfe504c07
SHA1 ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA256 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA512 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

\Users\Admin\AppData\Local\Temp\nsd743.tmp\UserInfo.dll

MD5 d458b8251443536e4a334147e0170e95
SHA1 ba8d4d580f1bc0bb2eaa8b9b02ee9e91b8b50fc3
SHA256 4913d4cccf84cd0534069107cff3e8e2f427160cad841547db9019310ac86cc7
SHA512 6ff523a74c3670b8b5cd92f62dcc6ea50b65a5d0d6e67ee1079bdb8a623b27dd10b9036a41aa8ec928200c85323c1a1f3b5c0948b59c0671de183617b65a96b1

\Users\Admin\AppData\Local\Temp\nsd743.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

\Users\Admin\AppData\Local\Temp\nsd743.tmp\nsDialogs.dll

MD5 1d8f01a83ddd259bc339902c1d33c8f1
SHA1 9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
SHA256 4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
SHA512 28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

\Users\Admin\AppData\Local\Temp\nsd743.tmp\StartMenu.dll

MD5 a8c86996c4230c2209f5927f21321377
SHA1 45ce0ab93cb6a3a594e54878cce05df724024393
SHA256 110545415a59402635e1c9439acba15b44bab268ed02ad2a262ce12604a47855
SHA512 69ee73496b916777936b0dddd2cc4a4f916e393f7d0b167cba77a4a239ee1e3f645d9b90dee1627c42a23eb6c3403e4d086546b9f78b3a2e4999c8f92f6a3bc3

\Program Files\FileZilla FTP Client\uninstall.exe

MD5 fc585e374e752867184d0a43476592f3
SHA1 ac2ced4dffa9b72ab730185f54077acb17f46cd5
SHA256 cbfcc3114ac776f613cf6f4330f6517d72637c40eeb3130b2206caf0af4bdb32
SHA512 513dbe226060cf359b736c39548e65f1925cacc06efb21ddf0c923a9f9e7de919b009f2256a54fb27f98c45b3146d168ea04eaff706a490990fa044145b17f4e

\Program Files\FileZilla FTP Client\filezilla.exe

MD5 79cef3c9de232d1f58f0e26292376584
SHA1 2dd2ab98e8fcf5c720bf3618a3a0b84666ca191d
SHA256 26d717e65101b0ccd5d491c406f76a216381410890508d3d154d5aa073698887
SHA512 2378c3ea857cbf0ff8b14c7984a0237613533c7f6451bed1ba8e09aeb71ab4c35b7f37f7298259a67467d40925cad4a4e8baf556444215ab84ec9ea4856246c4

\Users\Admin\AppData\Local\Temp\nsd743.tmp\nsis_appid.dll

MD5 19071761e91c43c115a16b52458869b7
SHA1 75ddb807157f1aa31a08f87be0270f60990bcbbc
SHA256 e9e1ba410636698d666b328eea71346b8287248d262e44da07ce8b5fa24c5e5f
SHA512 bc0eab51cf27f657cd3fd62a47894ee13f3f561feaa565f16ba15088be39be73c9839a3cf35b538219ec83a03d48970b89258c5f20c37bcaf76438998437786c

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client\FileZilla.lnk

MD5 1f1d59d67c7d95b5e71a2937ec77d49c
SHA1 337b438d8c8f596be6173bcf849e52afa61e3c84
SHA256 689966bf8f2e520030e68ce81d982b8a4508edf748e89d635b737de6726af487
SHA512 a936e60c4a70bee84e8fc83dcdaa1fb1d589361bfd4bc3fe7693039f8b2166f51d4e2a8919d8c0bc93a455ab917c4d8ae48bd309385da9770259f02869e5ad94

C:\Program Files\FileZilla FTP Client\locales\uk_UA\filezilla.mo

MD5 dde0ddcd21a6288977a493dd98fde867
SHA1 d56e3a0b42ccdedceebf9058c3ad10c27d057641
SHA256 e472b782d83fb60cf1bfe30e6d8faa8a122e5e7fa4c8188cc4caf55fe82be9f1
SHA512 1f9c1deabc249ffad3628b7e6c62cae6abcfae4aa5db88c37a4688727000543c1265732f73f0ca15d69e80cce44c4d61374a5e5807abbafdd78b96f1f7ae8c90

\Program Files\FileZilla FTP Client\fzshellext.dll

MD5 c0280971a69869d7a1f3b35793c839f3
SHA1 946356173bdd7d575db1d1b3fb04ed81353e098a
SHA256 c085caea2677b0eeaeecb9afe7e0bad83c2a94fc78d5c3f7819bc7314e54ec69
SHA512 cdd1530aec393c9c07574e9a32214af8fb5eef85a5be02db68e24e05c5e1d88449f064e280d2bcd21aa6921c7545f30965a6724ce810960001964a3c558370ba

C:\Program Files\FileZilla FTP Client\fzshellext_64.dll

MD5 d29ae3155432dedc8b5002133e22ab71
SHA1 f25b6f9ee1ea454e3c00a22d5d000234f3afaf95
SHA256 44ca9c321f266b39b170da0218372b0a0716b9516c36255f600321e7778bc673
SHA512 65adb747cf96b20d63b45f15b00d8d1ea60187a9af6604bee47d9679670edc93cc79009426a92493f2e12b13943298e90df9bb085a0febf9c076d90e01e8396e

\Program Files\FileZilla FTP Client\libstdc++-6.dll

MD5 e6b89548cc7dc9f9dad16e285110a45b
SHA1 189a2bd6672bc7321371f76e6d29a06fe1e885c7
SHA256 d1bc20acf8dffd5d682badf966dd884a3f4373abf509995ebc24f8fb7b15a30d
SHA512 0fdee53763751bd47560a6147b915e95bc629c6f79cd821dd13e48df50899d61822a5a7cd089ef0190b3ab25ff90d5adead488687b2c8093b125daa7b7db695f

\Program Files\FileZilla FTP Client\libgcc_s_seh-1.dll

MD5 3fed2de912b37afefa8288cf6d287570
SHA1 3e215b74b3fee54771301dedf7e118af9e67b2ec
SHA256 7b108e6a2ac50fb4599940058be5c6eed8b74691cdfe4c082aa6d47b341ade67
SHA512 edf83e3485235a4f7655b8c8f1e15e3382fdd34e1241a84a8d555d16fe339fb55c12cad5b87b0884ff55c4cc6b1920d57c5a74972296740a7beb48efe1471e19

C:\Program Files\FileZilla FTP Client\wxbase32u_gcc_custom.dll

MD5 5cc9be3f1890c173c9c63410f356c09a
SHA1 2eeb5a4f53c669cd324254fe7aa2876d1626f695
SHA256 a89efa9a7bd855e2063246ed6d60c3d84330ccdaba98904720587a2c24c9dd31
SHA512 19da61eea609e243490ee3e2aa8bef2d665fd9f028897be7f9e7334becf1efbe2d7d89091d43ae6bc0d5ccd521b5b0fd7d20257e2826aa665ae29d7a8423cc0f

\Program Files\FileZilla FTP Client\zlib1.dll

MD5 939ae6c45ee1b81e9a734d594137f6c5
SHA1 941abb6e3e0ba4d65fe4315f5624e30ea3604e75
SHA256 c86bae1e3aed5223a591cf555fb441f89151ca1b4fd285535887bef4e25fe0e8
SHA512 7ce19c2e992be4de671fddd732360fe9ba4425e0842a2481cc614a9f51a424b08581d30c1aeaa1116ec61221f158964c2a7c660f77796b072dd19b782f64d948

C:\Program Files\FileZilla FTP Client\wxmsw32u_aui_gcc_custom.dll

MD5 17f252efa82208ac31378e3a4f333ed9
SHA1 d722f47111f8dd81e0891c433a9cfc583ff76589
SHA256 17305a8db2b3d3c65dda7a22e918f13fec041e95feb56715c46d1fa20569fdb2
SHA512 8ea148d881309bd08bf99d8f39f5b01dcd4d779388b40d168576b5cdaed422b0cc5a23e4f4f65ac8820ca7bc8c22ba49590223579da3be17481812f18dd57f11

C:\Program Files\FileZilla FTP Client\wxmsw32u_core_gcc_custom.dll

MD5 90a9eb91e52116843329b5a75c93c08e
SHA1 874534a834d59a1955a467860fc66c908627f039
SHA256 5a8d63246000f4e53a60612ee34613d7f54e5ac9e8bace7d0c71737ace30f653
SHA512 defd32468af25905e7cbf35ebe14db25dc1cb886793afeb0faeb867716f65f8b9ee321d06001e2c1af19a07b83d5c9b325d4b6ca5f864e1aa3050077b6787d37

C:\Program Files\FileZilla FTP Client\wxmsw32u_xrc_gcc_custom.dll

MD5 923e97f86b22abcb602f6ab16d2b0293
SHA1 b14cd14ce8b2c4cd2fe29395679210ba662cd26e
SHA256 95e36f082ac1bd2ee75c7c3d7371c8332cd5f36b3af0e4146689ee8790e7f244
SHA512 d4ddbaaccb26c2e531437b16162489fa0690ab704d711dc3fb99746835cac12f5289eab1d099582acd2d333f8c1a85f096002f0ea10713311b43c38598fea21e

C:\Program Files\FileZilla FTP Client\libsqlite3-0.dll

MD5 f027b75ee14492d9cd45002ac949615b
SHA1 be10480065d7bf0461940f618393528ec0b51092
SHA256 10562c70d79f84541a10158b22ba2d0be587551235a27ae7c1028f58e6d8f521
SHA512 c0fdb6a09614d3189b727869c20198d3a88be542b2555302d65e18e2b185d7bfa135fb93a93df0786902dee75d67d16c2f7c27ff62038566a3753d170932334c

C:\Program Files\FileZilla FTP Client\resources\default\theme.xml

MD5 75a54b0f2673d762239bc479579af93d
SHA1 13bb8fea1c2e296ad1516df1d565e2ceaf2d9484
SHA256 209f8abd4d06ba609d1d92943ccd2b7ef8918e88ca3f159ab8d1d6fa82ebcda1
SHA512 8f4ad697b0073307a9dd5559c702f30bb52aadf48f875707691a2480a9baed48eec34089ed1be784358ff7ea213b68c62b972cc24278e6c32b0ffd397c2a0e0a

C:\Program Files\FileZilla FTP Client\resources\default\480x480\leds.png

MD5 87363ed4937b5b1633e6c756268a46a6
SHA1 c4bf71f9307a897fc9b44ed740dbf2797750e90a
SHA256 1d6c546397e8ebf71503279d0d8da8a9343908fec4b9b1d97926ec5532efb365
SHA512 3bf66caca161d6ac8ed60236ddb6618b910a485e4dd69797ced2f057792b2757f634606e94c7dfff28ea26c261e23b3cad9ea063eb056e648ab9b2cb83c173f9

C:\Program Files\FileZilla FTP Client\resources\default\480x480\cancel.png

MD5 4c2c126f11ce45b698336b49b24f8afe
SHA1 7cd96f7e9a6fd3ca36336764ecdfe8a317590d1d
SHA256 314d5ec0dbea36c3b37d48438e7bdd50178811b7ba04e46f438873de3a5c1fe0
SHA512 5ab9e12dba7eca3d9bf63c7def45427040dc39938606555f8d3d47a06750cf8e3808099581c99c3a059f6874028a646e18b3f56dc179533fc7c3f6ed0557aead

C:\Program Files\FileZilla FTP Client\resources\default\480x480\reconnect.png

MD5 c19505c35182fbc2d2c81ed60e62926b
SHA1 d415f48879875f94cbe9dd7fdb7a7dade6603eb1
SHA256 981892d7fd00d58c2ed41e33bfe1cc35fda8f66d3ea1a533063cba3058331683
SHA512 8125bc3c108bf846be6aa38fbac89e0683fd784a239858fa23e71e533944521410ef925525cc3fe32bffc28d2de47353555fd727d69e7408eb7ce10d65a664d1

C:\Program Files\FileZilla FTP Client\resources\default\480x480\disconnect.png

MD5 e7a7e89f12dd8d49f9afb73eb52e0466
SHA1 c4b57e0f2b6d286309e4a962c504abd1a602d971
SHA256 bf0f361801f7dd78c748d611daeb2180d50dbd9e3a284758bc4a5e6f773758d5
SHA512 139df2a8fc3e6331ec5e8a0b3daec852a484ff5e59c54a6f72eb0a257432146e56d73ac86c4bc222b5daf16270a0a910fd3e9b9796485394282151ae93c62eb4

C:\Program Files\FileZilla FTP Client\resources\default\480x480\processqueue.png

MD5 dc267d9678aff17e9a8a557f0c9e690f
SHA1 a6aee93ab4c750b297b1b3995924b383b9be7875
SHA256 930281b5e99bcf3c891b48a2830f5bcfd19d2ab03f9a2cffc2594016233ccd14
SHA512 b918863336196eb55584655d44ac328cfbcb08bd8c8e3b8896567a91791f746329b7832cdac81a996eebfc81c35208d408cb126d518c766d15aaaac1384af503

C:\Program Files\FileZilla FTP Client\resources\default\480x480\refresh.png

MD5 f95d73543381834fd6aad987df30f157
SHA1 29b81a5613c3a7b73260f2579b23b1cdaffe4fc9
SHA256 e72e2057afe1c9c449c2f43a83129dc24d4349e34f40ce957b56f7f87aba927a
SHA512 095924c202a73ff4d91668ad9ff6efec9d5f12d410487669ac2518d7caeb12651284d051ba8afd692bf0e0cb059c70bbc590d265b38fa1243242385e50262b0d

C:\Program Files\FileZilla FTP Client\resources\default\480x480\queueview.png

MD5 247cc463ec1c836c2388317b8c5fd91b
SHA1 28e00529f0a265ce1ee9cf0d346bde59a8ac695c
SHA256 444b408a816c39e965a7c960c44c8976ed99b1ef3263088b41b6a170f3747d9c
SHA512 8bb9472a75b0f9671cee6de747f346a7f56d497c9cb42ccd60f61724bb8ffc8ba733e395a79e0af2984291a9e2f92fbd3bd23a49e6db4130220dd90efaf2cfca

C:\Program Files\FileZilla FTP Client\resources\default\480x480\remotetreeview.png

MD5 3daed236d7df410ff02684080378572d
SHA1 b7427a30e75c4aad0a8b031bbeeb16e57ba7b8b4
SHA256 75a915c0caf149c46df534577f1fb089fac8cf0efda8fbe6115b5118942391e5
SHA512 2a4c7659795b6c497ae657cf287dc8580769e3d7a91c130f0e559f45c1e55e60324e80c4c2b0c2722e7bd0158d8779151b0a80177eeea5babfe277fe9870b55d

C:\Program Files\FileZilla FTP Client\resources\default\480x480\localtreeview.png

MD5 e21443d7cad7e6927fd6d798a4232bb4
SHA1 0c4b2f6e709822c59f884f960471009408782d09
SHA256 a67af84c06743847ffc0edbc79ffc4a3ce93c89ff57c03c0f18c3782b5347988
SHA512 052428edcc9d026eda6ccb32ea2e7104b68d9d346f016b82aeade8b7fb191d704e21cec084721dd35aaeb51bedb06babd4097f7f7623e58834805de2bc3cc47a

C:\Program Files\FileZilla FTP Client\resources\default\480x480\logview.png

MD5 a5c2e72f7c61158a6e17aea666de99fd
SHA1 83f0e6816c8735ac340335209d6c02916f4c019c
SHA256 9bf88f5a0f4deb7035cfd2930225596b4e0767010d34f01c3ee093c17164033f
SHA512 712a0e1a5d098be686f2a897a12f8a41d8b2254d30f2539094a6fc8e334238aaeba16562e2bc8dab81cbb31fc8858b936e134d5ef6479170fd2ecf10af75f61c

C:\Program Files\FileZilla FTP Client\resources\default\480x480\sitemanager.png

MD5 810967a850e0f96f44874651f649a952
SHA1 dd51af31b2883dd27f3ba2ea4b8e572e1340261b
SHA256 66d6c15dd8e819e7b62d277aa237ff77c8c595f65582a368cbbc15427f82bfd2
SHA512 48595fb92e30ad7ffee8237a37cb6c2f6a1603de8eae73da8529d828888759da3f74b0cc56d8e6a787f25749e5af74ea07de698e6178a6175b25b530d9f5d0f3

C:\Program Files\FileZilla FTP Client\resources\defaultfilters.xml

MD5 9994a10e6ee72a5afd26cbb582e946e8
SHA1 c4b507e64a476a260974c17f2e13e6c41ef19cb9
SHA256 27b4c87e3f1a75ce58cce51086d8445e3c33590111a258be8344b842f74c05d0
SHA512 776ef79c8e72695d3a142438f441a85bb5043d584f6dd5216d4d8e7357dfe19871f775059212d3c7dd2d8679463056222224a27ee7d544beadb1a2a921a27ec5

C:\Program Files\FileZilla FTP Client\resources\default\480x480\speedlimits.png

MD5 b5aa21c3f5d77d5d55982fed0f46e12e
SHA1 d0540523e377726b1a936980a2ee968d8fd63de2
SHA256 d42aad945404d1a5f66a168f6af3a89d34be856fca13911ee0a5d3da8ab7b084
SHA512 39641960860c6628b0cbe68fb66c1a2294f66f19d019d37b3385bd95190d1a636e39848fd0b1394a671cb04f5ced1a1d4f16f76a0dd0e40cc8948d521e7170c7

C:\Program Files\FileZilla FTP Client\locales\en\filezilla.mo

MD5 807d27e041dd3ed1cd2c872c283a6e52
SHA1 c94a40db0cbe1efa783a463526c423dea89f500f
SHA256 dd0b523740c89630994264359e1eccef53c6848928efc7c034f993c1b3e4b22f
SHA512 21657b5b353a53bbda7370d863cdc0003e21761add65737d3c6de49294b44e28c9c35b61be3c9a06e5e78b5a65f6c11546865d778509863f266092c7b72ea2ca

\Program Files\FileZilla FTP Client\wxbase32u_xml_gcc_custom.dll

MD5 8bd725973fb63685557cb0a90addf0a9
SHA1 124b6eba99e87a77ce7ebd349e05ac7423166f3c
SHA256 85f7a0df6b7ebaa46f6a255de0db92f939441fd509c5dbd605d01b6c1bc98115
SHA512 37799a8e7366b55cbe8689a4b560421b4adbb731de893705c71367c54f4848de1351fa4d93b531cb134cc155ffb4a16117dc619687a96f6d6df3f50d2e0bec3d

\Program Files\FileZilla FTP Client\libpng16-16.dll

MD5 0ff719ab13a1cf91cde12b50b6cc0d49
SHA1 47f9e148f4b754d68d0ab7050da1e74cd1ae54f9
SHA256 66141f686a865780e8e6e240ccba68b4442b5fb50faa0a9297f1e42dda20f752
SHA512 d43f4f7cabf47462869bdc637f8dc5df1b8257ceb29d81192898e36b231beb04fba5bd2704ee36a9b830c13dbe547373bde67dbffb903846f5396cde798378d0

\Program Files\FileZilla FTP Client\libnettle-8.dll

MD5 a93be40ca4bef4f6295ce732a0547739
SHA1 e020157060b2040c67b5c074307f1ec003eabdc8
SHA256 173ddb2a966a153d9e21cba1b222d3ba3e461ea4793bbd6f8bbbc9447a59cc81
SHA512 73efee1e08a0848d7e4cc3585aaca065aff7af8741a2280481af332ad48bf6ce2800e8925ed266872e7851b3fd3b855d7bb4f5165708236d79be7321bd935970

\Program Files\FileZilla FTP Client\libhogweed-6.dll

MD5 81ff0445ef95824de5e2667bee1bc664
SHA1 208b25b576b4db478a50dd701b392d46380cf94f
SHA256 3dcef7e1f8a7d6b89d32f5d7ee79d085c1a51a2b9adbe9862cc2bc88a72a3b36
SHA512 ec572e73aa61d43b15d8c4a8d0582d2aa8e52f663adf3e5f515532ddf66badcab63fb2dc79e73a47b37a81fbef83280b7c97d8144d68e64b55d703dcf607d63c

\Program Files\FileZilla FTP Client\libgnutls-30.dll

MD5 a88c50c2ec280701c1b391fb0e251b57
SHA1 09b4546ef9e50fd67789efc2b35bd11b4aeb097f
SHA256 3b3ac6b039cbf6013dae1dac0d4d8394535994bd4b97cc2ee3de546f0891df92
SHA512 af5fa49f913145a54f84f7196938ee59a75330bce3bfa6e6a1f344fe2c14a9fd21dd995bc24c1879a4d0031004f29d260a1258444ea1478ff869cdafc63d609d

\Program Files\FileZilla FTP Client\libgmp-10.dll

MD5 8c379d5323f086363f0d0f85410e029c
SHA1 63a390ec2046a8dfe6fc10366690f08df95c2d97
SHA256 dcfe75f06ff67b0e94035831f8a7f5e23757535235ffea2350b64783841a8f27
SHA512 a922242f45acb0640ededde1d4991a564c75ab742310a48b77f8366d3c299674c61108d1befbe1d90b97dd7cb6a52673b5d5bf29eaba39594fc13ab4076bbcfc

\Program Files\FileZilla FTP Client\libfilezilla-43.dll

MD5 85bd74a17c53eec4cd39fc4fadadc3c6
SHA1 1f5e48cada5a99b1a0d4364e4091489d4504c606
SHA256 bdc1ea011a343b36b19411cbab592936432ecec8f0d91ec6f74e10f4f10ddb09
SHA512 27b4668cad4a30a25f22ac57d35e91609ccf1558a499292ea7637a4829228a9f2a01f918e082a50680a5d4d158e25deb3eca7b1dbc20d1ca6dfeddd418bc14b5

\Program Files\FileZilla FTP Client\libfzclient-private-3-67-0.dll

MD5 492f5c5d895b5c6df72cce4a3cffd081
SHA1 e3bcdf4c1c4d383f0aab7a6f362e91edbd1eb072
SHA256 b563c8e74a44ee3303f45f5fe4c992d82dc259653636f49ca681bf34fb7e794f
SHA512 d23d831b9745d15b9db9d22bbdd010c4e4b6ef655e2d4b681f367e62f285a83f57d3ebd58d165ab8d53ff42bd38ea95d07b8ff95572e747f8e3ddaacbff1f297

\Program Files\FileZilla FTP Client\libfzclient-commonui-private-3-67-0.dll

MD5 bcb38d316fbaea52928113c15d34e4f9
SHA1 aa9acb9b154e9e9bc9142fd72f395b2c5ec6c645
SHA256 204f83f6bbdb707ddad08949403512035f30c10dea6f034b2d41c065f0255f3e
SHA512 d962d466ab4af8d9434d4ed1888331effaf6a1a0dc5d091c01a054c50283c7a739bfb615b762e1e806a9a70f8451d08e5ffdaba3393fabf6f2a6c878fa4e19f0

memory/1208-990-0x000000011F870000-0x000000011FC7E000-memory.dmp

memory/1208-999-0x000007FEF5210000-0x000007FEF53F7000-memory.dmp

memory/1208-1006-0x000007FEF4940000-0x000007FEF4980000-memory.dmp

memory/1208-1003-0x000007FEF4AA0000-0x000007FEF4FA1000-memory.dmp

memory/1208-1007-0x0000000066380000-0x00000000664BB000-memory.dmp

memory/1208-1005-0x000007FEF4980000-0x000007FEF4A3A000-memory.dmp

memory/1208-1004-0x00000000749E0000-0x0000000074A1F000-memory.dmp

memory/1208-1002-0x000007FEF4FB0000-0x000007FEF5032000-memory.dmp

memory/1208-1001-0x0000000074AB0000-0x0000000074AD9000-memory.dmp

memory/1208-1000-0x000007FEF5040000-0x000007FEF5204000-memory.dmp

memory/1208-998-0x000007FEF5400000-0x000007FEF5421000-memory.dmp

memory/1208-997-0x000007FEF5430000-0x000007FEF5485000-memory.dmp

memory/1208-996-0x000007FEF6BC0000-0x000007FEF6C09000-memory.dmp

memory/1208-995-0x000007FEF5490000-0x000007FEF56A3000-memory.dmp

memory/1208-994-0x000007FEF56B0000-0x000007FEF5754000-memory.dmp

memory/1208-993-0x000007FEF5760000-0x000007FEF584F000-memory.dmp

memory/1208-992-0x000007FEF5850000-0x000007FEF59AD000-memory.dmp

memory/1208-991-0x000007FEF59B0000-0x000007FEF5A4E000-memory.dmp

memory/1208-1019-0x000007FEF5040000-0x000007FEF5204000-memory.dmp

memory/1208-1022-0x000007FEF4AA0000-0x000007FEF4FA1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win10v2004-20240508-en
Max time kernel 50s
Max time network 52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 4240 wrote to memory of 4664  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 4240 wrote to memory of 4664  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 4240 wrote to memory of 4664  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 612

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win7-20240611-en
Max time kernel 118s
Max time network 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 220

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win7-20240221-en
Max time kernel 121s
Max time network 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 240

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win10v2004-20240611-en
Max time kernel 119s
Max time network 95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 4164 wrote to memory of 5064  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 4164 wrote to memory of 5064  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 4164 wrote to memory of 5064  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 195.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win7-20240508-en
Max time kernel 119s
Max time network 124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

Signatures

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 1236 wrote to memory of 2056  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 2056  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 2056  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 2056  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 2056  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 2056  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 1236 wrote to memory of 2056  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$R0.dll

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win10v2004-20240508-en
Max time kernel 146s
Max time network 153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

Signatures

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 4232 wrote to memory of 3952  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 4232 wrote to memory of 3952  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
PID 4232 wrote to memory of 3952  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$R0.dll

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win10v2004-20240611-en
Max time kernel 129s
Max time network 139s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\GPL.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\GPL.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4716,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=2028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4876,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5308,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5364,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5400,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6008,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5740,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5860,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 2.20.12.101:443 bzib.nelreports.net tcp
GB 2.21.189.233:443 www.microsoft.com tcp
BE 88.221.83.235:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 101.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 233.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 235.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
N/A 224.0.0.251:5353 udp
BE 88.221.83.241:443 www.bing.com udp
US 8.8.8.8:53 241.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 88.221.83.201:443 www.bing.com udp
US 8.8.8.8:53 201.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win7-20231129-en
Max time kernel 140s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe

"C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe"

Network

N/A

Files

memory/2148-1-0x000007FEF7BB0000-0x000007FEF7C05000-memory.dmp

memory/2148-0-0x000000011F800000-0x000000011F85F000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win7-20240220-en
Max time kernel 140s
Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzsftp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzsftp.exe

"C:\Users\Admin\AppData\Local\Temp\fzsftp.exe"

Network

N/A

Files

memory/2948-0-0x000000011F1A0000-0x000000011F247000-memory.dmp

memory/2948-1-0x000007FEF7670000-0x000007FEF76C5000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win10v2004-20240508-en
Max time kernel 146s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzsftp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzsftp.exe

"C:\Users\Admin\AppData\Local\Temp\fzsftp.exe"

Network

Files

memory/3776-0-0x00007FF75BBC0000-0x00007FF75BC67000-memory.dmp

memory/3776-1-0x00007FFE40290000-0x00007FFE402E5000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win7-20240508-en
Max time kernel 117s
Max time network 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 236

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win7-20240221-en
Max time kernel 120s
Max time network 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 224

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win7-20240508-en
Max time kernel 121s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe

"C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win7-20240221-en
Max time kernel 140s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\filezilla.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description  Indicator  Process                                          Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\filezilla.exe  N/A

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                          Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\filezilla.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\filezilla.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\filezilla.exe

"C:\Users\Admin\AppData\Local\Temp\filezilla.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.filezilla-project.org udp
DE 49.12.121.47:443 update.filezilla-project.org tcp

Files

memory/1796-38-0x000007FEF6C50000-0x000007FEF6CEE000-memory.dmp

memory/1796-42-0x000007FEF58C0000-0x000007FEF5AD3000-memory.dmp

memory/1796-37-0x000000011FFF0000-0x00000001203FE000-memory.dmp

memory/1796-53-0x000007FEF4E00000-0x000007FEF4E40000-memory.dmp

memory/1796-54-0x0000000066380000-0x00000000664BB000-memory.dmp

memory/1796-52-0x000007FEF4E40000-0x000007FEF4EFA000-memory.dmp

memory/1796-51-0x0000000074780000-0x00000000747BF000-memory.dmp

memory/1796-50-0x000007FEF4F60000-0x000007FEF5461000-memory.dmp

memory/1796-49-0x000007FEF5470000-0x000007FEF54F2000-memory.dmp

memory/1796-48-0x00000000747C0000-0x00000000747E9000-memory.dmp

memory/1796-47-0x000007FEF5500000-0x000007FEF56C4000-memory.dmp

memory/1796-46-0x000007FEF56D0000-0x000007FEF58B7000-memory.dmp

memory/1796-45-0x000007FEFA230000-0x000007FEFA251000-memory.dmp

memory/1796-44-0x000007FEF5FB0000-0x000007FEF6005000-memory.dmp

memory/1796-43-0x000007FEF7A20000-0x000007FEF7A69000-memory.dmp

memory/1796-41-0x000007FEF6010000-0x000007FEF60B4000-memory.dmp

memory/1796-40-0x000007FEF6B60000-0x000007FEF6C4F000-memory.dmp

memory/1796-39-0x000007FEF5AE0000-0x000007FEF5C3D000-memory.dmp

memory/1796-66-0x000007FEF5500000-0x000007FEF56C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win10v2004-20240611-en
Max time kernel 125s
Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe

"C:\Users\Admin\AppData\Local\Temp\9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.194:443 www.bing.com tcp
US 8.8.8.8:53 194.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nshD6BB.tmp\System.dll

MD5 4add245d4ba34b04f213409bfe504c07
SHA1 ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA256 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA512 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

C:\Users\Admin\AppData\Local\Temp\nshD6BB.tmp\UserInfo.dll

MD5 d458b8251443536e4a334147e0170e95
SHA1 ba8d4d580f1bc0bb2eaa8b9b02ee9e91b8b50fc3
SHA256 4913d4cccf84cd0534069107cff3e8e2f427160cad841547db9019310ac86cc7
SHA512 6ff523a74c3670b8b5cd92f62dcc6ea50b65a5d0d6e67ee1079bdb8a623b27dd10b9036a41aa8ec928200c85323c1a1f3b5c0948b59c0671de183617b65a96b1

C:\Users\Admin\AppData\Local\Temp\nshD6BB.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Analysis: behavioral7

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win7-20240508-en
Max time kernel 121s
Max time network 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 220

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted 2024-06-12 18:29
Reported 2024-06-12 18:32
Platform win10v2004-20240508-en
Max time kernel 140s
Max time network 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\filezilla.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                          Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\filezilla.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\filezilla.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\filezilla.exe

"C:\Users\Admin\AppData\Local\Temp\filezilla.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 update.filezilla-project.org udp

Files

memory/2904-44-0x00007FFA42640000-0x00007FFA42661000-memory.dmp

memory/2904-47-0x00007FFA2B170000-0x00007FFA2B214000-memory.dmp

memory/2904-52-0x00007FFA3AC00000-0x00007FFA3AC40000-memory.dmp

memory/2904-54-0x000000005A990000-0x000000005A9CF000-memory.dmp

memory/2904-53-0x00007FFA2AA40000-0x00007FFA2AC53000-memory.dmp

memory/2904-51-0x000000005A9D0000-0x000000005A9F9000-memory.dmp

memory/2904-50-0x00007FFA3AF90000-0x00007FFA3AFE5000-memory.dmp

memory/2904-49-0x00007FFA3B070000-0x00007FFA3B0B9000-memory.dmp

memory/2904-48-0x00007FFA2AC60000-0x00007FFA2B161000-memory.dmp

memory/2904-45-0x0000000066380000-0x00000000664BB000-memory.dmp

memory/2904-43-0x00007FFA2B410000-0x00007FFA2B4CA000-memory.dmp

memory/2904-42-0x00007FFA3AC40000-0x00007FFA3ACC2000-memory.dmp

memory/2904-41-0x00007FFA2B4D0000-0x00007FFA2B694000-memory.dmp

memory/2904-40-0x00007FFA2B6A0000-0x00007FFA2B7FD000-memory.dmp

memory/2904-46-0x00007FFA2B220000-0x00007FFA2B407000-memory.dmp

memory/2904-39-0x00007FFA2B800000-0x00007FFA2B8EF000-memory.dmp

memory/2904-38-0x00007FFA3ACD0000-0x00007FFA3AD6E000-memory.dmp

memory/2904-37-0x00007FF6BCC50000-0x00007FF6BD05E000-memory.dmp

memory/2904-72-0x00007FFA2AA40000-0x00007FFA2AC53000-memory.dmp

memory/2904-60-0x00007FFA2B4D0000-0x00007FFA2B694000-memory.dmp

memory/2904-59-0x00007FFA2B6A0000-0x00007FFA2B7FD000-memory.dmp

memory/2904-58-0x00007FFA2B800000-0x00007FFA2B8EF000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 712 -ip 712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.180.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

N/A
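
The "Suspicious use of WriteProcessMemory" and "Program crash" rows in behavioral10 (and the WerFault entries in behavioral7, behavioral8, behavioral12, behavioral16 and behavioral4) describe one chain: the 64-bit rundll32.exe in system32 is handed a 32-bit NSIS plugin DLL from $PLUGINSDIR, re-launches itself as the SysWOW64 rundll32.exe (the parent-writes-to-child rows), and WerFault then reports on that child's PID. A crash is consistent with how the harness invokes the plugin: NSIS plugin exports expect the installer's parameter block (parent HWND, string size, variables, stack pointer), which "rundll32 <dll>,#1" does not supply, so the plugin dereferences the rundll32 arguments instead. What follows is an added example, not part of the sandbox output: a Python parser that ties the three kinds of rows together from the report text, with the behavioral10 and behavioral7 lines embedded as constructed input. The regexes and the keys of the returned dictionary are this example's own.

```python
import re

# Lines copied from the behavioral10 Signatures and Processes listings above
# (constructed input for this example; the report prints the same
# WriteProcessMemory row three times, which the parser tolerates).
BEHAVIORAL10 = r"""
PID 1720 wrote to memory of 712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 712 -ip 712
C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 624
"""

# behavioral7 (Windows 7 image): no WriteProcessMemory rows and no
# "Program crash" signature, but the same WerFault invocation.
BEHAVIORAL7 = r"""
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 220
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) ")
WERFAULT_RE = re.compile(r"WerFault\.exe .*-p (\d+)")
HOST_RE = re.compile(r"^C:\\Windows\\(system32|SysWOW64)\\rundll32\.exe$", re.IGNORECASE)
RUNDLL_RE = re.compile(r"^rundll32\.exe (\S+),#(\d+)$")


def crash_chain(report_text):
    """Tie the rundll32 host pair, the DLL export it invoked and the WerFault PID together."""
    writes, crashed, hosts, dll = set(), set(), [], None
    for line in report_text.strip().splitlines():
        line = line.strip()
        if m := WPM_RE.match(line):
            writes.add((int(m.group(1)), int(m.group(2))))
        elif m := WERFAULT_RE.search(line):
            crashed.add(int(m.group(1)))
        elif m := HOST_RE.match(line):
            hosts.append(m.group(1).lower())
        elif m := RUNDLL_RE.match(line):
            dll = (m.group(1), int(m.group(2)))
    children = {child for _, child in writes}
    return {
        "hosts": hosts,                      # ['system32', 'syswow64'] = WoW64 re-launch
        "dll": dll,                          # (plugin path, export ordinal)
        "parent_child": sorted(writes),
        "crashed_pid": sorted(crashed),
        "wow64_relaunch": hosts == ["system32", "syswow64"],
        # True when every PID WerFault reported on is the 32-bit child;
        # None when the image (Win7 here) logged no WriteProcessMemory rows.
        "crash_in_child": all(p in children for p in crashed) if writes else None,
    }
```

Run it over any of the rundll32 sections on this page. A result with wow64_relaunch True and crash_in_child True is the harness pattern described above; a WerFault PID that belongs to neither rundll32 host would instead point at a process the plugin itself started, which none of these detonations show.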

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe

"C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v3.$_106_.exe"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 864 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 864 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 864 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win10v2004-20240611-en

Max time kernel

95s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3580 wrote to memory of 1520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3580 wrote to memory of 1520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3580 wrote to memory of 1520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis_appid.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1520 -ip 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
BE 88.221.83.216:443 www.bing.com tcp
US 8.8.8.8:53 216.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 195.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

N/A
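
Most rows in the Network tables of this report are sandbox noise rather than sample activity: PTR lookups of addresses the image touched (the in-addr.arpa rows) and background traffic from the Windows 10 image and Edge (bing.com, pki.goog, chromewebstore.googleapis.com; note msedge.exe in the behavioral10 process list). Once that is filtered, two rows remain for an analyst: the DNS query for update.filezilla-project.org in behavioral26, which the client named filezilla.exe issued with no connection following in the 52 s network window (the "Reads data files stored by FTP clients" signature in that section is likewise consistent with FileZilla reading its own configuration), and the bare TCP connection to 52.142.223.178:80 in behavioral20, which has no Domain column at all. The block below is an added example, not the sandbox's own tooling, that performs this filtering over rows copied from the tables of behavioral26, behavioral10, behavioral20 and behavioral16; the allowlist of background hosts is an assumption for the example and must be tuned to the sandbox image in use.

```python
import ipaddress

# Rows copied from the Network tables above, as (analysis, country,
# destination, domain, proto). Constructed input for the example; the
# behavioral20 row has no Domain value in the report.
NETWORK_ROWS = [
    ("behavioral26", "US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("behavioral26", "US", "8.8.8.8:53", "update.filezilla-project.org", "udp"),
    ("behavioral10", "US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("behavioral10", "US", "8.8.8.8:53", "chromewebstore.googleapis.com", "udp"),
    ("behavioral10", "GB", "142.250.180.10:443", "chromewebstore.googleapis.com", "tcp"),
    ("behavioral10", "US", "216.239.32.29:80", "pki.goog", "tcp"),
    ("behavioral20", "NL", "52.142.223.178:80", "", "tcp"),
    ("behavioral16", "US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("behavioral16", "US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("behavioral16", "BE", "88.221.83.216:443", "www.bing.com", "tcp"),
]

# Analyst-maintained allowlist of hosts this sandbox image (Windows 10 with
# Edge) contacts on its own. An assumption of the example, not something the
# report states; tune it to your environment.
SANDBOX_BACKGROUND = {"bing.com", "pki.goog", "googleapis.com"}
RESOLVER = "8.8.8.8:53"


def _background(domain):
    return any(domain == d or domain.endswith("." + d) for d in SANDBOX_BACKGROUND)


def classify(row):
    """Label one Network row; 'dns-query' is refined by triage() below."""
    _analysis, _country, dest, domain, _proto = row
    if domain.endswith(".in-addr.arpa"):
        return "reverse-dns"            # PTR lookup, no payload contact
    if domain and _background(domain):
        return "sandbox-background"     # the image or its browser talking to itself
    if dest == RESOLVER and domain:
        return "dns-query"
    if not domain:
        ip = ipaddress.ip_address(dest.rsplit(":", 1)[0])
        return "review-direct-ip" if ip.is_global else "local"
    return "review"


def triage(rows):
    """Bucket rows; a DNS query stays interesting only if no connection to that name followed."""
    connected = {(r[0], r[3]) for r in rows if r[4] == "tcp" and r[3]}
    buckets = {}
    for row in rows:
        label = classify(row)
        if label == "dns-query":
            label = "dns-then-connect" if (row[0], row[3]) in connected else "review-dns-only"
        buckets.setdefault(label, []).append(row)
    return buckets
```

The pairing of DNS rows with later TCP rows is per analysis, because each detonation runs in a fresh image; a name resolved in behavioral26 cannot explain a connection seen in behavioral20.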

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win10v2004-20240611-en

Max time kernel

142s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzstorj.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzstorj.exe

"C:\Users\Admin\AppData\Local\Temp\fzstorj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
BE 88.221.83.216:443 www.bing.com tcp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 216.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 195.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/3336-3-0x00007FFB33090000-0x00007FFB33277000-memory.dmp

memory/3336-6-0x00007FFB32FE0000-0x00007FFB33084000-memory.dmp

memory/3336-5-0x00007FFB425A0000-0x00007FFB425E9000-memory.dmp

memory/3336-4-0x00007FFB42760000-0x00007FFB427B5000-memory.dmp

memory/3336-0-0x00007FF77E910000-0x00007FF77F32D000-memory.dmp

memory/3336-2-0x00007FFB4C060000-0x00007FFB4C081000-memory.dmp

memory/3336-1-0x00007FFB33280000-0x00007FFB3336F000-memory.dmp

memory/3336-7-0x00007FFB32DC0000-0x00007FFB32FD3000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 32 wrote to memory of 932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 32 wrote to memory of 932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 32 wrote to memory of 932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 932 -ip 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

56s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 2520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1776 wrote to memory of 2520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1776 wrote to memory of 2520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2520 -ip 2520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 612

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win7-20240611-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_36_.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

55s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3316 wrote to memory of 3360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3316 wrote to memory of 3360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3316 wrote to memory of 3360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3360 -ip 3360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 624

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 220

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win7-20240611-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 224

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\GPL.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a00dcf9df6bcda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C9509841-28E9-11EF-B8F6-D6B84878A518} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424378894" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000005530e185c97c962396e72090425a954ed0146ad6f146d72731585bb3c250a0d9000000000e80000000020000200000008d8fb93258c26032707e6717d1c8b6e8655a6872abd21efbf42ceb3c46a59699200000000cc3c4328a562da92259690c19caf2e0ae0711d4a57a178dad6244957f27c93f40000000444f138a86671be2725c9be6fe5b6e7a45f70502ea9207cb45269dfb9d4daea85e2ca3c0bbe3f6a02dd9cc31ec74cd960d94a3f094f297491ab45f809c82875a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\GPL.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2

Network

N/A

Files

N/A
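
Every registry row in this section is written by iexplore.exe itself, under the user's Software\Microsoft\Internet Explorer hive, while it renders the local GPL.html handed to it on the command line: browser housekeeping, not a change the sample made. Two of the binary values can be decoded to confirm that reading. Window_Placement is a Win32 WINDOWPLACEMENT structure (length 0x2c = 44 bytes, showCmd 3 = SW_SHOWMAXIMIZED, normal window rectangle 36,36 to 1194,649), and TabbedBrowsing\NewTabPage\LastProcessed is a little-endian FILETIME that falls inside this detonation's window (2024-06-12 18:30:35 UTC, between the 18:29 submission and the 18:32 report). The following is an added example, not code from the report or from the sandbox vendor, that decodes both values with Python's struct module.

```python
import struct
from datetime import datetime, timedelta, timezone

# Two values copied from the "Modifies Internet Explorer settings" rows above
# (constructed input for the example).
WINDOW_PLACEMENT_HEX = (
    "2c0000000200000003000000ffffffffffffffffffffffffffffffff"
    "2400000024000000aa04000089020000"
)
LAST_PROCESSED_HEX = "a00dcf9df6bcda01"

SW_NAMES = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED"}


def decode_window_placement(hexblob):
    """Parse a Win32 WINDOWPLACEMENT: 3 UINTs, 2 POINTs and 1 RECT, little-endian, 44 bytes."""
    raw = bytes.fromhex(hexblob)
    length, flags, show_cmd, *coords = struct.unpack("<3I8i", raw)
    if length != len(raw):
        raise ValueError(f"length field {length} does not match blob size {len(raw)}")
    return {
        "flags": flags,                       # 2 = WPF_RESTORETOMAXIMIZED
        "show_cmd": SW_NAMES.get(show_cmd, show_cmd),
        "min_pos": tuple(coords[0:2]),        # (-1, -1) = not set
        "max_pos": tuple(coords[2:4]),
        "normal_rect": tuple(coords[4:8]),    # left, top, right, bottom
    }


def decode_filetime(hexblob):
    """Convert a little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    (ticks,) = struct.unpack("<Q", bytes.fromhex(hexblob))
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
```

The same FILETIME decoder applies to any 8-byte registry value a sandbox prints as hex; a timestamp that lands inside the detonation window is the sandbox run itself, while one well before it would be worth a second look.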

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe

"C:\Users\Admin\AppData\Local\Temp\fzputtygen.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4068-0-0x00007FF6675F0000-0x00007FF66764F000-memory.dmp

memory/4068-1-0x00007FFDBA0C0000-0x00007FFDBA115000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-12 18:29

Reported

2024-06-12 18:32

Platform

win7-20240508-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fzstorj.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fzstorj.exe

"C:\Users\Admin\AppData\Local\Temp\fzstorj.exe"

Network

N/A

Files

memory/2116-1-0x000007FEF6F70000-0x000007FEF705F000-memory.dmp

memory/2116-6-0x000007FEF7AF0000-0x000007FEF7B11000-memory.dmp

memory/2116-7-0x000007FEF5A80000-0x000007FEF5C67000-memory.dmp

memory/2116-5-0x000007FEF62A0000-0x000007FEF62F5000-memory.dmp

memory/2116-4-0x000007FEF7A80000-0x000007FEF7AC9000-memory.dmp

memory/2116-3-0x000007FEF5C70000-0x000007FEF5E83000-memory.dmp

memory/2116-2-0x000007FEF6EC0000-0x000007FEF6F64000-memory.dmp

memory/2116-0-0x000000011F8D0000-0x00000001202ED000-memory.dmp