
Windows Analysis Report
Tftpd64_SE-4.64-setup.exe

Overview

General Information

Sample name: Tftpd64_SE-4.64-setup.exe
Analysis ID: 1649527
MD5: e82de432d59c3cc20a0f67e05b4395d4
SHA1: 503c0054c5c542d879278fe1256f3ceb385f49bc
SHA256: b05eb78f7b65dcea23973055687483d2bb4f6553641cf09d824a5a13a57c5d86

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses 32bit PE files

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean / suspicious / malicious)
  • System is w10x64_ra
  • Tftpd64_SE-4.64-setup.exe (PID: 7008 cmdline: "C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe" MD5: E82DE432D59C3CC20A0F67E05B4395D4)
    • cmd.exe (PID: 7036 cmdline: C:\Windows\system32\cmd.exe /c sc interrogate "Tftpd32_svc" | find "SERVICE_NAME" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7096 cmdline: sc interrogate "Tftpd32_svc" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • find.exe (PID: 7104 cmdline: find "SERVICE_NAME" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 7128 cmdline: C:\Windows\system32\cmd.exe /c sc query "Tftpd32_svc" | find "SERVICE_NAME" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 6212 cmdline: sc query "Tftpd32_svc" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • find.exe (PID: 6224 cmdline: find "SERVICE_NAME" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • tftpd64_svc.exe (PID: 1712 cmdline: "C:\Program Files\Tftpd64_SE\tftpd64_svc.exe" -install MD5: 7EA3BBF84F39CC37C208945461230614)
      • conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3004 cmdline: sc config "Tftpd32_svc" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 2924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6556 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6624 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 6652 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 4232 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1472 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 6996 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 3748 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No yara matches
Source: Process started; Author: frack113; Data: Command: sc query "Tftpd32_svc" , CommandLine: sc query "Tftpd32_svc" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc query "Tftpd32_svc" | find "SERVICE_NAME", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7128, ParentProcessName: cmd.exe, ProcessCommandLine: sc query "Tftpd32_svc" , ProcessId: 6212, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2924, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: C:\Program Files\Tftpd64_SE\tftpd64_svc.exeVirustotal: Detection: 6%
Source: Tftpd64_SE-4.64-setup.exeVirustotal: Detection: 9%
Source: Tftpd64_SE-4.64-setup.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeDirectory created: C:\Program Files\Tftpd64_SE
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeDirectory created: C:\Program Files\Tftpd64_SE\tftpd64_gui.exe
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeDirectory created: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeDirectory created: C:\Program Files\Tftpd64_SE\tftpd32.chm
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeDirectory created: C:\Program Files\Tftpd64_SE\EUPL-EN.pdf
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeDirectory created: C:\Program Files\Tftpd64_SE\license-tftpd32_SE.txt
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeDirectory created: C:\Program Files\Tftpd64_SE\tftpd32.ini
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeDirectory created: C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\Program Files\Tftpd64_SE\license-tftpd32_SE.txt
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: classification engineClassification label: mal60.evad.winEXE@31/12@0/9
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\Program Files\Tftpd64_SE
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\Users\Public\Desktop\Tftpd64_SE Admin.lnk
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\Users\user\AppData\Local\Temp\nsg75A.tmp
Source: Tftpd64_SE-4.64-setup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile read: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
Source: unknownProcess created: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe "C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe"
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc interrogate "Tftpd32_svc" | find "SERVICE_NAME"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc interrogate "Tftpd32_svc"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find "SERVICE_NAME"
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc query "Tftpd32_svc" | find "SERVICE_NAME"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc query "Tftpd32_svc"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find "SERVICE_NAME"
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeProcess created: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe "C:\Program Files\Tftpd64_SE\tftpd64_svc.exe" -install
Source: C:\Program Files\Tftpd64_SE\tftpd64_svc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeProcess created: C:\Windows\SysWOW64\sc.exe sc config "Tftpd32_svc" start= auto
Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: propsys.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: oleacc.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: shfolder.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: riched20.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: usp10.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: msls31.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: textshaping.dll
Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: linkinfo.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: ntshrui.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: srvcli.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: cscapi.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
Source: C:\Program Files\Tftpd64_SE\tftpd64_svc.exeSection loaded: apphelp.dll
Source: C:\Program Files\Tftpd64_SE\tftpd64_svc.exeSection loaded: iphlpapi.dll
Source: C:\Program Files\Tftpd64_SE\tftpd64_svc.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile written: C:\Program Files\Tftpd64_SE\tftpd32.ini
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\Program Files\Tftpd64_SE\tftpd64_gui.exeJump to dropped file
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exeJump to dropped file
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\Program Files\Tftpd64_SE\tftpd64_svc.exeJump to dropped file
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\Program Files\Tftpd64_SE\license-tftpd32_SE.txt
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Uninstall Tftpd64_SE.lnk
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Tftpd64_SE Admin.lnk
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tftpd64_SE\Tftpd64_SE Settings.lnk
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc interrogate "Tftpd32_svc"
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe | Dropped PE file which has not been started: C:\Program Files\Tftpd64_SE\tftpd64_gui.exe
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe | Dropped PE file which has not been started: C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe
Source: C:\Windows\System32\svchost.exe TID: 6420 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe | File Volume queried: C:\Program Files FullSizeInformation
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe | File Volume queried: C:\Program Files FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc interrogate "Tftpd32_svc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find "SERVICE_NAME"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc query "Tftpd32_svc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find "SERVICE_NAME"
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK matrix, listed by tactic (a number in parentheses is the count the report shows next to that technique):
  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Windows Management Instrumentation (1), Service Execution (1), At, Cron, Launchd
  • Persistence: Windows Service (1), DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Login Hook, Network Logon Script
  • Privilege Escalation: Windows Service (1), Process Injection (11), DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Network Logon Script
  • Defense Evasion: Masquerading (13), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (3), Process Injection (11), DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: Security Software Discovery (13), Virtualization/Sandbox Evasion (3), File and Directory Discovery (2), System Information Discovery (22), Internet Connection Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact

Antivirus detection (Source / Detection / Scanner):
  • Tftpd64_SE-4.64-setup.exe: 5%, ReversingLabs
  • Tftpd64_SE-4.64-setup.exe: 10%, Virustotal

Antivirus detection, dropped files (Source / Detection / Scanner):
  • C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe: 5%, ReversingLabs
  • C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe: 0%, Virustotal
  • C:\Program Files\Tftpd64_SE\tftpd64_gui.exe: 0%, ReversingLabs
  • C:\Program Files\Tftpd64_SE\tftpd64_gui.exe: 0%, Virustotal
  • C:\Program Files\Tftpd64_SE\tftpd64_svc.exe: 7%, Virustotal
  • C:\Program Files\Tftpd64_SE\tftpd64_svc.exe: 6%, ReversingLabs

No Antivirus matches
No contacted domains info

Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
  • 20.190.190.131: unknown, United States, 8075, MICROSOFT-CORP-MSN-AS-BLOCKUS, false
  • 23.9.183.29: unknown, United States, 16625, AKAMAI-ASUS, false

IP:
  • 127.0.0.1
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1649527
Start date and time:2025-03-26 21:27:18 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:26
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:Tftpd64_SE-4.64-setup.exe
Detection:MAL
Classification:mal60.evad.winEXE@31/12@0/9
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 4.245.163.56
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryValueKey calls found.
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:PDF document, version 1.4, 7 pages
Category:dropped
Size (bytes):34312
Entropy (8bit):7.865880855522421
Encrypted:false
SSDEEP:
MD5:254B5DDBC15269E72BA3A0508681A70C
SHA1:2263AE4C0B71BF7BE09707D8FFE1176807E8C69E
SHA-256:CD5D9E2A925D8DAA92D083FD8C1CEA48DF1BCFFFD857F4F93E2148FDDC5001EC
SHA-512:9BB5A4BF1B5167725E2126CE5152E3BE11B7288C743C0D7C71B98D0551E47BCE417B0B1C0A14FF523A7C90EC9D0B930A0879B31B22F10B0A068F635103FAF504
Malicious:false
Reputation:unknown
Preview:%PDF-1.4..%......1 0 obj..<</Type /Catalog /Pages 3 0 R /Metadata 38 0 R >>endobj....2 0 obj..<</Producer (GPL Ghostscript 8.54)/CreationDate (D:20090119165348+02'00')/ModDate (D:20090119165348)/Title (...e.u.p.l. .v. . .1. .1. .-. .E.N. .f.i.n.a.l)/Creator (...P.D.F.C.r.e.a.t.o.r. .V.e.r.s.i.o.n. .0...9...3)/Author (...e.k.a.m.a)/Keywords ()/Subject ()>>endobj....3 0 obj..<</Type /Pages /Kids [4 0 R 11 0 R 16 0 R 20 0 R 24 0 R 28 0 R 32 0 R ]/Count 7 /Rotate 0 >>endobj....4 0 obj..<</Type /Page /MediaBox [0 0 612 792 ]/Rotate 0 /Parent 3 0 R /Resources <</ProcSet [/PDF /Text ]/Font 10 0 R >>/Contents 5 0 R >>endobj....5 0 obj..<</Length 6 0 R /Filter /FlateDecode >>stream..x..\Ys...~.....1.FyJlU*)U....9..%..(..D.....Lcpu.....\.....F._..7. .f....'........'nP.....|.v......<(..^...<;1.e..Lz.X=..lN.l7.......9O...zs.2~-G5X._<.._N.AJX"/'E\N.q....9(YV|...i..C/)._.8.13......;.............n...B...^.WZN.....N.S5..Yy|.|i..t.'XVn._>X.,z.........&|.rN...._{...t../...2...<...z.
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):38510
Entropy (8bit):6.2422507412013575
Encrypted:false
SSDEEP:
MD5:6866C1AE32B8B28DE3FB9E7C4E8FDDFC
SHA1:4B5FB6FB75F2772EFC190C75FBC89B41AABA04CB
SHA-256:170A7D4C0848A4C14AFB6D3E3EDD32493407658CBC8E2E3C60F380905238E6D1
SHA-512:C643B00F37929C9AF0CB070338160BC7702E38E95E05821F20DA5C3541947FAC4AAB7AD36C4989194665DF6C5323BACB0123621A0825CB3541878584F54EBCD2
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 5%
  • Antivirus: Virustotal, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@.........................................................................$u.......p...............................................................................p..|............................text...f^.......`.................. ..`.rdata.......p.......d..............@..@.data....]...........x..............@....ndata...................................rsrc........p.......~..............@..@................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):152
Entropy (8bit):4.82882755499305
Encrypted:false
SSDEEP:
MD5:7824A4FF97D5683B1E924E852FF7CCC9
SHA1:9FF17CA6C4F4F2E0800D4E32E182DF3342951F3D
SHA-256:A3AD235B1C4197623E997EF0FCCEB5F2464EC5913AE1C872C470E6C82FB1B1F3
SHA-512:B16EDE0158901408B3BA49540AF45596F3422C545684BA7E2369BE7AB8F9DCC758D56A229C8E03A90373C62DC06A236147A6C35A2D139F462F59216278B3D03E
Malicious:false
Reputation:unknown
Preview:TFTPD32 is copyrighted 1998-2011 by Philippe Jounin (philippe@jounin.net) and released under the European Union Public License (see file EUPL-EN.pdf)...
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:MS Windows HtmlHelp Data
Category:dropped
Size (bytes):364722
Entropy (8bit):7.965464243492042
Encrypted:false
SSDEEP:
MD5:DE0095E371874836FB50CD3400D7B204
SHA1:8A1000443A71417C6233F277B87CA6585BEBCA2A
SHA-256:810A0F52703D051B30D5ECD219C72B0599964DE34D1C1912367271C87D4725BF
SHA-512:0BD27DCF930DF12D4FC2F29CAAE8809BE74D124946561D60A6FA0E8D775AB3BAF34DBDE2560BB483A348D769D39C79B9AF9666DAA6EB87770053736D1DF474DB
Malicious:false
Reputation:unknown
Preview:ITSF....`.........(@.......|.{.......".....|.{......."..`...............x.......T.......................................ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...'.../#ITBITS..../#STRINGS...B.@./#SYSTEM..&.T./#TOPICS...'.p./#URLSTR...K.w./#URLTBL.....4./$FIftiMain..../$OBJINST...h.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...d../$WWKeywordLinks/..../$WWKeywordLinks/Property...`../address clipboard.jpg...z..]./dhcp port bound.jpg...5..W./drag and drop.GIF...x..../FAQ.html..e.../file clipboard.jpg...W..!./Getting Started.html..w.../Help Index.html..%.7./History.html..\..../Index.hhk....K./it_works.jpg...D..)./License.html...t..F./overview.html...:.E./Protocols Description.html......./Settings Entries.html...e.P./setup DHCP.html.....(./setup dhcp.jpg...m..../setup global.html.....)./setup global.jpg...l..../setup syslog.html...W.U./setup syslog.jpg...|..+./setup tftpd.html...,.../setup tftpd.jpg..
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:Generic INItialization configuration [TFTPD32]
Category:dropped
Size (bytes):616
Entropy (8bit):5.1459656060648875
Encrypted:false
SSDEEP:
MD5:C973075D00B0BF2D5C4CB18155AD92FB
SHA1:0B1D0A6C40DA12B81E6BAB942A6631F19E18F1FC
SHA-256:0C00CBDAE4E3F2F430CA803E2E08BB3CBBA4E83CF9024DBB64DA212B8034E60D
SHA-512:B987AA69A90FC14D0C4E7EBCD7DB6A3C9580F705CE6753104163017975B4E8A1F09C302123C83421943E33A591B509F8EDC398A00FE4932132D32C169DB34FC9
Malicious:false
Reputation:unknown
Preview:[DHCP]..Lease_NumLeases=0..[TFTPD32]..BaseDirectory=...TftpPort=69..Hide=0..WinSize=0..Negociate=1..PXECompatibility=0..DirText=0..ShowProgressBar=1..Timeout=3..MaxRetransmit=6..SecurityLevel=1..UnixStrings=1..Beep=0..VirtualRoot=0..MD5=0..LouserP=..Services=15..TftpLogFile=..SaveSyslogFile=..PipeSyslogMsg=0..LowestUDPPort=0..HighestUDPPort=0..MulticastPort=0..MulticastAddress=..PersistantLeases=1..DHCP Ping=1..DHCP LouserP=..Max Simultaneous Transfers=100..UseEventLog=0..Console Password=tftpd32..Support for port Option=0..UseEventLog=0..Keep transfer Gui=5..Ignore ack for last TFTP packet=0..Enable IPv6=0..
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):299008
Entropy (8bit):6.000375288264343
Encrypted:false
SSDEEP:
MD5:3CE2D744A605DACA17AAB7748ABE00C2
SHA1:129AEDAB12F2399B7E9F46EC7FA926407B619729
SHA-256:96648250FA97068EB1C54989D7DB18F6A46C304E7A6A017E6EA9A7A7D535DF6B
SHA-512:C367F57D8A376EC046EA125FED7F2CF3F5AC7E8D983FA25FDA362ED332592C2BBBCA422E537F5CA43CD2A36B7E643F170671FE8861D7F3B46A89A9E3CEB2C6E8
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t..&0.u0.u0.uU..t:.uU..t6.uU..t..u...t..u...t!.u...t8.u...t:.uU..t!.u0.u..u...t$.u..\u1.u0.4u1.u...t1.uRich0.u........PE..d.....v\.........."......t..........h..........@..................?.......................`..................................................T...............p.......................5..8...........................@5..................0............................text...0s.......t.................. ..`.rdata...............x..............@..@.data........p... ...T..............@....pdata.......p.......t..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):334336
Entropy (8bit):6.138396322407685
Encrypted:false
SSDEEP:
MD5:7EA3BBF84F39CC37C208945461230614
SHA1:A2C2C0912F9632024245007083B0F75C4D520AFE
SHA-256:CFC0FDBF62D6B3BE3960CEE3F27D19D6C81EC125B2856912F331F5413E3F12BE
SHA-512:D6A39DC4471DA3D8EE57BA4A68342B36C1805B3F9CCABB29809D199F0F99393268C90EDFCB99C9E61B91EA0DE3921C70EAB6F725247E80BF33E17EC68385EC27
Malicious:true
Antivirus:
  • Antivirus: Virustotal, Detection: 7%
  • Antivirus: ReversingLabs, Detection: 6%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e...6...6...6...7...6...7...6...7...6...7...6...7...6...7...6...7...6...7...6...6f..6...7...6...6...6..y6...6...7...6Rich...6................PE..d.....v\.........."............................@..................?.......................`.................................................p........ ..(.......t"......................8............................................................................text...p........................... ..`.rdata..~...........................@..@.data............ ..................@....pdata..t".......$..................@..@_RDATA...............@..............@..@.rsrc...(.... .......B..............@..@.reloc..............................@..B........................................................................................................................................................................................
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Feb 27 13:07:34 2019, mtime=Wed Mar 26 19:29:38 2025, atime=Wed Feb 27 13:07:34 2019, length=299008, window=hide
Category:dropped
Size (bytes):900
Entropy (8bit):4.585404675296463
Encrypted:false
SSDEEP:
MD5:12030D1C74C0DB30E55B8CD011E10DAC
SHA1:1091AED16EF72DD581A459A5C7DBCCA3F5518BC6
SHA-256:C1CD496F9A5260701B707ED7E5B7B912654995DB8896D0408DF1A323850C7075
SHA-512:E8665F720622F4FC558BD78A301BB07EADE9BB973A2063DC2135EF0358FBD4DA177A7E13F4BA7C1BA9906CA97ABB724F05A9903EF078C1DD412385D0458C8CB8
Malicious:false
Reputation:unknown
Preview:L..................F.... .....".............".................................P.O. .:i.....+00.../C:\.....................1.....zZ....PROGRA~1..t......O.IzZ......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....zZ....TFTPD6~1..F......zZ..zZ................................T.f.t.p.d.6.4._.S.E.....l.2.....[N.p .TFTPD6~1.EXE..P......[N.pzZ................................t.f.t.p.d.6.4._.g.u.i...e.x.e.......Z...............-.......Y....................C:\Program Files\Tftpd64_SE\tftpd64_gui.exe..:.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.\.t.f.t.p.d.6.4._.g.u.i...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.`.......X.......128757...........hT..CrF.f4... .....4....1....%..hT..CrF.f4... .....4....1....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Nov 28 07:08:04 2013, mtime=Wed Mar 26 19:29:38 2025, atime=Thu Nov 28 07:08:04 2013, length=616, window=hide
Category:dropped
Size (bytes):878
Entropy (8bit):4.574438425554531
Encrypted:false
SSDEEP:
MD5:F968776A00410BB705F44C0000BDFAAD
SHA1:93B92010FCBFE6FF6CBC074D8C8EDA37E5682DC4
SHA-256:6ED3950BDC75AEA40C66D351565044F70016ED61960C3B02862FF2D3227903BA
SHA-512:AE77F78A30891DCDFB2837119F2F4236B235644ED0882B3A48E53444AE8253DD72C228AA706435703421E33A1CDCCC31E36A064CBDD655B0C733DAFF238F88E2
Malicious:false
Reputation:unknown
Preview:L..................F.... ............@.............h.......................{....P.O. .:i.....+00.../C:\.....................1.....zZ....PROGRA~1..t......O.IzZ......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....zZ....TFTPD6~1..F......zZ..zZ................................T.f.t.p.d.6.4._.S.E.....b.2.h...|C.A .tftpd32.ini.H......|C.AzZ................................t.f.t.p.d.3.2...i.n.i.......V...............-.......U....................C:\Program Files\Tftpd64_SE\tftpd32.ini..6.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.\.t.f.t.p.d.3.2...i.n.i...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.`.......X.......128757...........hT..CrF.f4... .....4....1....%..hT..CrF.f4... .....4....1....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Mar 26 19:29:38 2025, mtime=Wed Mar 26 19:29:38 2025, atime=Wed Mar 26 19:29:38 2025, length=38510, window=hide
Category:dropped
Size (bytes):945
Entropy (8bit):4.622743603666894
Encrypted:false
SSDEEP:
MD5:7863631FAAEA7587C09B4561019AE737
SHA1:301D64543AF2ABD18FB3FB5F68CEB3892D21E480
SHA-256:826579419DA3C3CD1E5B274CB4D51F0FA91694AAE7BB6B080D80134C452F30D3
SHA-512:2C446E2DEC6744C8A307BBE1B57BB1C9E39B48297628BC2210B5F66D904E7B759988C97E2D110997D53B3733FEC5E8089CE047D3A03BE77281720313395328F2
Malicious:false
Reputation:unknown
Preview:L..................F.... ...7......7......7......n............................P.O. .:i.....+00.../C:\.....................1.....zZ....PROGRA~1..t......O.IzZ......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....zZ....TFTPD6~1..F......zZ..zZ................................T.f.t.p.d.6.4._.S.E.....~.2.n...zZ.. .TFTPD6~3.EXE..b......zZ..zZ................................T.f.t.p.d.6.4._.S.E.-.u.n.i.n.s.t.a.l.l...e.x.e.......c...............-.......b....................C:\Program Files\Tftpd64_SE\Tftpd64_SE-uninstall.exe..C.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.\.T.f.t.p.d.6.4._.S.E.-.u.n.i.n.s.t.a.l.l...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.`.......X.......128757...........hT..CrF.f4... .....4....1....%..hT..CrF.f4... .....4....1....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process:C:\Users\user\Desktop\Tftpd64_SE-4.64-setup.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Feb 27 13:07:34 2019, mtime=Wed Mar 26 19:29:38 2025, atime=Wed Feb 27 13:07:34 2019, length=299008, window=hide
Category:dropped
Size (bytes):882
Entropy (8bit):4.602030719696917
Encrypted:false
SSDEEP:
MD5:3580EF8EA1832DCC66DC3363CF1E4B87
SHA1:4C0A48DC5AD634D8CD2D10BE3D2D401B0850D716
SHA-256:6E1C43E3A8A4A11BF5C7198F8F718418E40231813E257A817A4C881742A6226D
SHA-512:E4C600462BA26AD90009EBA48B1AC4E7743367509C12C2B20010E264A2CF37115953FBE99CE6DED2AAC58B18F2D7A362FC82790C545CEC449B2B44699AC3A4B9
Malicious:false
Reputation:unknown
Preview:L..................F.... .....".....I ......".................................P.O. .:i.....+00.../C:\.....................1.....zZ....PROGRA~1..t......O.IzZ......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....zZ....TFTPD6~1..F......zZ..zZ................................T.f.t.p.d.6.4._.S.E.....l.2.....[N.p .TFTPD6~1.EXE..P......[N.pzZ................................t.f.t.p.d.6.4._.g.u.i...e.x.e.......Z...............-.......Y....................C:\Program Files\Tftpd64_SE\tftpd64_gui.exe..1.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.\.t.f.t.p.d.6.4._.g.u.i...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.f.t.p.d.6.4._.S.E.`.......X.......128757...........hT..CrF.f4... .....4....1....%..hT..CrF.f4... .....4....1....%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process:C:\Program Files\Tftpd64_SE\tftpd64_svc.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):36
Entropy (8bit):4.162573265150911
Encrypted:false
SSDEEP:
MD5:42C2B43B4BB6B6A8AE1A1CC9C2105D97
SHA1:3888091B87AE75AB3303C9BA1E5858550FEF4279
SHA-256:C476CFCD15C70E06B88B7AB35C30603E0CB6E3EF06FAD56AF6CBB75F4CD721B5
SHA-512:52453D169FB62639CDC82B5A497244B8384A3CFBD7D4277437B2C2AC65E1DEDEE36C96BE72848C56327723E353CECA7CA59164511031F4C2F8E5316CA2B36870
Malicious:false
Reputation:unknown
Preview:Tftpd32 service edition installed...
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.983079667091566
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Tftpd64_SE-4.64-setup.exe
File size:752'999 bytes
MD5:e82de432d59c3cc20a0f67e05b4395d4
SHA1:503c0054c5c542d879278fe1256f3ceb385f49bc
SHA256:b05eb78f7b65dcea23973055687483d2bb4f6553641cf09d824a5a13a57c5d86
SHA512:e028759045cd3baece135f31d97ecc506b697cd83eaf6dfc354a320a8c9bc75928a60db6ce1b656d8f653696ee977de0af145fa6bebf833f5e0b2d1381cebe19
SSDEEP:12288:sLkcjGAzLxrYPhMp0/J8hlDZYG5IAeKPOFwTM84qpcy+qtv2tSoTqLQby4+:sLNjGSL0hMpK8hf7IWWFA4qphN28o+Ln
TLSH:00F423A126700FF6E21C36F1793EBD6AABB9C6405921343B17906E2FD8141CDED49BC6
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@
Icon Hash:912763910f8eb370
Entrypoint:0x40312a
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:b76363e9cb88bf9390860da8e50999d2
Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+20h], ebx
mov dword ptr [esp+14h], 00409168h
mov dword ptr [esp+1Ch], ebx
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F512D308F43h
push ebx
call 00007F512D30BD24h
cmp eax, ebx
je 00007F512D308F39h
push 00000C00h
call eax
mov esi, 00407280h
push esi
call 00007F512D30BCA0h
push esi
call dword ptr [00407108h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F512D308F1Dh
push 0000000Dh
call 00007F512D30BCF8h
push 0000000Bh
call 00007F512D30BCF1h
mov dword ptr [0042EC24h], eax
call dword ptr [00407038h]
push ebx
call dword ptr [0040726Ch]
mov dword ptr [0042ECD8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429058h
call dword ptr [0040715Ch]
push 0040915Ch
push 0042E420h
call 00007F512D30B924h
call dword ptr [0040710Ch]
mov ebp, 00434000h
push eax
push ebp
call 00007F512D30B912h
push ebx
call dword ptr [00407144h]
Programming Language:
  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7524 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x13c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5e66 | 0x6000 | d22b359417726295d1d61eaac63c3d95 | False | 0.6705729166666666 | data | 6.440655734359132 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x12a2 | 0x1400 | 68295528d67e59e0536c9d80519cbe96 | False | 0.4455078125 | data | 5.058328787102383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x25d18 | 0x600 | 82232fd09381275af53acb18fd24a88b | False | 0.458984375 | data | 4.18773476617059 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2f000 | 0x8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x37000 | 0x13c8 | 0x1400 | e2fb08d4b42e6d4b895b270caf7b674b | False | 0.3416015625 | data | 4.289354678693222 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x372c8 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x37630 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.43010752688172044
RT_ICON | 0x37918 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.3581081081081081
RT_DIALOG | 0x37a40 | 0xb8 | data | English | United States | 0.6467391304347826
RT_DIALOG | 0x37af8 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x37c40 | 0x13c | data | English | United States | 0.5506329113924051
RT_DIALOG | 0x37d80 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x37e80 | 0x11c | data | English | United States | 0.6091549295774648
RT_DIALOG | 0x37fa0 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x38068 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x380c8 | 0x22 | data | English | United States | 0.9705882352941176
RT_MANIFEST | 0x380f0 | 0x2d7 | XML 1.0 document, ASCII text, with very long lines (727), with no line terminators | English | United States | 0.562585969738652
DLL | Import
KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |