Edit tour

Windows Analysis Report
Tftpd64_SE-4.64-setup.exe

Overview

General Information

Sample name:	Tftpd64_SE-4.64-setup.exe
Analysis ID:	1649527
MD5:	e82de432d59c3cc20a0f67e05b4395d4
SHA1:	503c0054c5c542d879278fe1256f3ceb385f49bc
SHA256:	b05eb78f7b65dcea23973055687483d2bb4f6553641cf09d824a5a13a57c5d86
Infos:

Detection

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Changes security center settings (notifications, updates, antivirus, firewall)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

Tftpd64_SE-4.64-setup.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe" MD5: E82DE432D59C3CC20A0F67E05B4395D4)

cmd.exe (PID: 7036 cmdline: C:\Windows\system32\cmd.exe /c sc interrogate "Tftpd32_svc" | find "SERVICE_NAME" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7096 cmdline: sc interrogate "Tftpd32_svc" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

find.exe (PID: 7104 cmdline: find "SERVICE_NAME" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

cmd.exe (PID: 7128 cmdline: C:\Windows\system32\cmd.exe /c sc query "Tftpd32_svc" | find "SERVICE_NAME" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6212 cmdline: sc query "Tftpd32_svc" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

find.exe (PID: 6224 cmdline: find "SERVICE_NAME" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

tftpd64_svc.exe (PID: 1712 cmdline: "C:\Program Files\Tftpd64_SE\tftpd64_svc.exe" -install MD5: 7EA3BBF84F39CC37C208945461230614)

conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3004 cmdline: sc config "Tftpd32_svc" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 2924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6556 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6624 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6652 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 4232 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1472 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 6996 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 3748 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

Sigma detected: SC.EXE Query Execution

Source: Process started

Author: frack113: Data: Command: sc query "Tftpd32_svc" , CommandLine: sc query "Tftpd32_svc" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc query "Tftpd32_svc" | find "SERVICE_NAME", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7128, ParentProcessName: cmd.exe, ProcessCommandLine: sc query "Tftpd32_svc" , ProcessId: 6212, ProcessName: sc.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2924, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• System Summary
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Source: Tftpd64_SE-4.64-setup.exe

Virustotal: Detection: 9%

Perma Link

Source: Tftpd64_SE-4.64-setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\tftpd64_gui.exe
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\tftpd32.chm
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\EUPL-EN.pdf
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\license-tftpd32_SE.txt
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\tftpd32.ini
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

File created: C:\Program Files\Tftpd64_SE\license-tftpd32_SE.txt

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: Tftpd64_SE-4.64-setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.evad.winEXE@31/12@0/9

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

File created: C:\Program Files\Tftpd64_SE

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

File created: C:\Users\Public\Desktop\Tftpd64_SE Admin.lnk

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7056:120:WilError_03

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsg75A.tmp

Source: Tftpd64_SE-4.64-setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Tftpd64_SE-4.64-setup.exe

Virustotal: Detection: 9%

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

File read: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe "C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe"
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc interrogate "Tftpd32_svc" \| find "SERVICE_NAME"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc interrogate "Tftpd32_svc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "SERVICE_NAME"
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc query "Tftpd32_svc" \| find "SERVICE_NAME"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "Tftpd32_svc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "SERVICE_NAME"
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc interrogate "Tftpd32_svc" \| find "SERVICE_NAME"
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc query "Tftpd32_svc" \| find "SERVICE_NAME"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc interrogate "Tftpd32_svc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "SERVICE_NAME"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "Tftpd32_svc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "SERVICE_NAME"
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Process created: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe "C:\Program Files\Tftpd64_SE\tftpd64_svc.exe" -install
Source: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc config "Tftpd32_svc" start= auto
Source: C:\Windows\SysWOW64\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Process created: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe "C:\Program Files\Tftpd64_SE\tftpd64_svc.exe" -install
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Process created: C:\Windows\SysWOW64\sc.exe sc config "Tftpd32_svc" start= auto
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

File written: C:\Program Files\Tftpd64_SE\tftpd32.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\tftpd64_gui.exe
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\tftpd32.chm
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\EUPL-EN.pdf
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\license-tftpd32_SE.txt
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\tftpd32.ini
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Directory created: C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	File created: C:\Program Files\Tftpd64_SE\tftpd64_gui.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	File created: C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	File created: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe

File created: C:\Program Files\Tftpd64_SE\license-tftpd32_SE.txt

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Uninstall Tftpd64_SE.lnk
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Tftpd64_SE Admin.lnk
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Tftpd64_SE Settings.lnk

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc interrogate "Tftpd32_svc"

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Dropped PE file which has not been started: C:\Program Files\Tftpd64_SE\tftpd64_gui.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Dropped PE file which has not been started: C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe			Jump to dropped file

Source: C:\Windows\System32\svchost.exe TID: 6420

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	File Volume queried: C:\Program Files FullSizeInformation
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	File Volume queried: C:\Program Files FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc interrogate "Tftpd32_svc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "SERVICE_NAME"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "Tftpd32_svc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "SERVICE_NAME"

Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	13 Masquerading	OS Credential Dumping	13 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	3 Virtualization/Sandbox Evasion	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	11 Process Injection	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
Tftpd64_SE-4.64-setup.exe	5%	ReversingLabs
Tftpd64_SE-4.64-setup.exe	10%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe	5%	ReversingLabs
C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe	0%	Virustotal	Browse
C:\Program Files\Tftpd64_SE\tftpd64_gui.exe	0%	ReversingLabs
C:\Program Files\Tftpd64_SE\tftpd64_gui.exe	0%	Virustotal	Browse
C:\Program Files\Tftpd64_SE\tftpd64_svc.exe	7%	Virustotal	Browse
C:\Program Files\Tftpd64_SE\tftpd64_svc.exe	6%	ReversingLabs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.190.190.131	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.9.183.29	unknown	United States		16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1649527
Start date and time:	2025-03-26 21:27:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Tftpd64_SE-4.64-setup.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@31/12@0/9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Created / dropped Files

C:\Program Files\Tftpd64_SE\EUPL-EN.pdf

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	PDF document, version 1.4, 7 pages
Category:	dropped
Size (bytes):	34312
Entropy (8bit):	7.865880855522421
Encrypted:	false
SSDEEP:
MD5:	254B5DDBC15269E72BA3A0508681A70C
SHA1:	2263AE4C0B71BF7BE09707D8FFE1176807E8C69E
SHA-256:	CD5D9E2A925D8DAA92D083FD8C1CEA48DF1BCFFFD857F4F93E2148FDDC5001EC
SHA-512:	9BB5A4BF1B5167725E2126CE5152E3BE11B7288C743C0D7C71B98D0551E47BCE417B0B1C0A14FF523A7C90EC9D0B930A0879B31B22F10B0A068F635103FAF504
Malicious:	false
Reputation:	unknown
Preview:	%PDF-1.4..%......1 0 obj..<</Type /Catalog /Pages 3 0 R /Metadata 38 0 R >>endobj....2 0 obj..<</Producer (GPL Ghostscript 8.54)/CreationDate (D:20090119165348+02'00')/ModDate (D:20090119165348)/Title (...e.u.p.l. .v. . .1. .1. .-. .E.N. .f.i.n.a.l)/Creator (...P.D.F.C.r.e.a.t.o.r. .V.e.r.s.i.o.n. .0...9...3)/Author (...e.k.a.m.a)/Keywords ()/Subject ()>>endobj....3 0 obj..<</Type /Pages /Kids [4 0 R 11 0 R 16 0 R 20 0 R 24 0 R 28 0 R 32 0 R ]/Count 7 /Rotate 0 >>endobj....4 0 obj..<</Type /Page /MediaBox [0 0 612 792 ]/Rotate 0 /Parent 3 0 R /Resources <</ProcSet [/PDF /Text ]/Font 10 0 R >>/Contents 5 0 R >>endobj....5 0 obj..<</Length 6 0 R /Filter /FlateDecode >>stream..x..\Ys...~.....1.FyJlU*)U....9..%..(..D.....Lcpu.....\.....F._..7. .f....'........'nP.....\|.v......<(..^...<;1.e..Lz.X=..lN.l7.......9O...zs.2~-G5X._<.._N.AJX"/'E\N.q....9(YV\|...i..C/)._.8.13......;.............n...B...^.WZN.....N.S5..Yy\|.\|i..t.'XVn._>X.,z.........&\|.rN...._{...t../...2...<...z.

C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	38510
Entropy (8bit):	6.2422507412013575
Encrypted:	false
SSDEEP:
MD5:	6866C1AE32B8B28DE3FB9E7C4E8FDDFC
SHA1:	4B5FB6FB75F2772EFC190C75FBC89B41AABA04CB
SHA-256:	170A7D4C0848A4C14AFB6D3E3EDD32493407658CBC8E2E3C60F380905238E6D1
SHA-512:	C643B00F37929C9AF0CB070338160BC7702E38E95E05821F20DA5C3541947FAC4AAB7AD36C4989194665DF6C5323BACB0123621A0825CB3541878584F54EBCD2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.^...QF..QG.qQF.^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@.........................................................................$u.......p...............................................................................p..\|............................text...f^.......`.................. ..`.rdata.......p.......d..............@..@.data....]...........x..............@....ndata...................................rsrc........p.......~..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Tftpd64_SE\license-tftpd32_SE.txt

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	4.82882755499305
Encrypted:	false
SSDEEP:
MD5:	7824A4FF97D5683B1E924E852FF7CCC9
SHA1:	9FF17CA6C4F4F2E0800D4E32E182DF3342951F3D
SHA-256:	A3AD235B1C4197623E997EF0FCCEB5F2464EC5913AE1C872C470E6C82FB1B1F3
SHA-512:	B16EDE0158901408B3BA49540AF45596F3422C545684BA7E2369BE7AB8F9DCC758D56A229C8E03A90373C62DC06A236147A6C35A2D139F462F59216278B3D03E
Malicious:	false
Reputation:	unknown
Preview:	TFTPD32 is copyrighted 1998-2011 by Philippe Jounin (philippe@jounin.net) and released under the European Union Public License (see file EUPL-EN.pdf)...

C:\Program Files\Tftpd64_SE\tftpd32.chm

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	364722
Entropy (8bit):	7.965464243492042
Encrypted:	false
SSDEEP:
MD5:	DE0095E371874836FB50CD3400D7B204
SHA1:	8A1000443A71417C6233F277B87CA6585BEBCA2A
SHA-256:	810A0F52703D051B30D5ECD219C72B0599964DE34D1C1912367271C87D4725BF
SHA-512:	0BD27DCF930DF12D4FC2F29CAAE8809BE74D124946561D60A6FA0E8D775AB3BAF34DBDE2560BB483A348D769D39C79B9AF9666DAA6EB87770053736D1DF474DB
Malicious:	false
Reputation:	unknown
Preview:	ITSF....`.........(@.......\|.{.......".....\|.{......."..`...............x.......T.......................................ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...'.../#ITBITS..../#STRINGS...B.@./#SYSTEM..&.T./#TOPICS...'.p./#URLSTR...K.w./#URLTBL.....4./$FIftiMain..../$OBJINST...h.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...d../$WWKeywordLinks/..../$WWKeywordLinks/Property...`../address clipboard.jpg...z..]./dhcp port bound.jpg...5..W./drag and drop.GIF...x..../FAQ.html..e.../file clipboard.jpg...W..!./Getting Started.html..w.../Help Index.html..%.7./History.html..\..../Index.hhk....K./it_works.jpg...D..)./License.html...t..F./overview.html...:.E./Protocols Description.html......./Settings Entries.html...e.P./setup DHCP.html.....(./setup dhcp.jpg...m..../setup global.html.....)./setup global.jpg...l..../setup syslog.html...W.U./setup syslog.jpg...\|..+./setup tftpd.html...,.../setup tftpd.jpg..

C:\Program Files\Tftpd64_SE\tftpd32.ini

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	Generic INItialization configuration [TFTPD32]
Category:	dropped
Size (bytes):	616
Entropy (8bit):	5.1459656060648875
Encrypted:	false
SSDEEP:
MD5:	C973075D00B0BF2D5C4CB18155AD92FB
SHA1:	0B1D0A6C40DA12B81E6BAB942A6631F19E18F1FC
SHA-256:	0C00CBDAE4E3F2F430CA803E2E08BB3CBBA4E83CF9024DBB64DA212B8034E60D
SHA-512:	B987AA69A90FC14D0C4E7EBCD7DB6A3C9580F705CE6753104163017975B4E8A1F09C302123C83421943E33A591B509F8EDC398A00FE4932132D32C169DB34FC9
Malicious:	false
Reputation:	unknown
Preview:	[DHCP]..Lease_NumLeases=0..[TFTPD32]..BaseDirectory=...TftpPort=69..Hide=0..WinSize=0..Negociate=1..PXECompatibility=0..DirText=0..ShowProgressBar=1..Timeout=3..MaxRetransmit=6..SecurityLevel=1..UnixStrings=1..Beep=0..VirtualRoot=0..MD5=0..LouserP=..Services=15..TftpLogFile=..SaveSyslogFile=..PipeSyslogMsg=0..LowestUDPPort=0..HighestUDPPort=0..MulticastPort=0..MulticastAddress=..PersistantLeases=1..DHCP Ping=1..DHCP LouserP=..Max Simultaneous Transfers=100..UseEventLog=0..Console Password=tftpd32..Support for port Option=0..UseEventLog=0..Keep transfer Gui=5..Ignore ack for last TFTP packet=0..Enable IPv6=0..

C:\Program Files\Tftpd64_SE\tftpd64_gui.exe

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	299008
Entropy (8bit):	6.000375288264343
Encrypted:	false
SSDEEP:
MD5:	3CE2D744A605DACA17AAB7748ABE00C2
SHA1:	129AEDAB12F2399B7E9F46EC7FA926407B619729
SHA-256:	96648250FA97068EB1C54989D7DB18F6A46C304E7A6A017E6EA9A7A7D535DF6B
SHA-512:	C367F57D8A376EC046EA125FED7F2CF3F5AC7E8D983FA25FDA362ED332592C2BBBCA422E537F5CA43CD2A36B7E643F170671FE8861D7F3B46A89A9E3CEB2C6E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t..&0.u0.u0.uU..t:.uU..t6.uU..t..u...t..u...t!.u...t8.u...t:.uU..t!.u0.u..u...t$.u..\u1.u0.4u1.u...t1.uRich0.u........PE..d.....v\.........."......t..........h..........@..................?.......................`..................................................T...............p.......................5..8...........................@5..................0............................text...0s.......t.................. ..`.rdata...............x..............@..@.data........p... ...T..............@....pdata.......p.......t..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Program Files\Tftpd64_SE\tftpd64_svc.exe

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	334336
Entropy (8bit):	6.138396322407685
Encrypted:	false
SSDEEP:
MD5:	7EA3BBF84F39CC37C208945461230614
SHA1:	A2C2C0912F9632024245007083B0F75C4D520AFE
SHA-256:	CFC0FDBF62D6B3BE3960CEE3F27D19D6C81EC125B2856912F331F5413E3F12BE
SHA-512:	D6A39DC4471DA3D8EE57BA4A68342B36C1805B3F9CCABB29809D199F0F99393268C90EDFCB99C9E61B91EA0DE3921C70EAB6F725247E80BF33E17EC68385EC27
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 7%, Browse Antivirus: ReversingLabs, Detection: 6%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e...6...6...6...7...6...7...6...7...6...7...6...7...6...7...6...7...6...7...6...6f..6...7...6...6...6..y6...6...7...6Rich...6................PE..d.....v\.........."............................@..................?.......................`.................................................p........ ..(.......t"......................8............................................................................text...p........................... ..`.rdata..~...........................@..@.data............ ..................@....pdata..t".......$..................@..@_RDATA...............@..............@..@.rsrc...(.... .......B..............@..@.reloc..............................@..B........................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Tftpd64_SE Admin.lnk

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Feb 27 13:07:34 2019, mtime=Wed Mar 26 19:29:38 2025, atime=Wed Feb 27 13:07:34 2019, length=299008, window=hide
Category:	dropped
Size (bytes):	900
Entropy (8bit):	4.585404675296463
Encrypted:	false
SSDEEP:
MD5:	12030D1C74C0DB30E55B8CD011E10DAC
SHA1:	1091AED16EF72DD581A459A5C7DBCCA3F5518BC6
SHA-256:	C1CD496F9A5260701B707ED7E5B7B912654995DB8896D0408DF1A323850C7075
SHA-512:	E8665F720622F4FC558BD78A301BB07EADE9BB973A2063DC2135EF0358FBD4DA177A7E13F4BA7C1BA9906CA97ABB724F05A9903EF078C1DD412385D0458C8CB8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....".............".................................P.O. .:i.....+00.../C:\.....................1.....zZ....PROGRA~1..t......O.IzZ......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....zZ....TFTPD6~1..F......zZ..zZ................................T.f.t.p.d.6.4._.S.E.....l.2.....[N.p .TFTPD6~1.EXE..P......[N.pzZ................................t.f.t.p.d.6.4._.g.u.i...e.x.e.......Z...............-.......Y....................C:\Program Files\Tftpd64_SE\tftpd64_gui.exe..:.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.\.t.f.t.p.d.6.4._.g.u.i...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.`.......X.......128757...........hT..CrF.f4... .....4....1....%..hT..CrF.f4... .....4....1....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Tftpd64_SE Settings.lnk

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Nov 28 07:08:04 2013, mtime=Wed Mar 26 19:29:38 2025, atime=Thu Nov 28 07:08:04 2013, length=616, window=hide
Category:	dropped
Size (bytes):	878
Entropy (8bit):	4.574438425554531
Encrypted:	false
SSDEEP:
MD5:	F968776A00410BB705F44C0000BDFAAD
SHA1:	93B92010FCBFE6FF6CBC074D8C8EDA37E5682DC4
SHA-256:	6ED3950BDC75AEA40C66D351565044F70016ED61960C3B02862FF2D3227903BA
SHA-512:	AE77F78A30891DCDFB2837119F2F4236B235644ED0882B3A48E53444AE8253DD72C228AA706435703421E33A1CDCCC31E36A064CBDD655B0C733DAFF238F88E2
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ............@.............h.......................{....P.O. .:i.....+00.../C:\.....................1.....zZ....PROGRA~1..t......O.IzZ......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....zZ....TFTPD6~1..F......zZ..zZ................................T.f.t.p.d.6.4._.S.E.....b.2.h...\|C.A .tftpd32.ini.H......\|C.AzZ................................t.f.t.p.d.3.2...i.n.i.......V...............-.......U....................C:\Program Files\Tftpd64_SE\tftpd32.ini..6.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.\.t.f.t.p.d.3.2...i.n.i...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.`.......X.......128757...........hT..CrF.f4... .....4....1....%..hT..CrF.f4... .....4....1....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Uninstall Tftpd64_SE.lnk

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Mar 26 19:29:38 2025, mtime=Wed Mar 26 19:29:38 2025, atime=Wed Mar 26 19:29:38 2025, length=38510, window=hide
Category:	dropped
Size (bytes):	945
Entropy (8bit):	4.622743603666894
Encrypted:	false
SSDEEP:
MD5:	7863631FAAEA7587C09B4561019AE737
SHA1:	301D64543AF2ABD18FB3FB5F68CEB3892D21E480
SHA-256:	826579419DA3C3CD1E5B274CB4D51F0FA91694AAE7BB6B080D80134C452F30D3
SHA-512:	2C446E2DEC6744C8A307BBE1B57BB1C9E39B48297628BC2210B5F66D904E7B759988C97E2D110997D53B3733FEC5E8089CE047D3A03BE77281720313395328F2
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...7......7......7......n............................P.O. .:i.....+00.../C:\.....................1.....zZ....PROGRA~1..t......O.IzZ......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....zZ....TFTPD6~1..F......zZ..zZ................................T.f.t.p.d.6.4._.S.E.....~.2.n...zZ.. .TFTPD6~3.EXE..b......zZ..zZ................................T.f.t.p.d.6.4._.S.E.-.u.n.i.n.s.t.a.l.l...e.x.e.......c...............-.......b....................C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe..C.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.\.T.f.t.p.d.6.4._.S.E.-.u.n.i.n.s.t.a.l.l...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.`.......X.......128757...........hT..CrF.f4... .....4....1....%..hT..CrF.f4... .....4....1....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\Public\Desktop\Tftpd64_SE Admin.lnk

Download File

Process:	C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Feb 27 13:07:34 2019, mtime=Wed Mar 26 19:29:38 2025, atime=Wed Feb 27 13:07:34 2019, length=299008, window=hide
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.602030719696917
Encrypted:	false
SSDEEP:
MD5:	3580EF8EA1832DCC66DC3363CF1E4B87
SHA1:	4C0A48DC5AD634D8CD2D10BE3D2D401B0850D716
SHA-256:	6E1C43E3A8A4A11BF5C7198F8F718418E40231813E257A817A4C881742A6226D
SHA-512:	E4C600462BA26AD90009EBA48B1AC4E7743367509C12C2B20010E264A2CF37115953FBE99CE6DED2AAC58B18F2D7A362FC82790C545CEC449B2B44699AC3A4B9
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....".....I ......".................................P.O. .:i.....+00.../C:\.....................1.....zZ....PROGRA~1..t......O.IzZ......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....zZ....TFTPD6~1..F......zZ..zZ................................T.f.t.p.d.6.4._.S.E.....l.2.....[N.p .TFTPD6~1.EXE..P......[N.pzZ................................t.f.t.p.d.6.4._.g.u.i...e.x.e.......Z...............-.......Y....................C:\Program Files\Tftpd64_SE\tftpd64_gui.exe..1.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.\.t.f.t.p.d.6.4._.g.u.i...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.`.......X.......128757...........hT..CrF.f4... .....4....1....%..hT..CrF.f4... .....4....1....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

\Device\ConDrv

Download File

Process:	C:\Program Files\Tftpd64_SE\tftpd64_svc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	36
Entropy (8bit):	4.162573265150911
Encrypted:	false
SSDEEP:
MD5:	42C2B43B4BB6B6A8AE1A1CC9C2105D97
SHA1:	3888091B87AE75AB3303C9BA1E5858550FEF4279
SHA-256:	C476CFCD15C70E06B88B7AB35C30603E0CB6E3EF06FAD56AF6CBB75F4CD721B5
SHA-512:	52453D169FB62639CDC82B5A497244B8384A3CFBD7D4277437B2C2AC65E1DEDEE36C96BE72848C56327723E353CECA7CA59164511031F4C2F8E5316CA2B36870
Malicious:	false
Reputation:	unknown
Preview:	Tftpd32 service edition installed...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.983079667091566
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Tftpd64_SE-4.64-setup.exe
File size:	752'999 bytes
MD5:	e82de432d59c3cc20a0f67e05b4395d4
SHA1:	503c0054c5c542d879278fe1256f3ceb385f49bc
SHA256:	b05eb78f7b65dcea23973055687483d2bb4f6553641cf09d824a5a13a57c5d86
SHA512:	e028759045cd3baece135f31d97ecc506b697cd83eaf6dfc354a320a8c9bc75928a60db6ce1b656d8f653696ee977de0af145fa6bebf833f5e0b2d1381cebe19
SSDEEP:	12288:sLkcjGAzLxrYPhMp0/J8hlDZYG5IAeKPOFwTM84qpcy+qtv2tSoTqLQby4+:sLNjGSL0hMpK8hf7IWWFA4qphN28o+Ln
TLSH:	00F423A126700FF6E21C36F1793EBD6AABB9C6405921343B17906E2FD8141CDED49BC6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.^...QF..QG.qQF.^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@

File Icon


Icon Hash:	912763910f8eb370

Static PE Info

General

Entrypoint:	0x40312a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b76363e9cb88bf9390860da8e50999d2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+20h], ebx
mov dword ptr [esp+14h], 00409168h
mov dword ptr [esp+1Ch], ebx
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F512D308F43h
push ebx
call 00007F512D30BD24h
cmp eax, ebx
je 00007F512D308F39h
push 00000C00h
call eax
mov esi, 00407280h
push esi
call 00007F512D30BCA0h
push esi
call dword ptr [00407108h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F512D308F1Dh
push 0000000Dh
call 00007F512D30BCF8h
push 0000000Bh
call 00007F512D30BCF1h
mov dword ptr [0042EC24h], eax
call dword ptr [00407038h]
push ebx
call dword ptr [0040726Ch]
mov dword ptr [0042ECD8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429058h
call dword ptr [0040715Ch]
push 0040915Ch
push 0042E420h
call 00007F512D30B924h
call dword ptr [0040710Ch]
mov ebp, 00434000h
push eax
push ebp
call 00007F512D30B912h
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7524	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x13c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x27c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	d22b359417726295d1d61eaac63c3d95	False	0.6705729166666666	data	6.440655734359132	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x12a2	0x1400	68295528d67e59e0536c9d80519cbe96	False	0.4455078125	data	5.058328787102383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25d18	0x600	82232fd09381275af53acb18fd24a88b	False	0.458984375	data	4.18773476617059	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x8000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0x13c8	0x1400	e2fb08d4b42e6d4b895b270caf7b674b	False	0.3416015625	data	4.289354678693222	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x372c8	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x37630	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.43010752688172044
RT_ICON	0x37918	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.3581081081081081
RT_DIALOG	0x37a40	0xb8	data	English	United States	0.6467391304347826
RT_DIALOG	0x37af8	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x37c40	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x37d80	0x100	data	English	United States	0.5234375
RT_DIALOG	0x37e80	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x37fa0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x38068	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x380c8	0x22	data	English	United States	0.9705882352941176
RT_MANIFEST	0x380f0	0x2d7	XML 1.0 document, ASCII text, with very long lines (727), with no line terminators	English	United States	0.562585969738652

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll	SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll	RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Tftpd64_SE-4.64-setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Program Files\Tftpd64_SE\EUPL-EN.pdf

C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe

C:\Program Files\Tftpd64_SE\license-tftpd32_SE.txt

C:\Program Files\Tftpd64_SE\tftpd32.chm

C:\Program Files\Tftpd64_SE\tftpd32.ini

C:\Program Files\Tftpd64_SE\tftpd64_gui.exe

C:\Program Files\Tftpd64_SE\tftpd64_svc.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Tftpd64_SE Admin.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Tftpd64_SE Settings.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Uninstall Tftpd64_SE.lnk

C:\Users\Public\Desktop\Tftpd64_SE Admin.lnk

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
Tftpd64_SE-4.64-setup.exe