Edit tour
Windows
Analysis Report
tftpd64.exe
Overview
General Information
| Sample name: | tftpd64.exe |
| Analysis ID: | 1579526 |
| MD5: | 3c1e3215acc69f06f044802ed4695333 |
| SHA1: | ea34a6bad04bc5a1fcb494668347cd302557f327 |
| SHA256: | 34de53b43c32e3ed5231a57683103acad1aebeef08309cf8e770c27acc90e4e7 |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Classification
- System is w11x64_office
tftpd64.exe (PID: 1292 cmdline: "C:\Users\ user\Deskt op\tftpd64 .exe" MD5: 3C1E3215ACC69F06F044802ED4695333)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 8% | ReversingLabs | |||
| 7% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| sni1gl.wpc.sigmacdn.net | 152.199.21.175 | true | false | high | |
| res.public.onecdn.static.microsoft | unknown | unknown | false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|
| IP |
|---|
| 127.0.0.1 |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1579526 |
| Start date and time: | 2024-12-22 21:03:59 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 34s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
| Analysis system description: | Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09 |
| Run name: | Potential for more IOCs and behavior |
| Number of analysed new started processes analysed: | 11 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | tftpd64.exe |
| Detection: | MAL |
| Classification: | mal48.winEXE@1/0@1/1 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe
- Excluded IPs from analysis (whitelisted): 104.18.38.233, 172.64.149.23, 104.126.113.243, 4.175.87.197, 20.223.35.26
- Excluded domains from analysis (whitelisted): res-ocdi-public.trafficmanager.net, cdn-office.azureedge.net, crt.comodoca.com.cdn.cloudflare.net, slscr.update.microsoft.com, store-images.s-microsoft.com, fd.api.iris.microsoft.com, cdn-office.ec.azureedge.net, crt.comodoca.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtSetInformationFile calls found.
⊘No simulations
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| sni1gl.wpc.sigmacdn.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Metasploit | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | ScreenConnect Tool | Browse |
|
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.13463524328579 |
| TrID: |
|
| File name: | tftpd64.exe |
| File size: | 392'704 bytes |
| MD5: | 3c1e3215acc69f06f044802ed4695333 |
| SHA1: | ea34a6bad04bc5a1fcb494668347cd302557f327 |
| SHA256: | 34de53b43c32e3ed5231a57683103acad1aebeef08309cf8e770c27acc90e4e7 |
| SHA512: | 82ed2edbb7286aac00b946f7f4c79e59079994fe8385e961abd1291440fdf26e14c724943eaabebb517e921ece4b384b9d50905898d71f2efaa427be7082d2d0 |
| SSDEEP: | 3072:2UANSGQV9/2Q2ZE1nEDBRjDds0FmgMUIpipKfHEZji+jbqLvInpmU9tqx2sFnU59:QsqE1nEDPlTFmkpckZW8qbIZpsX9 |
| TLSH: | 6D844956B396C8E9DC6E81388853C616D6717C140BB18AEB63B0B75EBF33261CD39B11 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............j`..j`..j`...d..j`...c..j`...e.4j`.2.e..j`.2.d..j`.2.c..j`.=.d..j`...a..j`..ja..k`.=.h..j`.=....j`..j...j`.=.b..j`.Rich.j` |
 | |
| Icon Hash: | 060935cc23261860 |
| Entrypoint: | 0x140019f08 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5C76800E [Wed Feb 27 12:18:22 2019 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 2 |
| File Version Major: | 5 |
| File Version Minor: | 2 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 2 |
| Import Hash: | cd339696c8e5d1a47aa69598eea5f5d8 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007FD0109C0574h |
| dec eax |
| add esp, 28h |
| jmp 00007FD0109C00DFh |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| dec ebp |
| mov eax, dword ptr [ecx+38h] |
| dec eax |
| mov ecx, edx |
| dec ecx |
| mov edx, ecx |
| call 00007FD0109C0272h |
| mov eax, 00000001h |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| inc ebp |
| mov ebx, dword ptr [eax] |
| dec eax |
| mov ebx, edx |
| inc ecx |
| and ebx, FFFFFFF8h |
| dec esp |
| mov ecx, ecx |
| inc ecx |
| test byte ptr [eax], 00000004h |
| dec esp |
| mov edx, ecx |
| je 00007FD0109C0275h |
| inc ecx |
| mov eax, dword ptr [eax+08h] |
| dec ebp |
| arpl word ptr [eax+04h], dx |
| neg eax |
| dec esp |
| add edx, ecx |
| dec eax |
| arpl ax, cx |
| dec esp |
| and edx, ecx |
| dec ecx |
| arpl bx, ax |
| dec edx |
| mov edx, dword ptr [eax+edx] |
| dec eax |
| mov eax, dword ptr [ebx+10h] |
| mov ecx, dword ptr [eax+08h] |
| dec eax |
| mov eax, dword ptr [ebx+08h] |
| test byte ptr [ecx+eax+03h], 0000000Fh |
| je 00007FD0109C026Dh |
| movzx eax, byte ptr [ecx+eax+03h] |
| and eax, FFFFFFF0h |
| dec esp |
| add ecx, eax |
| dec esp |
| xor ecx, edx |
| dec ecx |
| mov ecx, ecx |
| pop ebx |
| jmp 00007FD0109BFCBEh |
| int3 |
| dec eax |
| sub esp, 28h |
| call 00007FD0109C0A1Ch |
| test eax, eax |
| je 00007FD0109C0283h |
| dec eax |
| mov eax, dword ptr [00000030h] |
| dec eax |
| mov ecx, dword ptr [eax+08h] |
| jmp 00007FD0109C0267h |
| dec eax |
| cmp ecx, eax |
| je 00007FD0109C0276h |
| xor eax, eax |
| dec eax |
| cmpxchg dword ptr [00035994h], ecx |
| jne 00007FD0109C0250h |
| xor al, al |
| dec eax |
| add esp, 28h |
| ret |
| mov al, 01h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4a158 | 0xc8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6b000 | 0xf3b0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x67000 | 0x25f8 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x824 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x47320 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x47360 | 0x108 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x3a000 | 0x8b0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x385f0 | 0x38600 | c270544398209a3a2d52f25a8946f67a | False | 0.565449175443459 | zlib compressed data | 6.461654844462193 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x3a000 | 0x11c0e | 0x11e00 | a7935c60e8d392de7929370d58fa7f70 | False | 0.4387428977272727 | data | 5.343771610036835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x4c000 | 0x1a280 | 0x3000 | 75c303ab6b320ce8f11c636d553deecc | False | 0.23014322916666666 | data | 2.740224600122874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x67000 | 0x25f8 | 0x2600 | 30f34053ba313bb5e23c39349a256ebd | False | 0.4953741776315789 | data | 5.582322651430407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| _RDATA | 0x6a000 | 0x94 | 0x200 | 75333c9895ad9e4ebe1bc543ebf8e6be | False | 0.2109375 | data | 1.4251822591191758 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x6b000 | 0xf3b0 | 0xf400 | 78706b718a05c67bc2e4476b1eefe403 | False | 0.13545402151639344 | data | 3.189242819964901 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x7b000 | 0x824 | 0xa00 | faa181d89f44777d4011b833d0024d8a | False | 0.52265625 | data | 4.943657624907388 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x6d7e8 | 0xa068 | Device independent bitmap graphic, 256 x 512 x 4, image size 32768, 16 important colors | English | United States | 0.060417884278199885 |
| RT_ICON | 0x77850 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048, 16 important colors | English | United States | 0.23123123123123124 |
| RT_ICON | 0x782b8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States | 0.3924731182795699 |
| RT_ICON | 0x785a0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152, 16 important colors | English | United States | 0.29573170731707316 |
| RT_ICON | 0x78c08 | 0x4c8 | Device independent bitmap graphic, 40 x 80 x 4, image size 800, 16 important colors | English | United States | 0.3276143790849673 |
| RT_ICON | 0x79120 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09380863039399624 |
| RT_MENU | 0x7a1e0 | 0x2a | data | English | United States | 1.0952380952380953 |
| RT_MENU | 0x7a210 | 0x1c | data | English | United States | 1.1071428571428572 |
| RT_DIALOG | 0x6b648 | 0x91c | data | English | United States | 0.4009433962264151 |
| RT_DIALOG | 0x6bf68 | 0xd0 | data | English | United States | 0.7692307692307693 |
| RT_DIALOG | 0x6c038 | 0x13d8 | data | English | United States | 0.3387795275590551 |
| RT_DIALOG | 0x6d410 | 0xee | data | English | United States | 0.6470588235294118 |
| RT_DIALOG | 0x6d500 | 0x106 | data | English | United States | 0.6870229007633588 |
| RT_DIALOG | 0x6d608 | 0x11a | data | English | United States | 0.6524822695035462 |
| RT_DIALOG | 0x6d728 | 0xbe | data | English | United States | 0.6631578947368421 |
| RT_GROUP_ICON | 0x790d0 | 0x4c | data | English | United States | 0.7894736842105263 |
| RT_GROUP_ICON | 0x7a1c8 | 0x14 | data | English | United States | 1.2 |
| RT_VERSION | 0x6b430 | 0x214 | data | English | United States | 0.5582706766917294 |
| RT_MANIFEST | 0x7a230 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
| DLL | Import |
|---|---|
| SHELL32.dll | SHBrowseForFolderA, DragQueryFileA, DragFinish, DragAcceptFiles, ShellExecuteA, SHGetPathFromIDListA, Shell_NotifyIconA |
| WS2_32.dll | listen, accept, select, getsockname, ntohs, WSACloseEvent, WSACreateEvent, WSAEventSelect, gethostbyname, bind, WSAIoctl, ntohl, inet_ntoa, getservbyname, gethostname, htonl, setsockopt, WSACleanup, WSAStartup, getaddrinfo, socket, connect, recvfrom, recv, freeaddrinfo, sendto, WSAGetLastError, closesocket, WSAAsyncSelect, getpeername, getnameinfo, inet_addr, send, htons, WSASetLastError |
| COMCTL32.dll | InitCommonControlsEx |
| IPHLPAPI.DLL | GetIpNetTable, SendARP, GetAdaptersAddresses, DeleteIpNetEntry |
| KERNEL32.dll | MultiByteToWideChar, GetFullPathNameW, GetCurrentDirectoryW, HeapReAlloc, OutputDebugStringW, SetStdHandle, LCMapStringW, CompareStringW, GetCommandLineA, GetCommandLineW, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetModuleFileNameA, lstrlenA, lstrcatA, lstrcpyA, lstrcmpiA, lstrcpynA, OutputDebugStringA, GetEnvironmentVariableA, lstrcmpA, SetLastError, GetCurrentProcess, CreateMutexA, ReleaseMutex, Sleep, GetLastError, CloseHandle, SetProcessWorkingSetSize, GetFullPathNameA, GetVersion, GetLocalTime, CreateProcessA, ReadFile, ReleaseSemaphore, WriteFile, WaitForSingleObject, GetCurrentDirectoryA, SetCurrentDirectoryA, GetFileAttributesA, CreateFileA, DeleteFileA, GetFileSize, CreateSemaphoreA, SetEnvironmentVariableA, SetThreadPriority, SetFilePointer, GetCurrentThread, WideCharToMultiByte, FlushFileBuffers, GetCurrentThreadId, GetTickCount, ResetEvent, GetSystemTime, WaitForMultipleObjects, SetEvent, CreateEventA, CreateThread, SetFilePointerEx, GlobalAlloc, GlobalUnlock, GlobalLock, LocalFree, FormatMessageA, GetSystemTimeAsFileTime, FileTimeToLocalFileTime, FindClose, FindFirstFileA, FindNextFileA, FileTimeToSystemTime, GetDateFormatA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetCPInfo, HeapFree, HeapAlloc, GetTimeZoneInformation, ExitProcess, SystemTimeToTzSpecificLocalTime, PeekNamedPipe, GetFileInformationByHandle, GetDriveTypeW, CreateFileW, FreeLibraryAndExitThread, ResumeThread, ExitThread, WriteConsoleW, GetModuleHandleExW, GetModuleFileNameW, GetFileType, GetStdHandle, RaiseException, LoadLibraryExW, GetProcAddress, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RtlUnwindEx, GetEnvironmentStringsW, GetModuleHandleW, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetStringTypeW, GetProcessHeap, GetConsoleCP, GetConsoleMode, GetFileSizeEx, HeapSize, ReadConsoleW, SetEndOfFile, GetThreadPriority |
| USER32.dll | GetFocus, GetWindowLongA, SetWindowLongA, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, DialogBoxParamA, GetClassInfoA, RegisterClassA, GetDesktopWindow, GetClassLongPtrA, DrawIcon, SetFocus, DialogBoxIndirectParamA, CreateWindowExA, SystemParametersInfoA, MessageBeep, wvsprintfA, RedrawWindow, MoveWindow, MapDialogRect, InvalidateRect, GetWindow, GetSystemMetrics, SetDlgItemTextA, SetWindowTextA, IsWindow, SetTimer, DestroyIcon, CallWindowProcA, GetWindowTextA, SetClassLongPtrA, MessageBoxA, GetSysColor, DefWindowProcA, SendDlgItemMessageA, LoadIconA, CheckMenuItem, UnregisterClassA, SetWindowLongPtrA, FindWindowA, SetForegroundWindow, ChildWindowFromPoint, EnableWindow, GetDC, ReleaseDC, GetSystemMenu, GetWindowRect, DestroyWindow, IsWindowVisible, SetWindowPos, ShowWindow, GetTopWindow, GetDialogBaseUnits, CreateDialogParamA, AppendMenuA, GetClientRect, PostMessageA, GetDlgItemTextA, GetDlgItemInt, SetDlgItemInt, LoadMenuA, TrackPopupMenu, wsprintfA, GetSubMenu, DestroyMenu, GetDlgItem, GetWindowLongPtrA, GetParent, GetCursorPos, SendMessageA, EndDialog, KillTimer |
| GDI32.dll | SetBkColor, SetTextColor, LPtoDP, GetTextExtentPoint32A, GetTextMetricsA, ExtTextOutA |
| COMDLG32.dll | GetOpenFileNameA |
| ADVAPI32.dll | RegOpenKeyExA, ReportEventA, RegisterEventSourceA, DeregisterEventSource, RegDeleteKeyA, RegCloseKey, RegSetValueExA, RegCreateKeyExA, RegQueryValueExA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 22, 2024 21:05:33.826863050 CET | 65428 | 53 | 192.168.2.24 | 1.1.1.1 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 22, 2024 21:05:33.826863050 CET | 192.168.2.24 | 1.1.1.1 | 0x3549 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 22, 2024 21:05:33.964329958 CET | 1.1.1.1 | 192.168.2.24 | 0x3549 | No error (0) | res-ocdi-public.trafficmanager.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 22, 2024 21:05:33.964329958 CET | 1.1.1.1 | 192.168.2.24 | 0x3549 | No error (0) | cdn-office.azureedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 22, 2024 21:05:33.964329958 CET | 1.1.1.1 | 192.168.2.24 | 0x3549 | No error (0) | sni1gl.wpc.sigmacdn.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 22, 2024 21:05:33.964329958 CET | 1.1.1.1 | 192.168.2.24 | 0x3549 | No error (0) | 152.199.21.175 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 1 |
| Start time: | 15:05:01 |
| Start date: | 22/12/2024 |
| Path: | C:\Users\user\Desktop\tftpd64.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff748e60000 |
| File size: | 392'704 bytes |
| MD5 hash: | 3C1E3215ACC69F06F044802ED4695333 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
⊘No disassembly