Behavioral Indicators

Severity: 100     Confidence: 95

Artifact Flagged Malicious by Antivirus Service

An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false positives. Online services such as VirusTotal and Reversing Labs scan a file with multiple antivirus engines and combine the results of all engines to make a more accurate determination. One or more of these services has indicated with a high degree of confidence that the file is malicious. The results of the individual antivirus engine scans are displayed where available.

Artifact ID | SHA256 | Detections
6306ac4abb03d250b51eceb20e15ec6a70bfa4da375040838991a5c96db132b6

Antiy-AVL: "GrayWare/Win32.FusionCore"
Avira: "PUA/Fusion.avf"
CAT-QuickHeal: "Trojan.Agent"
Comodo: "Malware@#1wid4yvr0cvxc"
Cylance: "Unsafe"
Cyren: "W32/FusionCore.CRIW-3837"
ESET-NOD32: "a variant of Win32/FusionCore.AM potentially unwanted"
F-Prot: "W32/FusionCore.E"
F-Secure: "PotentialRisk.PUA/Fusion.avf"
Fortinet: "Riskware/FusionCore"
GData: "Win32.Trojan.Agent.MS1CF9"
Malwarebytes: "Adware.FusionCore"
McAfee: "Artemis!B1F4DD5BCCA1"
McAfee-GW-Edition: "Artemis"
Microsoft: "PUA:Win32/Vigua.A"
Panda: "PUP/BundleInstaller"
Reversing Labs: "Win32.PUA.Fusioncore"
Rising: "PUA.FusionCore!8.124 (CLOUD)"
Sophos: "Generic PUA EC (PUA)"
Symantec: "PUA.InstallCore"

Severity: 90     Confidence: 90

Cisco Umbrella Categorized Domain As Adware

A domain referenced during the sample run has been categorized as adware by Cisco Umbrella. Cisco Umbrella is a cloud security platform which provides additional detail about network activity, such as security and content categorization for domains. Adware is a special type of malware that typically causes no harm to the computer or user, but may modify the behaviour of programs or operating systems to display ads. Adware often includes some kind of persistence, and is generally an unwanted program. Being categorized as adware by Cisco Umbrella suggests that the site hosts freeware that comes bundled with adware, so caution should be taken when navigating to these sites.

Domain | Categories | Security
cdnus.tourtodaylaboratory.com | Adware | Potentially Harmful
img.tourtodaylaboratory.com | Adware | Potentially Harmful

Severity: 90     Confidence: 90

Cisco Umbrella Categorized Domain As Potentially Harmful

A domain referenced during the sample run has been categorized as potentially harmful by Cisco Umbrella. Cisco Umbrella is a cloud security platform which provides additional detail about network activity, such as security and content categorization for domains. Being categorized as potentially harmful suggests that malicious activity has been seen on, or at least associated with, the domain in question. It is also possible that Cisco Umbrella has detected an exploit which has yet to be classified by an analyst. These domains should be handled very carefully.

Domain | Categories | Security
cdnus.tourtodaylaboratory.com | Adware | Potentially Harmful
rp.tourtodaylaboratory.com | | Potentially Harmful
img.tourtodaylaboratory.com | Adware | Potentially Harmful
os.tourtodaylaboratory.com | | Potentially Harmful
cdneu.tourtodaylaboratory.com | | Potentially Harmful

Severity: 90     Confidence: 90

Machine Learning Model Identified Executable Artifact as Likely Malicious

A machine learning model has determined that one or more artifacts are likely malicious. The model is trained on a very large number of samples. The output of the training is a decision engine that takes static features of executables as input and returns a verdict of malicious or unknown. In general, no single feature of an artifact will cause it to be determined as malicious; rather, the decision engine uses all features of the artifact together to come up with a verdict.

Artifact ID | SHA256 | Path
| dbb24d9f16453f8d300a0ea5af670ad6fd54826e9846240789ad2ee382489867 | \Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe
| 13d5ccab51f599bca0f0e92b252bae9d6a1b6dda3621a44b09e96d05d1daa8f4 | avast_free_antivirus_setup_online_x64.exe

Severity: 85     Confidence: 90

Network Stream Marked by Snort as Shellcode

A Snort rule identified a network stream that may contain shellcode. Snort is an intrusion prevention system that watches network traffic for unusual and/or malicious material. In this case, the rule belongs to a set that checks for byte patterns common to shellcode.

Network Stream | IP | Gid | Sid | Rev | Message
| 72.22.185.200 | 1 | 648 | 18 | INDICATOR-SHELLCODE x86 NOOP

Severity: 75     Confidence: 100

Command Exe File Deletion Detected

A process deleted a file using cmd.exe. Malware authors will often delete the original binary and the files containing configuration instructions and commands once they have been used, in order to remove any visible evidence of the malware infection.

Process ID | Process Name | Command Line
cmd.exe
/d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT" "C:\Users\ADMINI~1\AppData\Local\Temp\ns20813EE1\0928F64C_stp\avastfreeantivirussetuponline.m.exe" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062381.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~1.DAT"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628531.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628532.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ff.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628531.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628532.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062381.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062382.dat" "C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\WinBee.ico" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062381.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062382.dat"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ie.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281321.dat"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281321.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281322.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\Sqlite3.dll" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281321.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281322.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628531.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628532.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat" "C:\Users\ADMINI~1\AppData\Local\{C373F~1\Sqlite3.dll" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat"
cmd.exe
/d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D39719~2.DAT" "C:\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~1.DAT" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~2.DAT"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~2.DAT"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281322.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062382.dat"

Severity: 75     Confidence: 100

App Path Registry Key Modified

An App Path registry key was modified. These particular keys allow users to run programs by their common name rather than their full path. Malware can replace the path of a legitimate executable with its own malicious file.

Process ID | Process Name | RegKey Name | RegKey Value Name | RegKey Data
| FileZilla_3.41.1_win64-setup_bundled.exe | MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\FILEZILLA.EXE | Path | C:\Program Files\FileZilla FTP Clients\\0
| FileZilla_3.41.1_win64-setup_bundled.exe | MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\FILEZILLA.EXE | | C:\Program Files\FileZilla FTP Client\filezilla.exes\\0

Severity: 80     Confidence: 90

Process Modified a File in the Program Files Directory

Malware will modify files within the Program Files directory to hamper legitimate applications (such as security software) and to appear as a legitimate application on the system. Other reasons for such modification include attempts to remove evidence of malicious software activity.

Severity: 70     Confidence: 100

Excessive Number of DNS Queries

An excessive number of DNS queries was detected. Malware will generally attempt to make contact with its command and control infrastructure when it is first executed. Malware that makes use of domain generation algorithms will often query a large number of domains looking for an active command and control server. In addition, adware and potentially unwanted applications often attempt to resolve a large number of domains.

Severity: 80     Confidence: 80

File Name of Executable on Disk Does Not Match Original File Name

Most compilers add a resource to PE files called "Version Info". The Version Info resource contains metadata about the PE file, including the PE file's original filename. The original filename attribute can be used to determine if the PE's filename was changed from the name it had when it was originally compiled. Most legitimate software will not change the name of PE files from their original name.

Path                                                   | Original Filename
------------------------------------------------------ | -----------------
\Program Files\FileZilla FTP Client\fzsftp.exe         | FZSFTP
\Program Files\FileZilla FTP Client\fzputtygen.exe     | FZSFTP
\Program Files\FileZilla FTP Client\fzshellext_64.dll  | fzshellext.dll
Severity: 70     Confidence: 90

Excessive File Modification by Process

A process was found that made an extraordinarily large number of file modifications. Most processes will perform some file modification to a single file or a small set of files. Installers may write many files. While these file modifications are not necessarily malicious, modification of more than a hundred files is suspicious. Viruses and ransomware may modify hundreds or thousands of files on a system in a short time.

Process Name                             | File Count
---------------------------------------- | ----------
FileZilla_3.41.1_win64-setup_bundled.exe | 881
Severity: 60     Confidence: 100

Process Modified an Executable File

Malware will modify executables on a system, to hide logs or other evidence. Also, by modifying various executables it can disable functionality in the system which may detect or hamper the operation of the malware. Lastly, it may be attempting to hide an executable, so that it appears to be a legitimate file. Please review the 'Disk Artifacts' section in order to view additional details about this file.

Process Name                             | Path
---------------------------------------- | ----
FileZilla_3.41.1_win64-setup_bundled.exe | \Program Files\FileZilla FTP Client\filezilla.exe
FileZilla_3.41.1_win64-setup_bundled.exe | \Program Files\FileZilla FTP Client\fzstorj.exe
FileZilla_3.41.1_win64-setup_bundled.exe | \Program Files\FileZilla FTP Client\fzputtygen.exe
FileZilla_3.41.1_win64-setup_bundled.exe | \Program Files\FileZilla FTP Client\uninstall.exe
FileZilla_3.41.1_win64-setup_bundled.exe | \Program Files\FileZilla FTP Client\fzsftp.exe
avast_free_antivirus_setup_online_x64.exe | \Windows\Temp\asw.ded71fac308702df\Instup.exe
cmd.exe                                  | \Users\ADMINI~1\AppData\Local\Temp\ns20813EE1\0928F64C_stp\avastfreeantivirussetuponline.m.exe
avastfreeantivirussetuponline.m.exe      | \Windows\Temp\asw.6b0ce27d0b5a5fb7\avast_free_antivirus_setup_online_x64.exe
cmd.exe                                  | \Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe
Severity: 60     Confidence: 95

Process Created an Executable in a User Directory

Malware will often create a new executable file in a user directory such as 'Local Settings' or 'Application Data' in an attempt to hide its presence on the system. Often the name of the file is similar to the name of common system or user files. This is done to hide the executable, as the user may believe it's a legitimate file. Please review the 'Disk Artifacts' section in order to view additional details about this file.

Process Name | Path
------------ | ----
cmd.exe      | C:\Users\ADMINI~1\AppData\Local\Temp\ns20813EE1\0928F64C_stp\avastfreeantivirussetuponline.m.exe
cmd.exe      | C:\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe
Severity: 75     Confidence: 75

Outbound HTTP GET Request

An outbound HTTP GET request to a remote server was detected. This is not inherently suspicious, but malware will often use GET requests to check in with its command and control servers upon infection, or to download or exfiltrate data. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.

Severity: 70     Confidence: 80

Process Modified File in a User Directory

Malware will modify files in user directories to hide logs or other evidence. Also, by modifying various files it can disable functionality in the system which may detect or hamper the operation of the malware. Lastly, it may be attempting to hide an executable, so that it appears to be a legitimate file. Please review the 'Disk Artifacts' section in order to view additional details about this file.

Severity: 70     Confidence: 80

Public DNS Server Contacted

DNS network traffic was sent to a known public DNS server that is not the system's assigned DNS server. A small number of reliable public DNS servers are available for public use. For example, Google maintains the DNS servers at 8.8.8.8 and 8.8.4.4. The use of a public DNS server is not by itself malicious, but could indicate attempts to evade network filtering or hide malicious data.

IP      | Port
------- | ----
8.8.8.8 | 53
8.8.8.8 | 53
8.8.8.8 | 53
8.8.8.8 | 53
8.8.8.8 | 53
8.8.8.8 | 53
Severity: 70     Confidence: 80

Network Stream Marked by Snort as Containing Sensitive Data

A Snort rule identified a network stream as likely carrying sensitive data. Snort is an intrusion prevention service that watches network traffic for unusual and/or malicious material. In this case, the rule belongs to a set that checks for the transfer of sensitive information over the network. Sensitive data can include credit card numbers, social security numbers and email addresses.

IP            | Gid | Sid | Rev | Message
------------- | --- | --- | --- | -------
52.36.172.181 | 138 | 5   | 1   | SENSITIVE-DATA Email Addresses
52.36.172.181 | 138 | 5   | 1   | SENSITIVE-DATA Email Addresses
52.36.172.181 | 138 | 5   | 1   | SENSITIVE-DATA Email Addresses
52.36.172.181 | 138 | 5   | 1   | SENSITIVE-DATA Email Addresses
52.36.172.181 | 138 | 5   | 1   | SENSITIVE-DATA Email Addresses
Severity: 70     Confidence: 80

Network Stream Marked by Snort as Containing Executable

A Snort rule identified a network stream as possibly carrying an executable program. Snort is an intrusion prevention service that watches network traffic for unusual and/or malicious material. In this case, the rule belongs to a set that checks for material concerning executable filetypes (such as PE files for Windows). These rules either note the presence of executable code or warn of known patterns associated with packers or vulnerabilities.

IP            | Gid | Sid   | Rev | Message
------------- | --- | ----- | --- | -------
72.22.185.200 | 1   | 15306 | 22  | FILE-EXECUTABLE Portable Executable binary file magic detected
72.22.185.200 | 1   | 11192 | 20  | FILE-EXECUTABLE download of executable content
Severity: 60     Confidence: 90

Downloaded PE Executable

A PE executable was downloaded over the network. While this does not necessarily imply that it is malicious, it is suspicious. Malware will often download additional executables for added capabilities and so this file should be reviewed for additional activity that might be suspicious.

Severity: 60     Confidence: 80

File Uploaded to the Network

A file was uploaded to the network using HTTP. Legitimate programs do this at the user's direction or to provide needed information to an online service. Malware may enumerate a disk using standard tools to gather information, which is sent back to a command and control server for a more targeted second-stage attack.

Severity: 60     Confidence: 80

Process Registered COM Server DLL

Of the subkeys under a COM class's CLSID key, InProcServer32 is the one of most interest. Its default value holds the path of the DLL that implements the class, or a Windows Installer Darwin descriptor that resolves to one. When an application or script calls an API such as CreateObject, the operating system looks up the ProgID in the registry, maps it to its CLSID, and then reads that CLSID's InProcServer32 value to find the DLL to load into the calling process. Because the loader trusts whatever path is registered there, writing InProcServer32 is also a standard persistence and hijacking technique: an entry under HKCU\Software\Classes takes precedence over the HKLM one, and a server path in a user-writable directory is the usual sign of abuse. The entries below register the FileZilla shell extension twice, once under WOW6432Node for 32-bit hosts (written by the installer) and once for 64-bit hosts (written by regsvr32.exe), both pointing into the installation directory.

Process Name | RegKey Name | RegKey Data
FileZilla_3.41.1_win64-setup_bundled.exe | MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\INPROCSERVER32 | C:\Program Files\FileZilla FTP Client\fzshellext.dlls\\0
regsvr32.exe | MACHINE\SOFTWARE\CLASSES\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\INPROCSERVER32 | C:\Program Files\FileZilla FTP Client\fzshellext_64.dlls\\0
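
The lookup described above, as an added example rather than the sandbox's own code: it resolves a ProgID the way the COM loader does (per-user classes over machine-wide ones, WOW6432Node for 32-bit callers) against an in-memory registry snapshot in the key style this report prints, then audits the resulting InProcServer32 entry for the hijack pattern. The CLSID and DLL paths come from the table; the ProgID FileZilla.ShellExt, the user SID and the Example.Viewer class with its per-user override are constructed for the demonstration.

```python
# Added example: COM ProgID -> CLSID -> InProcServer32 resolution and a hijack audit.
# REGISTRY is a constructed snapshot; keys use the MACHINE\... / USER\<SID>\... form the
# sandbox prints, and each entry holds the key's default value.
TRUSTED_DIRS = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\",
                "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"   # constructed
FZ = "{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}"                # CLSID from the report
EX = "{0BADC0DE-0000-4000-8000-000000000001}"                # constructed second class

REGISTRY = {
    r"MACHINE\SOFTWARE\CLASSES\FILEZILLA.SHELLEXT\CLSID": FZ,   # ProgID name is assumed
    rf"MACHINE\SOFTWARE\CLASSES\CLSID\{FZ}\INPROCSERVER32":
        r"C:\Program Files\FileZilla FTP Client\fzshellext_64.dll",
    rf"MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FZ}\INPROCSERVER32":
        r"C:\Program Files\FileZilla FTP Client\fzshellext.dll",
    r"MACHINE\SOFTWARE\CLASSES\EXAMPLE.VIEWER\CLSID": EX,
    rf"MACHINE\SOFTWARE\CLASSES\CLSID\{EX}\INPROCSERVER32": r"C:\Windows\System32\exviewer.dll",
    # constructed per-user override: the shape of a COM hijack
    rf"USER\{USER_SID}\SOFTWARE\CLASSES\CLSID\{EX}\INPROCSERVER32":
        r"C:\Users\Administrator\AppData\Local\Temp\exviewer.dll",
}


def _lookup(subkey, user_sid):
    """HKCR is HKCU\\Software\\Classes merged over HKLM\\Software\\Classes; the user hive wins."""
    for hive in (rf"USER\{user_sid}", "MACHINE"):
        data = REGISTRY.get(rf"{hive}\SOFTWARE\CLASSES\{subkey}".upper())
        if data is not None:
            return hive, data
    return None


def resolve_inproc_server(progid, user_sid=USER_SID, wow64=False):
    """Return (clsid, hive, dll_path) as the loader would resolve it, or None."""
    hit = _lookup(rf"{progid}\CLSID", user_sid)
    if hit is None:
        return None
    clsid = hit[1]
    node = r"WOW6432NODE\CLSID" if wow64 else "CLSID"   # 32-bit callers are redirected
    hit = _lookup(rf"{node}\{clsid}\INPROCSERVER32", user_sid)
    return None if hit is None else (clsid, hit[0], hit[1])


def audit_inproc_server(clsid, user_sid=USER_SID, wow64=False):
    """Findings that distinguish an installer's registration from a hijack."""
    node = r"WOW6432NODE\CLSID" if wow64 else "CLSID"
    user = REGISTRY.get(rf"USER\{user_sid}\SOFTWARE\CLASSES\{node}\{clsid}\INPROCSERVER32".upper())
    machine = REGISTRY.get(rf"MACHINE\SOFTWARE\CLASSES\{node}\{clsid}\INPROCSERVER32".upper())
    effective = user if user is not None else machine
    findings = []
    if user is not None and machine is not None:
        findings.append("per-user InProcServer32 shadows the machine-wide registration")
    if effective is not None and not effective.upper().startswith(TRUSTED_DIRS):
        findings.append("server DLL outside a trusted install directory: " + effective)
    return findings


if __name__ == "__main__":
    for progid in ("FileZilla.ShellExt", "Example.Viewer"):
        clsid, hive, path = resolve_inproc_server(progid)
        print(progid, "->", clsid, hive, path, audit_inproc_server(clsid) or "ok")
```

Run against a live system the snapshot would be replaced by winreg reads of the same key paths; the precedence and trusted-directory rules do not change.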
Severity: 60     Confidence: 80

Static Analysis Flagged Artifact As Anomalous

A static analysis rule identified an artifact with one or more anomalous characteristics. Anomalies can stem from quirks of the tool that generated the file or from misreadings of the format, and malware uses them deliberately to confuse antivirus parsers and hide code in unusual locations. The rule here fired because the Avast installer references a physical drive (typically a \\.\PhysicalDriveN device path). For an antivirus installer that performs raw disk access this is expected; in an unknown sample the same reference would point at boot-sector or raw-disk manipulation.

SHA256 | Path | Rule | Description
13d5ccab51f599bca0f0e92b252bae9d6a1b6dda3621a44b09e96d05d1daa8f4 | avast_free_antivirus_setup_online_x64.exe | pe_physical_disk | PE makes reference to the physical drive.
Severity: 50     Confidence: 80

Command Exe File Execution Detected

A process executed a file using cmd.exe. Malware authors often launch batch or shell scripts that rely on Windows shell utilities, or use cmd.exe to open an interactive command shell. The lines below all follow one pattern: copy /B /Y joins two dropped .dat fragments into a single file (an executable, a DLL or a data file) and del then removes the fragments; /d disables AutoRun commands from the registry and TIMEOUT 1 inserts a one-second delay before the copy. Splitting a payload into fragments that are only reassembled at install time is a common way for bundlers to keep the complete executable off disk until the last moment, which also defeats file-based scanning of the fragments.

Process ID | Process Name | Command Line
cmd.exe
/d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT" "C:\Users\ADMINI~1\AppData\Local\Temp\ns20813EE1\0928F64C_stp\avastfreeantivirussetuponline.m.exe" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062381.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~1.DAT"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat" "C:\Users\ADMINI~1\AppData\Local\{C373F~1\Sqlite3.dll"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628531.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628532.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ff.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628531.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628532.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ie.dat"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062381.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062382.dat" "C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\WinBee.ico" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062381.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062382.dat"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ie.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628531.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628532.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ff.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281321.dat"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281321.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281322.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\Sqlite3.dll" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281321.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281322.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628531.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281321.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281322.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\Sqlite3.dll"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628532.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat" "C:\Users\ADMINI~1\AppData\Local\{C373F~1\Sqlite3.dll" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062381.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062382.dat" "C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\WinBee.ico"
cmd.exe
/d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D39719~2.DAT" "C:\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~1.DAT" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~2.DAT"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~2.DAT"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281322.dat"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D39719~2.DAT" "C:\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT" "C:\Users\ADMINI~1\AppData\Local\Temp\ns20813EE1\0928F64C_stp\avastfreeantivirussetuponline.m.exe"
cmd.exe
cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062382.dat"
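
Detection logic for the split-payload pattern above, added here as an example and not part of the sandbox or the report. It peels the cmd /d /c wrappers, finds copy commands with a plus-joined source list, and pairs each reassembled file with the del commands that wiped its fragments. LOG is constructed from the recorded lines (8.3 short names kept as printed) plus one ordinary single-file copy as a control; the scoring weights are illustrative.

```python
import re

# Constructed from the command lines in the report, plus a benign control on the last line.
LOG = [
    r'/d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT" "C:\Users\ADMINI~1\AppData\Local\Temp\ns20813EE1\0928F64C_stp\avastfreeantivirussetuponline.m.exe" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT"',
    r'cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat" "C:\Users\ADMINI~1\AppData\Local\{C373F~1\Sqlite3.dll"',
    r'cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat"',
    r'cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat"',
    r'cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ie.dat"',
    r'cmd /d /c copy /Y "C:\Users\Administrator\Documents\notes.txt" "C:\Users\Administrator\Desktop\notes.txt"',
]

WRAPPER = re.compile(r"^(?:cmd(?:\.exe)?\s+)?(?:/[dc]\s+)+", re.I)
COPY = re.compile(r'^copy\s+(?P<flags>(?:/\w\s+)*)(?P<src>"[^"]*"(?:\s*\+\s*"[^"]*")*)\s+(?P<dst>"[^"]*")', re.I)
DEL = re.compile(r'^(?:del|erase)\s+(?:/\w\s+)*(?P<target>"[^"]*"|\S+)', re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx")


def split_commands(cmdline):
    """Split on the '&' chain operator and peel 'cmd /d /c' wrappers off each part.
    A quoted path containing ' & ' would confuse this split; none occur in the report."""
    cmds = []
    for part in cmdline.split(" & "):
        part = part.strip()
        while True:
            m = WRAPPER.match(part)
            if not m:
                break
            part = part[m.end():]
        cmds.append(part)
    return cmds


def detect_reassembly(lines):
    """Return one event per multi-source copy, with a score of 1 to 4."""
    events, deleted = [], set()
    for n, line in enumerate(lines):
        for cmd in split_commands(line):
            m = COPY.match(cmd)
            if m:
                sources = re.findall(r'"([^"]*)"', m.group("src"))
                if len(sources) < 2:
                    continue                       # plain single-file copy
                dest = m.group("dst").strip('"')
                events.append({"line": n, "dest": dest, "sources": sources,
                               "binary": "/b" in m.group("flags").lower(),
                               "exec_dest": dest.lower().endswith(EXEC_EXT)})
                continue
            m = DEL.match(cmd)
            if m:
                deleted.add(m.group("target").strip('"').lower())
    for ev in events:
        ev["sources_deleted"] = all(s.lower() in deleted for s in ev["sources"])
        # concatenation itself, binary mode, executable output, fragments wiped afterwards
        ev["score"] = 1 + ev["binary"] + ev["exec_dest"] + ev["sources_deleted"]
    return events


if __name__ == "__main__":
    for ev in detect_reassembly(LOG):
        print(ev["score"], ev["dest"], "<-", len(ev["sources"]), "fragments",
              "(deleted)" if ev["sources_deleted"] else "")
```

The del commands arrive on separate lines as often as on the same line, so the fragment bookkeeping has to span the whole log rather than one command line.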
Severity: 80     Confidence: 50

Process Created a File in the Windows Start Menu Folder

A new file was added under the Windows Start Menu folder. Only the Startup subfolder (Start Menu\Programs\Startup, per user or for all users) causes files to run at logon; shortcuts placed elsewhere under Start Menu\Programs merely appear in the menu. The paths below are in the application's own program group, not in Startup, so they add menu entries for FileZilla and its uninstaller rather than persistence; ~ileZilla.tmp is a temporary file the installer created alongside them. Please review the 'Disk Artifacts' section for additional details about these files.

Process Name | Path
FileZilla_3.41.1_win64-setup_bundled.exe | \ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client\~ileZilla.tmp
FileZilla_3.41.1_win64-setup_bundled.exe | \ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client\FileZilla.lnk
FileZilla_3.41.1_win64-setup_bundled.exe | \ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client\Uninstall.lnk
Severity: 50     Confidence: 70

Executable Artifact Imports Process Status DLL

An executable file imports from the Process Status library (psapi.dll), which lets a process enumerate the processes, device drivers and loaded modules on the system. Legitimate uses include debuggers and system utilities. Malware may use the same calls to look for antivirus products or analysis tools so that it can disable or evade them. The functions imported here (GetProcessImageFileNameW, GetMappedFileNameW, GetProcessMemoryInfo) resolve the name or memory statistics of a given process or mapping rather than walk the whole process list, which is consistent with an installer inspecting itself or its children.

Path | Function
536-instup.exe | GetProcessImageFileNameW
536-instup.exe | GetMappedFileNameW
\Program Files\FileZilla FTP Client\fzstorj.exe | GetProcessMemoryInfo
1392-instup.exe | GetMappedFileNameW
1392-instup.exe | GetProcessImageFileNameW
Severity: 50     Confidence: 70

Executable Artifact Imports Tool Help Functions

An executable file imports one or more of the Tool Help functions (CreateToolhelp32Snapshot, Process32First/Process32Next and their module, thread and heap equivalents), which take a snapshot of the running processes and their modules, threads and heap allocations. Legitimate uses include debuggers and system utilities. Malware uses these functions to scan the process list for antivirus programs or analysis tools so that it can disable or circumvent them. fzstorj.exe is the only artifact here importing the snapshot trio.

Path | Function
\Program Files\FileZilla FTP Client\fzstorj.exe | Process32First
\Program Files\FileZilla FTP Client\fzstorj.exe | Process32Next
\Program Files\FileZilla FTP Client\fzstorj.exe | CreateToolhelp32Snapshot
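
How a static rule arrives at the two indicators above (psapi.dll imports and Tool Help imports), as an added example that is not the sandbox's parser: a struct-only reader for the PE import directory, so it runs without pefile, followed by the two checks. The same reader returns an empty table for a file with no import directory, which is what the "Windows Executable Without Library Imports" indicator further down this page reports. The PE32+ image it scans is built in memory by build_sample_pe() and is a constructed test image, not an artifact from this report.

```python
import struct

# Tool Help function names (the snapshot API in kernel32.dll).
TOOLHELP = {"CreateToolhelp32Snapshot", "Process32First", "Process32Next", "Process32FirstW",
            "Process32NextW", "Module32First", "Module32Next", "Module32FirstW", "Module32NextW",
            "Thread32First", "Thread32Next", "Heap32ListFirst", "Heap32ListNext"}
# Constructed import map for the test image; the function names are the ones in the tables above.
SAMPLE_IMPORTS = {"psapi.dll": ["GetProcessImageFileNameW", "GetMappedFileNameW"],
                  "kernel32.dll": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next", "CreateFileW"]}


def _rva_to_offset(sections, rva):
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll: [imported names or 'ordinal#N']}; {} when there is no import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # the data directory follows the optional header body; the import table is entry 1
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + (112 if is64 else 96) + 8)
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8) for i in range(nsections)]
    imports = {}
    if imp_rva == 0 or imp_size == 0:
        return imports
    fmt, step, ordinal_bit = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    desc = _rva_to_offset(sections, imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and iat == 0:
            break                                      # all-zero descriptor ends the array
        dll = _cstring(data, _rva_to_offset(sections, name_rva)).lower()
        thunk = _rva_to_offset(sections, ilt or iat)   # fall back to the IAT if the ILT was stripped
        names = []
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_bit:
                names.append("ordinal#%d" % (entry & 0xFFFF))
            else:                                      # IMAGE_IMPORT_BY_NAME: u16 hint, then the name
                names.append(_cstring(data, _rva_to_offset(sections, entry & 0x7FFFFFFF) + 2))
            thunk += step
        imports[dll] = names
        desc += 20
    return imports


def enumeration_flags(imports):
    """The two indicators above plus the no-import case."""
    flags = []
    if imports.get("psapi.dll"):
        flags.append(("psapi", sorted(imports["psapi.dll"])))
    toolhelp = sorted(f for f in imports.get("kernel32.dll", []) if f in TOOLHELP)
    if toolhelp:
        flags.append(("toolhelp", toolhelp))
    if not imports:
        flags.append(("no-imports", []))
    return flags


def build_sample_pe(import_map):
    """Minimal PE32+ with one .idata section at RVA 0x1000, file offset 0x200 (test image only)."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_size = 20 * (len(import_map) + 1)
    tail, descs = bytearray(), b""
    for dll, funcs in import_map.items():
        name_rvas = []
        for f in funcs:
            name_rvas.append(sec_rva + desc_size + len(tail))
            tail += struct.pack("<H", 0) + f.encode() + b"\0"
            tail += b"\0" * (len(tail) % 2)            # keep hint/name entries 2-byte aligned
        dll_rva = sec_rva + desc_size + len(tail)
        tail += dll.encode() + b"\0"
        tail += b"\0" * (-len(tail) % 8)
        ilt = b"".join(struct.pack("<Q", r) for r in name_rvas) + b"\0" * 8
        ilt_rva = sec_rva + desc_size + len(tail)
        tail += ilt
        iat_rva = sec_rva + desc_size + len(tail)
        tail += ilt                                    # the IAT starts out as a copy of the ILT
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva)
    section = descs + b"\0" * 20 + bytes(tail)
    raw_size = (len(section) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # section / file alignment
    struct.pack_into("<II", opt, 56, 0x2000, sec_raw)                # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    if import_map:
        struct.pack_into("<II", opt, 112 + 8, sec_rva, desc_size)    # import directory entry
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva, raw_size, sec_raw, 0, 0, 0, 0, 0xC0000040)
    return (dos + b"PE\0\0" + coff + opt + sec_hdr).ljust(sec_raw, b"\0") + section.ljust(raw_size, b"\0")


if __name__ == "__main__":
    print(enumeration_flags(parse_imports(build_sample_pe(SAMPLE_IMPORTS))))
```

To scan a real artifact, pass the file's bytes to parse_imports(); the reader handles PE32 and PE32+, ordinal imports, and images whose import lookup table was stripped so that only the IAT remains.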
Severity: 40     Confidence: 80

Process Uses Very Large Command-Line

A process was started with an exceptionally long command line. Many processes take options beyond the file name, and some are handed a whole script to run in the shell. Malware sometimes packs obfuscated or encoded configuration into a very long command line to avoid writing it to disk, where forensic tools would find it. The rows worth a second look are the gegeruci.exe line, whose /adt= argument is a long opaque token, and the Avast installer's /psh: argument, which looks like base64; the remaining rows are the copy /B reassembly commands already listed above and are long only because of their paths.

Process ID | Process Name | Command Line
gegeruci.exe
"C:\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe" /mhp /mnt /mds /ext:bahk /gu:10 /aflt=wgb_fjnh3nrsiacegikm3ve_19_12d /instlref=b /noadmin /nochrome /RSF=1568 /adt=tE1L1R1V2Y1L1QzutDtDyDtDtAtByDzz0FyB0CyDzz0EtA0CtTtE1L1R1V1B1Q2ZzutBtDtCzytDtAtCzztCyEyDyBtCzytCtCtBtTtE1Q1G1Izu2Y1G1J1G1F2W1GtTtE1Q1G1I1M2YzuyDtTtE1L1R1O1I1T2X1F1CzutByBzyyBtHtAyCtCtC
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628531.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628532.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ff.dat"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ie.dat"
avast_free_antivirus_setup_online_x64.exe
"C:\Windows\Temp\asw.6b0ce27d0b5a5fb7\avast_free_antivirus_setup_online_x64.exe" /silent /psh:u6gkYf7xdWz983VkiPYDafaEcx/osiQo8/Nwbffxc2328HRp+fB5bf/zZjOopyUu84A2Pb21HxKNiWY/vKJzbvP1cWj6+HZq9/Z1/ksAAADOwUBc /ga_clientid:205218d2-aee4-4247-a3a7-9fa760c0b18d /edat_dir:C:\Windows\Temp\asw.6b0ce27d0b5a5fb7
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D39719~2.DAT" "C:\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat" "C:\Users\ADMINI~1\AppData\Local\{C373F~1\Sqlite3.dll"
instup.exe
"C:\Windows\Temp\asw.ded71fac308702df\instup.exe" /cookie:mmm_irs_ppi_002_451_m /edition:1 /ga_clientid:205218d2-aee4-4247-a3a7-9fa760c0b18d /guid:43d7c2cf-2dd8-4588-a867-258113314a7c /prod:ais /sfx:lite /sfxstorage:C:\Windows\Temp\asw.ded71fac308702df /silent /psh:u6gkYf7xdWz983VkiPYDafaEcx/osiQo8/Nwbffxc2328HRp+fB5bf/zZjOopyUu84A2Pb21HxKNiWY/vKJzbvP1cWj6+HZq9/Z1/ksAAADOwUBc /ga_clientid:205218d2-aee4-4247-a3a7-9fa760c0b18d /edat_dir:C:\Windows\Temp\asw.6b0ce27d0b5a5fb7
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281321.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281322.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\Sqlite3.dll" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281321.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281322.dat"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281321.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D63014529281322.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\Sqlite3.dll"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ie.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323841.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D5475892323842.dat"
instup.exe
"C:\Windows\Temp\asw.ded71fac308702df\New_13030941\instup.exe" /cookie:mmm_irs_ppi_002_451_m /edat_dir:C:\Windows\Temp\asw.6b0ce27d0b5a5fb7 /edition:1 /ga_clientid:205218d2-aee4-4247-a3a7-9fa760c0b18d /guid:43d7c2cf-2dd8-4588-a867-258113314a7c /online_installer /prod:ais /psh:u6gkYf7xdWz983VkiPYDafaEcx/osiQo8/Nwbffxc2328HRp+fB5bf/zZjOopyUu84A2Pb21HxKNiWY/vKJzbvP1cWj6+HZq9/Z1/ksAAADOwUBc /sfx /sfxstorage:C:\Windows\Temp\asw.ded71fac308702df /silent
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat" "C:\Users\ADMINI~1\AppData\Local\{C373F~1\Sqlite3.dll" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202191.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D65312990202192.dat"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628531.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628532.dat" "C:\Users\Administrator\AppData\Local\{C373F52F-E7DB-9997-8A43-BC7FAE2B40E7}\bapi_ff.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628531.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D94912025628532.dat"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062381.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062382.dat" "C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\WinBee.ico"
cmd.exe
/d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D39719~2.DAT" "C:\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~1.DAT" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D39719~2.DAT"
cmd.exe
/d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT" "C:\Users\ADMINI~1\AppData\Local\Temp\ns20813EE1\0928F64C_stp\avastfreeantivirussetuponline.m.exe" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT"
cmd.exe
cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D88210~1.DAT"+"C:\Users\ADMINI~1\AppData\Local\Temp\D88210~2.DAT" "C:\Users\ADMINI~1\AppData\Local\Temp\ns20813EE1\0928F64C_stp\avastfreeantivirussetuponline.m.exe"
cmd.exe
/d /c cmd /d /c copy /B /Y "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062381.dat"+"C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062382.dat" "C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\WinBee.ico" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062381.dat" & cmd /d /c del "C:\Users\ADMINI~1\AppData\Local\Temp\D26817096062382.dat"
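
A way to separate the two interesting rows from the merely long ones, added as an example and not the sandbox's scoring: length and switch count for the whole line, plus a Shannon-entropy check on each switch value, with path-shaped values skipped because they are long without being obfuscated. The gegeruci.exe and instup.exe lines are copied from the table; the notepad.exe line is a constructed benign control and the thresholds are illustrative.

```python
import math
import re

# Two lines from the report plus a constructed control.
SAMPLES = {
    "gegeruci.exe": r'"C:\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe" /mhp /mnt /mds /ext:bahk /gu:10 /aflt=wgb_fjnh3nrsiacegikm3ve_19_12d /instlref=b /noadmin /nochrome /RSF=1568 /adt=tE1L1R1V2Y1L1QzutDtDyDtDtAtByDzz0FyB0CyDzz0EtA0CtTtE1L1R1V1B1Q2ZzutBtDtCzytDtAtCzztCyEyDyBtCzytCtCtBtTtE1Q1G1Izu2Y1G1J1G1F2W1GtTtE1Q1G1I1M2YzuyDtTtE1L1R1O1I1T2X1F1CzutByBzyyBtHtAyCtCtC',
    "instup.exe": r'"C:\Windows\Temp\asw.ded71fac308702df\instup.exe" /cookie:mmm_irs_ppi_002_451_m /edition:1 /ga_clientid:205218d2-aee4-4247-a3a7-9fa760c0b18d /guid:43d7c2cf-2dd8-4588-a867-258113314a7c /prod:ais /sfx:lite /sfxstorage:C:\Windows\Temp\asw.ded71fac308702df /silent /psh:u6gkYf7xdWz983VkiPYDafaEcx/osiQo8/Nwbffxc2328HRp+fB5bf/zZjOopyUu84A2Pb21HxKNiWY/vKJzbvP1cWj6+HZq9/Z1/ksAAADOwUBc /ga_clientid:205218d2-aee4-4247-a3a7-9fa760c0b18d /edat_dir:C:\Windows\Temp\asw.6b0ce27d0b5a5fb7',
    "notepad.exe": r'"C:\Windows\System32\notepad.exe" C:\Users\Administrator\Desktop\readme.txt',
}

SWITCH = re.compile(r"^/([A-Za-z_][A-Za-z0-9_]*)[:=](.+)$")
PATH_LIKE = re.compile(r"^[A-Za-z]:\\")


def shannon_entropy(text):
    """Bits per character: 0 for empty input, log2(alphabet size) at most."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_command_line(cmdline, long_threshold=256, blob_min_len=64, blob_min_entropy=3.5):
    """Length, switch count and any switch values that look like encoded blobs."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)      # Windows-style: quoted or whitespace-delimited
    blobs = []
    for tok in tokens[1:]:
        m = SWITCH.match(tok)
        if not m:
            continue
        name, value = m.groups()
        if PATH_LIKE.match(value):
            continue                                    # long, but a path, not an encoded blob
        h = shannon_entropy(value)
        if len(value) >= blob_min_len and h >= blob_min_entropy:
            blobs.append((name, len(value), round(h, 2)))
    return {"length": len(cmdline), "long": len(cmdline) >= long_threshold,
            "switches": sum(1 for t in tokens[1:] if t.startswith("/")), "blobs": blobs}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, analyze_command_line(line))
```

The entropy floor is set low on purpose: the /adt= token uses a restricted alphabet and scores only slightly above 4 bits per character, well under the roughly 5.5 bits of base64 text such as the /psh: value, yet both are clearly not natural language or a path.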
Severity: 30     Confidence: 90

File Downloaded to Disk

A file was downloaded to disk. This is not inherently suspicious, but it lets an analyst correlate files on disk with their download sources. The files below are images written to Internet Explorer's cache (Temporary Internet Files\Content.IE5), i.e. assets of web pages the installer displayed.

SHA256 | Path
8bfc99d5cc3d9cddb44d77160d3c09a3a5ec629cde7bb7d64bd86a023dcbdb73 | \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\bg_comp[1].png
1187e1b0875a611f2279bcab132491bba547bde98d3a21ff8ed6706e30fd7806 | \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\EN[1].jpg
2a76cdfd493f3beefb47f8d04e57001b40621a9b51185ba0ff0dc3dc40ab4317 | \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\teal_logo[1].png
2eda136d8645862194ef932b7a06714b9c49fc7b884424aa7758358d704b0e97 | \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\logo_comp[1].png
6f3e47f0f9551a6aff50bf490e5f5f19f0572007b393f2cb4b406e8e5300678c | \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\teal_logo_white[1].png
8d0dbcc4d2f9607316b7aaa17332420cb98568320ca23ea9fd4ce4f44bf0a4bd | \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\bg_fus_TB[1].png
Severity: 50     Confidence: 50

Potential Code Injection Detected

Some malware writes code into memory intended for data (a heap buffer, a thread's stack) and then executes it. Data Execution Prevention (DEP) blocks this: an attempt to execute from a page without one of the PAGE_EXECUTE_* protections raises an access violation. Code that must run from freshly written memory therefore allocates it, or later re-protects it, with an executable protection, most commonly PAGE_EXECUTE_READWRITE, which is readable, writable and executable at once. The submitted sample made such an allocation, which can indicate injection into its own process (unpacking, shellcode) or into a remote one, where it is followed by WriteProcessMemory and a remote thread. Two caveats when reading the table: an address of 0 means the caller let the OS choose the base; and the same two addresses (2004549632 = 0x777B0000 and 2003501056 = 0x776B0000) recur across cmd.exe and timeout.exe, which are OS binaries, so those entries look like a per-process artifact common to every process rather than sample-specific injection. The entries at other addresses for FileZilla_3.41.1_win64-setup_bundled.exe and gegeruci.exe are the ones worth examining, which is consistent with this indicator's confidence of 50.

Address | Process Name
2004549632 | cmd.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2004549632 | timeout.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
0 | FileZilla_3.41.1_win64-setup_bundled.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2003501056 | cmd.exe
2004549632 | FileZilla_3.41.1_win64-setup_bundled.exe
2003501056 | avastfreeantivirussetuponline.m.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2003501056 | cmd.exe
0 | gegeruci.exe
2003501056 | cmd.exe
2003501056 | cmd.exe
2003501056 | FileZilla_3.41.1_win64-setup_bundled.exe
2004549632 | timeout.exe
2003501056 | cmd.exe
2003501056 | timeout.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2003501056 | cmd.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
168558592 | FileZilla_3.41.1_win64-setup_bundled.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
2004549632 | gegeruci.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2003501056 | cmd.exe
77332480 | gegeruci.exe
2004549632 | cmd.exe
2003501056 | gegeruci.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
2003501056 | timeout.exe
2004549632 | avastfreeantivirussetuponline.m.exe
2003501056 | cmd.exe
2003501056 | cmd.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2004549632 | cmd.exe
2003501056 | cmd.exe
2003501056 | cmd.exe
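
What turns a lone PAGE_EXECUTE_READWRITE allocation into an injection finding is the sequence around it, which this added example (not the sandbox's logic) correlates: it decodes page-protection constants and walks an API trace looking for the allocate-write-execute chain against a remote process, while reporting self-process RWX allocations and re-protections separately. CALLS is a constructed trace in the shape a sandbox records; the process IDs are invented, and handle-to-PID resolution is assumed to have been done already, so each remote call carries the target PID directly.

```python
# Page protection constants from memoryapi.h (low byte) and their modifier bits.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MODIFIERS = ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"))
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE_EXECUTABLE = {0x40, 0x80}
REMOTE_EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
                    "QueueUserAPC", "SetThreadContext", "NtSetContextThread"}

CALLS = [  # (caller pid, api, arguments); constructed, pids are not from the report
    (1888, "VirtualAlloc",       {"lpAddress": 0, "dwSize": 0x1000, "flProtect": 0x40}),
    (1888, "VirtualAllocEx",     {"target": 2004, "lpAddress": 0, "dwSize": 0x2000, "flProtect": 0x40}),
    (1888, "WriteProcessMemory", {"target": 2004, "lpBaseAddress": 0x776B0000, "nSize": 0x2000}),
    (1888, "CreateRemoteThread", {"target": 2004, "lpStartAddress": 0x776B0000}),
    (2004, "VirtualAlloc",       {"lpAddress": 0, "dwSize": 0x1000, "flProtect": 0x04}),
    (2004, "VirtualProtect",     {"lpAddress": 0x00400000, "dwSize": 0x1000, "flNewProtect": 0x20}),
]


def decode_protection(value):
    """Split a flProtect/flNewProtect value into (base protection name, [modifier names])."""
    base = PAGE_PROTECTIONS.get(value & 0xFF, "UNKNOWN(0x%x)" % (value & 0xFF))
    return base, [name for bit, name in MODIFIERS if value & bit]


def correlate(calls):
    """Return (source pid, target, message) findings; target is 'self' for in-process events."""
    findings = []
    chains = {}   # (source pid, target pid) -> stages seen so far
    for pid, api, a in calls:
        prot = a.get("flProtect", a.get("flNewProtect"))
        if api in ("VirtualAlloc", "VirtualProtect") and prot is not None:
            base = prot & 0xFF
            if base in WRITABLE_EXECUTABLE:
                findings.append((pid, "self", "%s memory in own process via %s (lpAddress=%#x)"
                                 % (PAGE_PROTECTIONS[base], api, a["lpAddress"])))
            elif api == "VirtualProtect" and base in EXECUTABLE:
                findings.append((pid, "self", "existing region made executable via VirtualProtect"))
        elif api == "VirtualAllocEx" and (prot & 0xFF) in EXECUTABLE:
            chains.setdefault((pid, a["target"]), set()).add("alloc")
        elif api == "WriteProcessMemory":
            chains.setdefault((pid, a["target"]), set()).add("write")
        elif api in REMOTE_EXEC_APIS:
            chains.setdefault((pid, a["target"]), set()).add("execute")
    for (src, dst), stages in chains.items():
        if {"alloc", "write", "execute"} <= stages:
            findings.append((src, dst, "remote code injection chain: alloc -> write -> execute"))
        else:
            findings.append((src, dst, "partial remote-memory activity: " + ", ".join(sorted(stages))))
    return findings


if __name__ == "__main__":
    for src, dst, msg in correlate(CALLS):
        print(src, "->", dst, ":", msg)
```

The per-process RWX allocation on its own is exactly what the indicator above reports; the remote chain is the higher-confidence case, and a process that only re-protects an existing region (the last line of the trace) is the pattern of a packer or a JIT rather than injection.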
Severity: 50     Confidence: 50

Process Registered a Service DLL

A process registered a DLL with regsvr32.exe, which loads the DLL and calls its DllRegisterServer export; despite the indicator's name this registers a COM server, not a Windows service. Malware often downloads additional DLLs for extra functionality, registers them this way, and adds their path to autorun or other registry keys to maintain persistence on a system. regsvr32.exe is also abused as a living-off-the-land binary, so the argument it was given matters: here it silently (/s) registers the FileZilla shell extension the installer had just written, which matches the InProcServer32 key recorded above.

Process Name | Command Line
regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\FileZilla FTP Client\fzshellext_64.dll"
Severity: 40     Confidence: 60

PE Has Sections Marked Shareable

What most programmers call flags, the COFF/PE format calls characteristics: a bit field in each section header describing the section's attributes (code or data, readable, writable, executable, shared). When IMAGE_SCN_MEM_SHARED is set on a DLL's section, the memory manager maps that section to the same physical pages in every process that loads the DLL; the default is non-shared, where each process gets its own copy of the section's data. The security problem is a section that is both shared and writable: any process that loads the DLL, at any privilege level, can modify data that every other loader reads, which lets a low-privileged attacker tamper with memory used by a higher-privileged process. The sections flagged below carry IMAGE_SCN_MEM_READ and IMAGE_SCN_MEM_SHARED but not IMAGE_SCN_MEM_WRITE, so that cross-process write path is not open here; the flag is still unusual on an executable and worth noting alongside the other gegeruci.exe findings on this page.

Path | Section | Flags
\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe | 610304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe | 606208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe | 634880 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED

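The characteristics decoding and the shared-and-writable test described above, as an added example that is not the sandbox's parser. It unpacks raw IMAGE_SECTION_HEADER entries, names the set bits, and rates each shared section. The first three headers are constructed from the flag sets the report lists for gegeruci.exe, using the numbers in its Section column as virtual addresses (an assumption about what that column holds); the writable shared section and the code section are constructed to show the dangerous case and the non-shared case.

```python
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x10000000: "IMAGE_SCN_MEM_SHARED", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}
SHARED, EXECUTE, READ, WRITE = 0x10000000, 0x20000000, 0x40000000, 0x80000000


def make_section_header(name, vaddr, vsize, flags):
    """Pack a header the way a linker would (raw pointer and relocation fields are dummies)."""
    return SECTION_HEADER.pack(name.encode("ascii"), vsize, vaddr, vsize, 0x400, 0, 0, 0, 0, flags)


# Constructed headers: three with the report's flag set, one writable shared, one plain code.
SAMPLE_HEADERS = [
    make_section_header(".data1", 610304, 0x1000, 0x40 | READ | SHARED),
    make_section_header(".data2", 606208, 0x1000, 0x40 | READ | SHARED),
    make_section_header(".data3", 634880, 0x1000, 0x40 | READ | SHARED),
    make_section_header(".shared", 0xA0000, 0x1000, 0x40 | READ | WRITE | SHARED),
    make_section_header(".text", 0x1000, 0x8000, 0x20 | READ | EXECUTE),
]


def parse_section_header(raw):
    name, vsize, vaddr, rawsize, rawptr, _reloc, _lines, _nreloc, _nlines, flags = SECTION_HEADER.unpack(raw)
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
            "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "flags": flags}


def flag_names(flags):
    return sorted(name for bit, name in CHARACTERISTICS.items() if flags & bit)


def assess_shared(section):
    """Rate a section by what IMAGE_SCN_MEM_SHARED lets another process do with it."""
    f = section["flags"]
    if not f & SHARED:
        return "not shared"
    if f & WRITE:
        return "shared and writable: every process mapping this image sees one copy, so any of them can tamper with it"
    if f & EXECUTE:
        return "shared executable: unusual, check for runtime patching of the shared pages"
    return "shared read-only: no cross-process write path, low risk"


def audit(headers):
    return [(s["name"], flag_names(s["flags"]), assess_shared(s)) for s in map(parse_section_header, headers)]


if __name__ == "__main__":
    for name, names, verdict in audit(SAMPLE_HEADERS):
        print(name, names, "->", verdict)
```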
Severity: 40     Confidence: 60

PE Contains TLS Callback Entries

Thread Local Storage (TLS) is a Windows storage class for data that is not an automatic stack variable yet is local to each thread that runs the code. An executable that uses TLS typically has a .tls section and a TLS entry in the optional header's data directory. The TLS directory can list callback functions for initialization and termination of TLS data objects, and Windows runs them before the program's normal entry point. TLS callbacks therefore let malware authors run code before a debugger breaks at the traditional entry point, so a sample can infect the system or disable the debugger before the analyst has looked at its code. The callbacks below are not by themselves suspicious: compilers such as GCC/MinGW register a TLS callback for runtime initialization, which is why every MinGW-built FileZilla binary and library appears here. A quick consistency check is Callback Address minus Callback RVA, which yields the preferred image base; for gegeruci.exe that is 0x494010 - 0x94010 = 0x400000, the default base for a 32-bit executable, and for filezilla.exe 0xe5b040 - 0xa5b040 gives the same value.

Path | Callback Address | Callback RVA
\Program Files\FileZilla FTP Client\libfilezilla-0.dll | 647f6030 | 36030
\Program Files\FileZilla FTP Client\libgcc_s_seh-1.dll | 61458030 | 18030
\Program Files\FileZilla FTP Client\libgnutls-30.dll | 649f0030 | 1b0030
\Program Files\FileZilla FTP Client\fzshellext.dll | 6728d018 | d018
\Program Files\FileZilla FTP Client\fzsftp.exe | 47f040 | 7f040
\Program Files\FileZilla FTP Client\fzshellext_64.dll | 6708f030 | f030
\Program Files\FileZilla FTP Client\libgmp-10.dll | 6ad4a030 | 8a030
\Program Files\FileZilla FTP Client\fzstorj.exe | 4b8040 | b8040
\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe | 494010 | 94010
\Program Files\FileZilla FTP Client\filezilla.exe | e5b040 | a5b040
\Program Files\FileZilla FTP Client\fzputtygen.exe | 437040 | 37040
Severity: 40     Confidence: 50

Pending File Deletions

MoveFileEx called with MOVEFILE_DELAY_UNTIL_REBOOT does not touch the file immediately; it appends to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Session Manager (smss.exe) reads that value early in the next boot, before most of the system is running, and performs the listed renames and deletions. Malware uses this to dispose of temporary files it dropped or downloaded, or to replace files that are locked while the system is up. Each call adds two strings to the value: the source path (in NT object form, hence the \??\ prefix) and the destination; an empty destination means the source is deleted, and a destination beginning with ! means an existing file is replaced. Here the entry removes the Avast installer's own temporary directory under C:\Windows\Temp, which is ordinary installer cleanup.

Process Name | RegKey Name | RegKey Value Name | RegKey Data Type | RegKey Data
avastfreeantivirussetuponline.m.exe | MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER | PendingFileRenameOperations | MULTI_SZ | \??\C:\Windows\Temp\asw.6b0ce27d0b5a5fb7s\\0s\\0s\\0
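
Decoding that value the way an analyst would when pulling it from a hive, as an added example rather than the sandbox's parser: the REG_MULTI_SZ blob is split into strings, paired into (source, destination) operations, classified as delete, rename or replace, and checked for destinations inside protected directories. The first pair reproduces the entry in the table (a source path followed by an empty destination, which is what the three trailing terminators in the sandbox's rendering encode); the other two pairs are constructed.

```python
# Added example: decode HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
PROTECTED_DIRS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")


def encode_multi_sz(strings):
    """REG_MULTI_SZ layout: each string NUL-terminated, the list closed by one more NUL, UTF-16LE."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


# Constructed blob: the report's delete entry, a replace-existing rename, and a plain rename.
SAMPLE_BLOB = encode_multi_sz([
    r"\??\C:\Windows\Temp\asw.6b0ce27d0b5a5fb7", "",
    r"\??\C:\Windows\Temp\upd.tmp", r"!\??\C:\Program Files\App\app.dll",
    r"\??\C:\Users\Public\a.exe", r"\??\C:\Users\Public\b.exe",
])


def decode_multi_sz(blob):
    text = blob.decode("utf-16-le")
    items = text.split("\0")[:-1]          # drop the empty piece after the final NUL
    if items and items[-1] == "":
        items.pop()                        # drop the list terminator, keeping real empty strings
    return items


def _native(path):
    """Strip the NT object-manager prefix so the path reads as Win32 code would see it."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_ops(blob):
    """Return (operations, malformed); malformed is True when a source has no destination string."""
    items = decode_multi_sz(blob)
    ops = []
    for i in range(0, len(items) - 1, 2):
        src, dst = items[i], items[i + 1]
        if dst == "":
            op = {"op": "delete", "source": _native(src), "dest": None}
        else:
            op = {"op": "replace" if dst.startswith("!") else "rename",
                  "source": _native(src), "dest": _native(dst.lstrip("!"))}
        protected = op["dest"] is not None and op["dest"].upper().startswith(PROTECTED_DIRS)
        op["note"] = "writes into a protected directory at boot" if protected else ""
        ops.append(op)
    return ops, len(items) % 2 == 1


if __name__ == "__main__":
    ops, malformed = parse_pending_ops(SAMPLE_BLOB)
    for op in ops:
        print(op["op"], op["source"], "->", op["dest"], op["note"])
    print("malformed:", malformed)
```

A rename or replace whose destination sits under C:\Windows or Program Files is the case to escalate: smss.exe performs it as SYSTEM before any user-mode security product is running.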
Severity: 20     Confidence: 95

Cisco Umbrella Detected A Likely Benign Domain

A domain referenced during the sample run has been categorized with content that is likely benign by Cisco Umbrella. Cisco Umbrella is a cloud security platform which provides additional detail about network activity such as security and content categorization for domains. Certain categories attributed to domains by Cisco Umbrella imply that a domain is likely safe. This is because the content hosted by the domain owners is well understood and unlikely to accidentally host malware.

Domain | Status | Categories
static3.avast.com | innocuous | Business Services, Computer Security, Software/Technology
www.google-analytics.com | innocuous | Software/Technology
v6831430.iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
tr.outbrain.com | innocuous | Blogs, Business Services
amplify.outbrain.com | innocuous | Blogs, Business Services
dev.visualwebsiteoptimizer.com | indeterminate | Business Services
amplifypixel.outbrain.com | innocuous | Blogs, Business Services
ampcid.google.com | innocuous | Search Engines
iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
adservice.google.com | innocuous | Search Engines
v7event.stats.avast.com | innocuous | Business Services, Computer Security, Software/Technology

Severity: 20     Confidence: 95

Sample Contacts Only Benign Domains

The sample contacted only benign or likely benign domains, as far as Cisco Umbrella's categorization goes. It is unlikely that malware would download malicious content from such sites. Note that rp.tourtodaylaboratory.com (52.7.205.46), which the network artifacts above show the sample contacting repeatedly, does not appear in this list; treat the indicator as covering only the domains Umbrella returned a category for, and review that domain separately.

Domain | Status | Categories
static3.avast.com | innocuous | Business Services, Computer Security, Software/Technology
static.avast.com | innocuous | Business Services, Computer Security, Software/Technology
connect.facebook.net | innocuous | Social Networking
v7event.stats.avast.com | innocuous | Business Services, Computer Security, Software/Technology
www.bing.com | innocuous | Search Engines
bat.bing.com | innocuous | Search Engines
googleads.g.doubleclick.net | innocuous |
a.tribalfusion.com | innocuous | Business Services
stats.g.doubleclick.net | innocuous |
k5854113.iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
d4130079.iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
j4501229.iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
g0679661.iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
b1477563.iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
f3355109.iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
x5026866.iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
v6831430.iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
b4380882.iavs9x.u.avast.com | innocuous | Business Services, Computer Security, Software/Technology
adservice.google.com | innocuous | Search Engines
dev.visualwebsiteoptimizer.com | indeterminate | Business Services
tr.outbrain.com | innocuous | Blogs, Business Services
www.facebook.com | innocuous | Social Networking
www.google-analytics.com | innocuous | Software/Technology
mc.yandex.ru | innocuous | Search Engines
www.google.com | innocuous | Search Engines
amplifypixel.outbrain.com | innocuous | Blogs, Business Services
ampcid.google.com | innocuous | Search Engines
www.avast.com | innocuous | Business Services, Computer Security, Software/Technology
www.googleadservices.com | innocuous |
shepherd.ff.avast.com | innocuous | Business Services, Computer Security, Software/Technology
www.googletagmanager.com | innocuous | Software/Technology
amplify.outbrain.com | innocuous | Blogs, Business Services

Severity: 20     Confidence: 90

Windows Executable Without Library Imports

An executable with no import table is suspicious: any useful Windows program calls the Windows API, so a missing import directory usually means the file is corrupted or that it resolves its APIs at runtime, the way packers and shellcode-style loaders walk the PEB to find kernel32.dll and call GetProcAddress and LoadLibrary themselves. The flagged artifact is 1888-gegeruci.exe; the number-prefixed names on this page (536-instup.exe, 1392-instup.exe, 1888-gegeruci.exe) appear to be captured process images as opposed to the on-disk files listed by path, and the on-disk gegeruci.exe does reference SetWindowsHookExA, so the missing table is a property of the captured image. Either way gegeruci.exe, with its shared sections, TLS callback and long obfuscated command line, is the component of this bundle most worth unpacking.

SHA256 | Path
3a8d32e8900db697ffa905636b2c9721bad15e5872ea39af4bd6555d2c481a08 | 1888-gegeruci.exe
Severity: 35     Confidence: 50

Possible Double Flux Nameserver Detected [Beta]

Fast flux is a DNS technique used by botnets to maintain a resilient command-and-control infrastructure of compromised hosts acting as proxies. It is characterized by many individual nodes registering and de-registering their addresses in the A record set for a DNS name, with short TTLs. Double flux adds a further layer of redundancy: both the A record set and the authoritative NS records for the domain are continually rotated. Please view the 'DNS' section under 'Network Analysis' for the associated traffic, and the provided network PCAP for the full stream. The two answers below are ordinary infrastructure rather than flux: d.akamai.net is Akamai's CDN delegation, and ns1.ff.avast.com resolves to NS1's dns1.p02.nsone.net, a managed DNS provider; both use short TTLs and rotating answers by design. Before acting on this beta indicator, check whether the A records for a name spread across unrelated autonomous systems (typically residential ISPs) and whether the NS set itself changes between lookups; answers that stay inside one provider's ranges with a stable NS set are a CDN, not a flux network.

TTL | Answer Name | Answer Data
335 | d.akamai.net | n0d.akamai.net
255 | ns1.ff.avast.com | dns1.p02.nsone.net
444 | d.akamai.net | n0d.akamai.net
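
The distinction drawn above, as an added example that is not the sandbox's detector: a double-flux heuristic over repeated lookups of the same name that separates A-record churn inside one provider's ranges (CDN behaviour) from churn across unrelated networks with a rotating NS set. LOOKUPS is constructed with documentation address ranges; /16 prefixes stand in for the ASN lookups an online checker would use, and the thresholds are illustrative.

```python
import ipaddress

# Constructed lookups: (name, ttl, A records, NS records) as seen on successive queries.
LOOKUPS = [
    ("cdn.example.net", 20, ["192.0.2.10", "192.0.2.11"], ["n0d.akamai.net", "n1d.akamai.net"]),
    ("cdn.example.net", 20, ["192.0.2.12", "192.0.2.10"], ["n0d.akamai.net", "n1d.akamai.net"]),
    ("cdn.example.net", 20, ["192.0.2.40"],               ["n0d.akamai.net", "n1d.akamai.net"]),
    ("flux.example.org", 120, ["198.51.100.7", "203.0.113.9", "198.18.4.2"],    ["ns1.flux.example.org", "ns2.flux.example.org"]),
    ("flux.example.org", 120, ["198.19.77.1", "203.0.113.44", "100.64.3.3"],    ["ns3.flux.example.org", "ns2.flux.example.org"]),
    ("flux.example.org", 90,  ["198.51.100.200", "100.64.9.9"],                 ["ns4.flux.example.org", "ns5.flux.example.org"]),
    ("www.example.com", 3600, ["192.0.2.80"], ["a.iana-servers.net", "b.iana-servers.net"]),
    ("www.example.com", 3600, ["192.0.2.80"], ["a.iana-servers.net", "b.iana-servers.net"]),
]


def summarize(lookups):
    """Aggregate per name: distinct addresses, distinct /16 networks, NS sets per lookup, lowest TTL."""
    per = {}
    for name, ttl, a_records, ns_records in lookups:
        e = per.setdefault(name, {"a": set(), "nets": set(), "ns_sets": [], "min_ttl": ttl})
        e["a"].update(a_records)
        e["nets"].update(str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in a_records)
        e["ns_sets"].append(frozenset(ns_records))
        e["min_ttl"] = min(e["min_ttl"], ttl)
    return per


def assess(entry, min_ips=5, min_nets=3, max_ttl=300):
    """Return 'double-flux', 'single-flux', 'cdn-like' or 'stable' for one name's summary."""
    ns_changes = sum(1 for prev, cur in zip(entry["ns_sets"], entry["ns_sets"][1:]) if prev != cur)
    churning_a = len(entry["a"]) >= min_ips and entry["min_ttl"] <= max_ttl
    if churning_a and len(entry["nets"]) >= min_nets:
        return "double-flux" if ns_changes else "single-flux"
    if churning_a or len(entry["a"]) > 1:
        return "cdn-like"        # several addresses, but confined to one or two provider networks
    return "stable"


def classify(lookups):
    return {name: assess(entry) for name, entry in summarize(lookups).items()}


if __name__ == "__main__":
    for name, verdict in classify(LOOKUPS).items():
        print(name, verdict)
```

Replacing the /16 grouping with a real ASN lookup is the one change needed for production use; CDNs announce their own ASNs, so the network-diversity test then becomes much sharper.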
Severity: 30     Confidence: 50

Process Read INI File

A process read a Windows initialization (INI) file. INI files are a basic, human-readable configuration format used throughout Windows for things like boot menus, program options and file display settings. Since Windows Vista they are no longer used for system configuration, though many programs still read and write them. Here gegeruci.exe read Firefox's profiles.ini, which lists the user's profile directories; together with the bapi_ff.dat and bapi_ie.dat files it assembled with copy /B above, that is the behaviour of a bundled installer locating browser profiles.

Process Name | Path
gegeruci.exe | \Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini
Severity: 35     Confidence: 40

Hook Procedure Detected in Executable

An executable file contains a reference to SetWindowsHookEx, the API for installing hook procedures on window messages and keyboard or mouse input. A low-level keyboard hook (WH_KEYBOARD_LL) is how keyloggers and other spyware capture input, but the same import is routine in GUI programs, whose windowing toolkits use message hooks for their own event handling; that is why filezilla.exe appears here. The import alone does not distinguish the two cases; the hook type passed at runtime does.

Path | Symbol Name
\Program Files\FileZilla FTP Client\filezilla.exe | SetWindowsHookExW
\Users\Administrator\AppData\Local\Temp\tmp4403842\gegeruci.exe | SetWindowsHookExA
Severity: 10     Confidence: 100

Executable Signed With Digital Certificate

Authenticode is Microsoft's code-signing scheme for establishing the integrity and publisher of software introduced to the operating system. A valid signature shows only that the binary has not been altered since signing and that the signer holds a certificate chaining to a trusted root; it does not mean the signed code is safe to execute. Starting with Windows Vista, 64-bit Windows requires kernel-mode drivers to be signed. The rows below list every certificate in each signature's chain (signer, intermediates, root and timestamp certificates), so the self-signed AddTrust External CA Root with serial 01 is the chain's trust anchor, not the signer; the signing certificate for the FileZilla binaries is the one issued by Sectigo RSA Code Signing CA to Tim Kosse, and the DigiCert Timestamp Responder entries are the countersignatures that keep the signature valid after that certificate expires.

Every certificate embedded in each file's signature is listed, not just the signer: the code-signing chain and the DigiCert timestamp countersignature chain. The Artifact ID column was not captured. Because the same certificates recur for every FileZilla component, each distinct certificate is shown once (Issuer / Serial / Subject), followed by the files that carry it.

Timestamp countersignature chain (present in every file below):
  Issuer:  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
  Serial:  06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
  Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1

  Issuer:  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
  Serial:  03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
  Subject: /C=US/O=DigiCert/CN=DigiCert Timestamp Responder

FileZilla code-signing chain (root, intermediate, issuing CA, signer):
  Issuer:  /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
  Serial:  01
  Subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

  Issuer:  /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
  Serial:  13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36
  Subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

  Issuer:  /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
  Serial:  1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
  Subject: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Code Signing CA

  Issuer:  /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Code Signing CA
  Serial:  5d:38:d8:bd:64:45:50:68:c2:d1:c7:40:88:c5:e2:8a
  Subject: /C=DE/ST=NRW/L=Köln/O=Tim Kosse/CN=Tim Kosse

  Files carrying this chain plus the timestamp chain (6 certificates each):
    FileZilla_3.41.1_win64-setup_bundled.exe
    \TEMP\FileZilla_3.41.1_win64-setup_bundled.exe
    \Program Files\FileZilla FTP Client\filezilla.exe
    \Program Files\FileZilla FTP Client\fzputtygen.exe
    \Program Files\FileZilla FTP Client\fzsftp.exe
    \Program Files\FileZilla FTP Client\fzstorj.exe
    \Program Files\FileZilla FTP Client\fzshellext.dll
    \Program Files\FileZilla FTP Client\fzshellext_64.dll
    \Program Files\FileZilla FTP Client\libfilezilla-0.dll
    \Program Files\FileZilla FTP Client\libgcc_s_seh-1.dll
    \Program Files\FileZilla FTP Client\libgmp-10.dll
    \Program Files\FileZilla FTP Client\libgnutls-30.dll

Avast code-signing chain (the first entry is the cross-certificate Microsoft issues so that a third-party root chains to the Microsoft Code Verification Root for kernel-mode code signing; then root, issuing CA, signer):
  Issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Verification Root
  Serial:  61:20:4d:b4:00:00:00:00:00:27
  Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

  Issuer:  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
  Serial:  02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
  Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1

  Issuer:  /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
  Serial:  07:c7:0f:7c:ab:14:5b:c1:ed:38:5f:be:69:fa:31:30
  Subject: /C=CZ/L=Praha 4/O=AVAST Software s.r.o./CN=AVAST Software s.r.o.

  File carrying this chain plus the timestamp chain (5 certificates):
    avast_free_antivirus_setup_online_x64.exe
Severity: 30     Confidence: 30

Executable with Encrypted Sections

An executable artifact has one or more sections whose contents look encrypted. In practice this is an entropy measurement: a section is flagged when its byte distribution approaches the 8 bits/byte of random data. This usually indicates that the author is trying to hide or obfuscate code or data, but compressed resources, embedded archives or certificates and packed string tables give the same reading. Both hits here are the read-only data section (.rdata) of the FileZilla shell extension DLLs, not code, so confirm what the section actually holds before treating it as obfuscation.

Path | Section Type
\Program Files\FileZilla FTP Client\fzshellext.dll | .rdata
\Program Files\FileZilla FTP Client\fzshellext_64.dll | .rdata
Severity: 30     Confidence: 30

Nullsoft Installer Detected

An executable that uses the Nullsoft Scriptable Install System (NSIS) was detected. NSIS is an open-source framework for creating Windows installers. A Windows application typically requires multiple files to be placed on disk, registry modifications and other actions in order to install it; NSIS lets a developer build a single executable that performs those actions when run. Malware is frequently distributed as NSIS installers, because the install script can drop files, write registry keys and launch payloads without user interaction. The compressed archive sits in the PE overlay after the last section, where 7-Zip can unpack it for inspection. The two rows below are one file (identical SHA256) recorded under two paths.

SHA256 | Path
6306ac4abb03d250b51eceb20e15ec6a70bfa4da375040838991a5c96db132b6 | FileZilla_3.41.1_win64-setup_bundled.exe
6306ac4abb03d250b51eceb20e15ec6a70bfa4da375040838991a5c96db132b6 | \TEMP\FileZilla_3.41.1_win64-setup_bundled.exe
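The three file-level indicators above (the Authenticode description, 'Executable with Encrypted Sections' and 'Nullsoft Installer Detected') all come down to reading PE structure. The following is an added example, not code from the report vendor or from the FileZilla project, that implements the three checks with the Python standard library on a PE image constructed in memory: the digest an Authenticode signature covers (so you can see that appending a certificate table or rewriting the CheckSum does not change it while one patched code byte does), per-section Shannon entropy against an assumed 7.0 bits/byte threshold, and a search of the overlay for the NSIS firstheader record. It assumes a PE32+ optional header; the sample image, the threshold and every function name are mine, not the report's.

```python
"""Added example (not from the report vendor or FileZilla): three PE checks that match
the indicators above, run on an image constructed in memory. Standard library only.
  authenticode_hash()  digest over the bytes an Authenticode signature covers
  encrypted_sections() sections whose entropy exceeds an assumed 7.0 bits/byte
  nsis_first_header()  the NSIS 'firstheader' record, if the overlay carries one
Offsets assume a PE32+ optional header (Magic 0x20B)."""
import hashlib
import math
import struct

NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"   # siginfo 0xDEADBEEF (LE) + "NullsoftInst"
OPT_SIZE_OF_HEADERS = 60                        # offsets within the PE32+ optional header
OPT_CHECKSUM = 64
OPT_SECURITY_DIR = 144                          # data directory 4: certificate table


def pe_layout(pe):
    """Return (optional_header_offset, [(section_name, raw_offset, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    opt, secs = coff + 20, []
    for i in range(nsec):
        name, _vs, _va, raw_size, raw_off = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size))
    return opt, secs


def authenticode_hash(pe, algo="sha256"):
    """Hex digest over exactly the bytes an Authenticode signature protects (spec order)."""
    opt, secs = pe_layout(pe)
    size_of_headers = struct.unpack_from("<I", pe, opt + OPT_SIZE_OF_HEADERS)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, opt + OPT_SECURITY_DIR)
    h = hashlib.new(algo)
    h.update(pe[:opt + OPT_CHECKSUM])                            # headers, skipping CheckSum ...
    h.update(pe[opt + OPT_CHECKSUM + 4:opt + OPT_SECURITY_DIR])  # ... and the security entry
    h.update(pe[opt + OPT_SECURITY_DIR + 8:size_of_headers])
    end = size_of_headers
    for _, off, size in sorted(secs, key=lambda s: s[1]):        # section data in file order
        h.update(pe[off:off + size])
        end = max(end, off + size)
    tail = pe[end:]                                              # overlay ...
    if cert_size:                                                # ... minus the certificate table
        tail = pe[end:cert_off] + pe[cert_off + cert_size:]
    h.update(tail)
    return h.hexdigest()


def shannon_entropy(buf):
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    counts = [buf.count(v) for v in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def section_entropies(pe):
    return {name: shannon_entropy(pe[off:off + size]) for name, off, size in pe_layout(pe)[1]}


def encrypted_sections(pe, threshold=7.0):
    """Sections above the (assumed) threshold: encrypted, compressed or packed data."""
    return [name for name, e in section_entropies(pe).items() if e > threshold]


def nsis_first_header(pe):
    """Parse the NSIS firstheader (flags, 0xDEADBEEF, 'NullsoftInst', header_len, data_len)."""
    ov = pe[max((off + size for _, off, size in pe_layout(pe)[1]), default=0):]  # overlay
    pos = ov.find(NSIS_MAGIC)
    if pos < 4:                                   # absent, or no room for the flags field
        return None
    flags = struct.unpack_from("<I", ov, pos - 4)[0]
    header_len, data_len = struct.unpack_from("<II", ov, pos + len(NSIS_MAGIC))
    return {"overlay_offset": pos - 4, "flags": flags, "header_len": header_len, "data_len": data_len}


def filler(n, seed=b"constructed"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(cert_blob=b"", nsis=True):
    """Constructed PE32+ (not a real binary): low-entropy .text, high-entropy .rdata,
    optional NSIS overlay, optional WIN_CERTIFICATE table referenced by the security entry."""
    text = b"\x55\x48\x89\xe5" * 1024            # 4 equiprobable bytes: exactly 2.0 bits/byte
    rdata = filler(8192)                          # stands in for encrypted/compressed data
    text_off, opt = 0x200, bytearray(240)         # 512-byte file alignment; PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, OPT_SIZE_OF_HEADERS, text_off)
    fmt = "<8sIIIIIIHHI"                          # IMAGE_SECTION_HEADER
    secs = struct.pack(fmt, b".text", len(text), 0x1000, len(text), text_off, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(fmt, b".rdata", len(rdata), 0x3000, len(rdata), text_off + len(text), 0, 0, 0, 0, 0x40000040)
    body = text + rdata
    if nsis:                                      # firstheader + stand-in for the compressed datablock
        body += struct.pack("<I", 0) + NSIS_MAGIC + struct.pack("<II", 0x80, 300) + b"\0" * 300
    if cert_blob:                                 # WIN_CERTIFICATE: dwLength, wRevision 0x200, type 2 (PKCS#7)
        table = struct.pack("<IHH", 8 + len(cert_blob), 0x200, 2) + cert_blob
        struct.pack_into("<II", opt, OPT_SECURITY_DIR, text_off + len(body), len(table))
        body += table
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    headers = dos + coff + bytes(opt) + secs
    return headers + b"\0" * (text_off - len(headers)) + body
```

On a real file, `build_sample_pe()` is replaced by the bytes read from disk. The value `authenticode_hash()` returns is the digest that the SpcIndirectDataContent inside the PKCS#7 certificate table must match; that comparison, plus chain building and revocation, is what signtool verify or Get-AuthenticodeSignature performs. The entropy threshold is deliberately a parameter: a compressed resource section will cross 7.0 just as readily as an encrypted one.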
Severity: 30     Confidence: 30

COM Object Detected

A PE was found that implements COM entry points. The Component Object Model (COM) is the Windows binary interface standard for reusable software components and underpins many Windows capabilities, including ActiveX, OLE and the Windows shell. An in-process COM server is a DLL that exports DllGetClassObject and DllCanUnloadNow (usually DllRegisterServer and DllUnregisterServer as well) and is connected to the OS by a CLSID key in the registry (HKCR\CLSID\{...}\InprocServer32), after which any application can load it. The two files here are the FileZilla shell extension in 32-bit and 64-bit builds; a shell extension is loaded into explorer.exe and into any process that opens a file dialog, which is why COM registration is also a common persistence and code-injection vector and why the sample's registry writes under CLSID are worth reviewing.

SHA256 | Path
de02c74ddf235559a2319b89e6fc8617b1f054933b046a2d24401a2b4dcbb45f | \Program Files\FileZilla FTP Client\fzshellext.dll
91370160dd464e5fcb443467c737ab88254eaf80a29f8bffb37d60184545b282 | \Program Files\FileZilla FTP Client\fzshellext_64.dll
Severity: 35     Confidence: 20

DNS Response Contains Low Time to Live (TTL) Value

Short DNS time-to-live values are one ingredient of fast flux, a technique botnets use to keep command and control infrastructure resilient: many compromised hosts acting as proxies register and de-register their addresses in the A record set for a single name, each record carrying a TTL of usually under five minutes, so the list of destination addresses for that name changes constantly. Short TTLs are also routine for CDNs, load balancers and anycast services (the Akamai, CloudFront, section.io and Google names below all answer with TTLs of 300 seconds or less), so a low TTL on its own is weak evidence. The stronger signal is a short TTL combined with a large, churning set of addresses for the same name, ideally spread across unrelated networks. Please view the 'DNS' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.

Query ID | Query Data | Answer Data | Answer Type | TTL
19931 | shepherd.ff.avast.com | 5.62.48.205 | A | 130
21203 | f3355109.iavs9x.u.avast.com | 72.22.185.200 | A | 19
31461 | b4380882.vps18tiny.u.avcdn.net | 72.22.185.208 | A | 19
14246 | gubuh.com | 52.44.131.105 | A | 60
3595 | mc.yandex.ru | 93.158.134.119 | A | 197
11293 | vars.hotjar.com | 147.75.73.213 | A | 29
53339 | os.tourtodaylaboratory.com | 52.36.172.181 | A | 60
7366 | static.hotjar.com | 147.75.77.255 | A | 60
64120 | static3.avast.com | 173.223.56.140 | A | 20
46640 | www.avast.com | 23.3.126.88 | A | 20
42887 | script.hotjar.com | 147.75.78.123 | A | 60
25713 | 6679503.fls.doubleclick.net | 172.217.10.38 | A | 300
25380 | shepherd.ff.avast.com | 5.62.40.21 | A | 35
30477 | stats.g.doubleclick.net | 172.217.197.155 | A | 300
34696 | k5854113.iavs9x.u.avast.com | 72.22.185.206 | A | 19
53853 | v6831430.iavs9x.u.avast.com | 72.22.185.200 | A | 19
50862 | www.googletagmanager.com | 172.217.3.104 | A | 300
3595 | mc.yandex.ru | 77.88.21.119 | A | 197
58186 | s-vps18tiny.avcdn.net | 184.29.85.139 | A | 19
31042 | action.media6degrees.com | 204.2.197.202 | A | 14
41072 | s-vps18tiny.avcdn.net | 2600:141b:5000:3a7::240d | AAAA | 19
31042 | action.media6degrees.com | 38.126.130.202 | A | 14
64191 | d4130079.iavs9x.u.avast.com | 72.22.185.206 | A | 19
31461 | b4380882.vps18tiny.u.avcdn.net | 72.22.185.209 | A | 19
20476 | googleads.g.doubleclick.net | 172.217.10.66 | A | 300
32495 | s-iavs9x.avcdn.net | 184.29.85.139 | A | 19
25565 | tr.outbrain.com | 151.101.2.2 | A | 25
29929 | s-iavs9x.avcdn.net | 2600:141b:5000:3a7::240d | AAAA | 19
29929 | s-iavs9x.avcdn.net | 2600:141b:5000:396::240d | AAAA | 19
15330 | v7event.stats.avast.com | 77.234.44.64 | A | 128
22945 | d39ievd5spb5kl.cloudfront.net | 52.85.104.248 | A | 60
15002 | a.tribalfusion.com | 204.11.109.68 | A | 300
25565 | tr.outbrain.com | 151.101.130.2 | A | 25
11293 | vars.hotjar.com | 147.75.77.221 | A | 29
15330 | v7event.stats.avast.com | 77.234.44.63 | A | 128
14246 | gubuh.com | 34.200.58.162 | A | 60
11293 | vars.hotjar.com | 147.75.77.43 | A | 29
42887 | script.hotjar.com | 147.75.77.43 | A | 60
15002 | a.tribalfusion.com | 204.11.110.63 | A | 300
29317 | www.googleadservices.com | 172.217.11.34 | A | 300
49087 | goquc.com | 54.235.185.112 | A | 60
23013 | j4501229.iavs9x.u.avast.com | 72.22.185.206 | A | 19
11293 | vars.hotjar.com | 147.75.199.1 | A | 29
25565 | tr.outbrain.com | 151.101.66.2 | A | 25
42887 | script.hotjar.com | 147.75.73.213 | A | 60
31434 | www.avast.com | 23.3.126.88 | A | 20
36433 | s-iavs9x.avcdn.net | 2600:141b:5000:396::240d | AAAA | 19
34696 | k5854113.iavs9x.u.avast.com | 72.22.185.200 | A | 19
54072 | amplifypixel.outbrain.com | alldcs.outbrain.org | CNAME | 205
64120 | static3.avast.com | e13074.a.akamaiedge.net | CNAME | 300
15002 | a.tribalfusion.com | 204.11.109.65 | A | 300
10939 | img.tourtodaylaboratory.com | 46.166.187.59 | A | 60
15330 | v7event.stats.avast.com | analytics.ns1.ff.avast.com | CNAME | 45
8037 | iavs9x.u.avast.com | 72.22.185.206 | A | 20
11293 | vars.hotjar.com | 147.75.77.255 | A | 29
20583 | g0679661.iavs9x.u.avast.com | 72.22.185.206 | A | 19
10494 | b1477563.iavs9x.u.avast.com | 72.22.185.206 | A | 19
14246 | gubuh.com | 54.210.195.70 | A | 60
28297 | k5854113.vps18tiny.u.avcdn.net | 72.22.185.208 | A | 19
11293 | vars.hotjar.com | 147.75.78.123 | A | 29
51351 | b4380882.iavs9x.u.avast.com | 72.22.185.200 | A | 19
21697 | action.dstillery.com | 38.126.130.202 | A | 13
53339 | os.tourtodaylaboratory.com | 54.213.65.193 | A | 60
45279 | k5854113.iavs9x.u.avast.com | 72.22.185.206 | A | 19
42887 | script.hotjar.com | 147.75.77.255 | A | 60
15002 | a.tribalfusion.com | 204.11.110.61 | A | 300
54642 | x5026866.iavs9x.u.avast.com | 72.22.185.200 | A | 19
3595 | mc.yandex.ru | 87.250.251.119 | A | 197
7366 | static.hotjar.com | map16-100.s.section.io | CNAME | 114
21203 | f3355109.iavs9x.u.avast.com | 72.22.185.206 | A | 19
53908 | rp.tourtodaylaboratory.com | 52.7.205.46 | A | 60
25380 | shepherd.ff.avast.com | 5.62.40.201 | A | 35
19931 | shepherd.ff.avast.com | 77.234.42.107 | A | 130
46003 | pixel.mathtag.com | pixel.mathtag.com.edgekey.net | CNAME | 166
15002 | a.tribalfusion.com | 204.11.109.66 | A | 300
7366 | static.hotjar.com | 147.75.77.43 | A | 60
11293 | vars.hotjar.com | map16-100.s.section.io | CNAME | 14
9370 | connect.facebook.net | 157.240.19.26 | A | 60
34115 | static.avast.com | 173.223.56.140 | A | 20
42887 | script.hotjar.com | map16-100.s.section.io | CNAME | 98
25321 | shepherd.ff.avast.com | 5.62.48.204 | A | 207
42887 | script.hotjar.com | 147.75.199.1 | A | 60
15002 | a.tribalfusion.com | 204.11.109.67 | A | 300
23013 | j4501229.iavs9x.u.avast.com | 72.22.185.200 | A | 19
54642 | x5026866.iavs9x.u.avast.com | 72.22.185.206 | A | 19
36433 | s-iavs9x.avcdn.net | 2600:141b:5000:3a7::240d | AAAA | 19
45279 | k5854113.iavs9x.u.avast.com | 72.22.185.200 | A | 19
20071 | cm.g.doubleclick.net | 172.217.10.66 | A | 300
53339 | os.tourtodaylaboratory.com | 52.40.83.6 | A | 60
19430 | s-iavs9x.avcdn.net | 184.29.85.139 | A | 19
30477 | stats.g.doubleclick.net | 172.217.197.157 | A | 300
54365 | dev.visualwebsiteoptimizer.com | 169.54.251.164 | A | 120
20583 | g0679661.iavs9x.u.avast.com | 72.22.185.200 | A | 19
10494 | b1477563.iavs9x.u.avast.com | 72.22.185.200 | A | 19
54072 | amplifypixel.outbrain.com | 64.202.112.19 | A | 199
25321 | shepherd.ff.avast.com | 5.62.48.205 | A | 207
22945 | d39ievd5spb5kl.cloudfront.net | 52.85.104.139 | A | 60
7366 | static.hotjar.com | 147.75.77.221 | A | 60
42146 | m5972635.vps18tiny.u.avcdn.net | 72.22.185.209 | A | 19
53853 | v6831430.iavs9x.u.avast.com | 72.22.185.206 | A | 19
16816 | amplify.outbrain.com | wildcard.outbrain.com.edgekey.net | CNAME | 263
7366 | static.hotjar.com | 147.75.199.1 | A | 60
22945 | d39ievd5spb5kl.cloudfront.net | 52.85.104.149 | A | 60
56676 | g5569634.vps18tiny.u.avcdn.net | 72.22.185.209 | A | 19
7366 | static.hotjar.com | 147.75.73.213 | A | 60
41072 | s-vps18tiny.avcdn.net | 2600:141b:5000:396::240d | AAAA | 19
42887 | script.hotjar.com | 147.75.77.221 | A | 60
40956 | h1745978.vps18tiny.u.avcdn.net | 72.22.185.209 | A | 19
45714 | t.av.st | 23.5.225.249 | A | 20
54072 | amplifypixel.outbrain.com | nydc1.outbrain.org | CNAME | 162
46003 | pixel.mathtag.com | 96.6.27.20 | A | 20
30477 | stats.g.doubleclick.net | 172.217.197.154 | A | 300
63736 | cdneu.tourtodaylaboratory.com | 146.185.27.45 | A | 60
29317 | www.googleadservices.com | pagead.l.doubleclick.net | CNAME | 300
28297 | k5854113.vps18tiny.u.avcdn.net | 72.22.185.209 | A | 19
15002 | a.tribalfusion.com | 204.11.110.62 | A | 300
15002 | a.tribalfusion.com | 204.11.110.64 | A | 300
42146 | m5972635.vps18tiny.u.avcdn.net | 72.22.185.208 | A | 19
11293 | vars.hotjar.com | 147.75.76.93 | A | 29
40956 | h1745978.vps18tiny.u.avcdn.net | 72.22.185.208 | A | 19
3595 | mc.yandex.ru | 87.250.250.119 | A | 197
51351 | b4380882.iavs9x.u.avast.com | 72.22.185.206 | A | 19
22945 | d39ievd5spb5kl.cloudfront.net | 52.85.104.103 | A | 60
16816 | amplify.outbrain.com | 69.192.110.3 | A | 20
56676 | g5569634.vps18tiny.u.avcdn.net | 72.22.185.208 | A | 19
21697 | action.dstillery.com | 204.2.197.202 | A | 13
42965 | 6633083.fls.doubleclick.net | 172.217.10.38 | A | 300
20927 | shepherd.ff.avast.com | shepherd.ns1.ff.avast.com | CNAME | 175
30477 | stats.g.doubleclick.net | 172.217.197.156 | A | 300
7366 | static.hotjar.com | 147.75.78.123 | A | 60
14246 | gubuh.com | 52.0.16.153 | A | 60
53908 | rp.tourtodaylaboratory.com | 34.197.157.148 | A | 60
64191 | d4130079.iavs9x.u.avast.com | 72.22.185.200 | A | 19
20476 | googleads.g.doubleclick.net | pagead46.l.doubleclick.net | CNAME | 300
8037 | iavs9x.u.avast.com | 72.22.185.200 | A | 20
49087 | goquc.com | 54.225.213.54 | A | 60
15002 | a.tribalfusion.com | a-scl1.tribalfusion.com.akadns.net | CNAME | 300
7366 | static.hotjar.com | 147.75.76.93 | A | 60
60974 | cdnus.tourtodaylaboratory.com | 199.115.112.67 | A | 60
42887 | script.hotjar.com | 147.75.76.93 | A | 60
25565 | tr.outbrain.com | 151.101.194.2 | A | 25
15330 | v7event.stats.avast.com | analytics.ff.avast.com | CNAME | 16
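The rows above are already decoded; in the PCAP they arrive as DNS wire-format messages with label compression. As an added example (not the report vendor's code), the Python below decodes response packets, pools the answers across responses and applies the heuristic the indicator describes, requiring both a short TTL and a churning address set before naming a candidate. The responses are constructed here from the shepherd.ff.avast.com, www.avast.com and stats.g.doubleclick.net rows of the table (query IDs, addresses and TTLs as listed); the TTL and address-count thresholds and the function names are assumed values of mine.

```python
"""Added example, not from the report vendor: decode DNS responses from wire format and
apply a fast-flux style heuristic. A name is a candidate only when its A/AAAA answers
all carry short TTLs AND it resolved to several distinct addresses. Standard library only.
The thresholds (TTL < 300 s, at least 3 distinct addresses) are assumed values."""
import ipaddress
import struct
from collections import defaultdict

TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28
TYPE_NAME = {TYPE_A: "A", TYPE_CNAME: "CNAME", TYPE_AAAA: "AAAA"}


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:              # 2-byte pointer into an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return (query_id, [(owner, type, ttl, rdata), ...]) for the answer section."""
    qid, flags, qd, an = struct.unpack_from(">HHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                           # skip the question section
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype in (TYPE_A, TYPE_AAAA):
            value = str(ipaddress.ip_address(msg[off:off + rdlen]))
        elif rtype == TYPE_CNAME:
            value = read_name(msg, off)[0]
        else:
            value = msg[off:off + rdlen].hex()
        answers.append((owner, TYPE_NAME.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return qid, answers


def fast_flux_candidates(observations, max_ttl=300, min_addrs=3):
    """observations: (owner, type, ttl, value) tuples pooled from many responses.
    Low TTL alone is weak evidence (CDNs use 20-60 s TTLs); require address churn too."""
    addrs, ttls = defaultdict(set), defaultdict(list)
    for owner, rtype, ttl, value in observations:
        if rtype in ("A", "AAAA"):
            addrs[owner].add(value)
            ttls[owner].append(ttl)
    return sorted(n for n in addrs if len(addrs[n]) >= min_addrs and max(ttls[n]) < max_ttl)


def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\0"


def build_response(qid, qname, records):
    """Constructed response (one A question, given answers). Owners equal to qname are
    written as a pointer to the question name; CNAME targets are written uncompressed."""
    msg = struct.pack(">HHHHHH", qid, 0x8180, 1, len(records), 0, 0)
    msg += encode_name(qname) + struct.pack(">HH", TYPE_A, 1)
    for owner, rtype, ttl, value in records:
        rdata = encode_name(value) if rtype == TYPE_CNAME else ipaddress.ip_address(value).packed
        msg += (b"\xC0\x0C" if owner == qname else encode_name(owner))
        msg += struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


# Constructed to mirror rows in the table above (query IDs, addresses and TTLs taken
# from it), plus two controls that must not be flagged.
SAMPLE_RESPONSES = [
    build_response(19931, "shepherd.ff.avast.com", [
        ("shepherd.ff.avast.com", TYPE_A, 130, "5.62.48.205"),
        ("shepherd.ff.avast.com", TYPE_A, 130, "77.234.42.107")]),
    build_response(25380, "shepherd.ff.avast.com", [
        ("shepherd.ff.avast.com", TYPE_A, 35, "5.62.40.21"),
        ("shepherd.ff.avast.com", TYPE_A, 35, "5.62.40.201")]),
    build_response(46640, "www.avast.com", [("www.avast.com", TYPE_A, 20, "23.3.126.88")]),
    build_response(30477, "stats.g.doubleclick.net", [
        ("stats.g.doubleclick.net", TYPE_A, 300, "172.217.197.15%d" % i) for i in (4, 5, 6)]),
]


def sample_candidates():
    pooled = [rr for msg in SAMPLE_RESPONSES for rr in parse_response(msg)[1]]
    return fast_flux_candidates(pooled)
```

Only shepherd.ff.avast.com comes out as a candidate: four distinct addresses with TTLs between 35 and 130 seconds, whereas www.avast.com has a 20-second TTL but a single address, and stats.g.doubleclick.net has several addresses but 300-second TTLs. In real traffic the A records behind a CNAME are owned by the CNAME target (see the 20927 row above), so pool by the queried name rather than the owner when chains are involved. Passing the heuristic is still not proof: a CDN-fronted vendor host behaves the same way, which is why this indicator carries a confidence of 20.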
Severity: 25     Confidence: 25

URL Resulted in 404 or Empty File

A sample reached out to a URL that returned either a known 404 page or an empty response. This may indicate a retired campaign or successful incident response, with the file or files the authors intended to download no longer present. It can also simply be a beacon or tracking endpoint that returns nothing by design (the same host receives POSTs in the indicator below), so compare the request method and body with the response before drawing a conclusion.

Network Stream | URL (stream identifiers were not captured; four separate streams)
http://rp.tourtodaylaboratory.com:80/
http://rp.tourtodaylaboratory.com:80/
http://rp.tourtodaylaboratory.com:80/
http://rp.tourtodaylaboratory.com:80/
Severity: 25     Confidence: 25

Outbound Communications to Nginx Web Server

Outbound traffic to a remote nginx web server was detected. This is not inherently suspicious: nginx serves a large share of the web, and malware authors also use it to host malicious content or the additional files and executables a sample downloads. The Server header is set by the responding server and is trivial to change or strip, so treat it as a pivot for clustering infrastructure rather than as evidence on its own: the img, cdneu and cdnus hosts of tourtodaylaboratory.com below announce nginx/1.10.2, nginx/1.0.10 and nginx/1.6.2 respectively, while the remaining hosts return a bare nginx. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.

Method | URL | Header Name | Header Value (stream identifiers were not captured)
GET | http://img.tourtodaylaboratory.com:80/img/Webinebinec/teal_logo.png | server | nginx/1.10.2
GET | http://img.tourtodaylaboratory.com:80/img/Webinebinec/teal_logo_white.png | server | nginx/1.10.2
POST | http://goquc.com:80/ | server | nginx
GET | http://k5854113.iavs9x.u.avast.com:80/iavs9x/servers.def.vpx | server | nginx
POST | http://v7event.stats.avast.com:80/cgi-bin/iavsevents.cgi | server | nginx
GET | http://d4130079.iavs9x.u.avast.com:80/iavs9x/avbugreport_x64_ais-941.vpx | server | nginx
GET | http://j4501229.iavs9x.u.avast.com:80/iavs9x/prod-pgm.vpx | server | nginx
GET | http://iavs9x.u.avast.com:80/iavs9x/avast_free_antivirus_setup_online_x64.exe | server | nginx
GET | http://img.tourtodaylaboratory.com:80/img/Rowabobeso/bg_fus_TB.png | server | nginx/1.10.2
HEAD | http://cdneu.tourtodaylaboratory.com:80/ofr/Bigiwigi/Bigiwigi_b.cis | server | nginx/1.0.10
GET | http://d4130079.iavs9x.u.avast.com:80/iavs9x/prod-pgm.vpx | server | nginx
GET | http://cdneu.tourtodaylaboratory.com:80/ofr/Webinebinec/Webinebinec_Links_13Oct15.cis | server | nginx/1.0.10
GET | http://img.tourtodaylaboratory.com:80/img/Sibarasawi/logo_comp.png | server | nginx/1.10.2
GET | http://d4130079.iavs9x.u.avast.com:80/iavs9x/offertool_x64_ais-941.vpx | server | nginx
GET | http://img.tourtodaylaboratory.com:80/img/Tavasat/15Feb17/v2_fs/EN.jpg | server | nginx/1.10.2
GET | http://img.tourtodaylaboratory.com:80/img/Sibarasawi/bg_comp.png | server | nginx/1.10.2
GET | http://d4130079.iavs9x.u.avast.com:80/iavs9x/avdump_x86_ais-941.vpx | server | nginx
POST | http://v7event.stats.avast.com:80/cgi-bin/iavsevents.cgi | server | nginx
GET | http://h1745978.vps18tiny.u.avcdn.net:80/vps18tiny/prod-vps.vpx | server | nginx
HEAD | http://cdneu.tourtodaylaboratory.com:80/ofr/Webinebinec/Webinebinec_Links_13Oct15.cis | server | nginx/1.0.10
GET | http://cdnus.tourtodaylaboratory.com:80/ofr/Bigiwigi/Bigiwigi_b.cis | server | nginx/1.6.2
HEAD | http://cdneu.tourtodaylaboratory.com:80/ofr/Tavasat/Tavasat_18Jan19_m.cis | server | nginx/1.0.10
GET | http://d4130079.iavs9x.u.avast.com:80/iavs9x/avdump_x64_ais-941.vpx | server | nginx
GET | http://cdnus.tourtodaylaboratory.com:80/ofr/Tavasat/Tavasat_18Jan19_m.cis | server | nginx/1.6.2
POST | http://os.tourtodaylaboratory.com:80/FusionFileZilla/ | server | nginx
Severity: 25     Confidence: 25

Outbound HTTP POST Communications

Outbound HTTP POST to a remote server was detected. This is not inherently suspicious, but malware often uses POSTs to check in to command and control servers after infection or to upload or exfiltrate data. The POST bodies in the PCAP are the thing to read: their size, encoding and whether they carry machine or user identifiers distinguish product telemetry from a check-in or exfiltration. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.

Method | URL (stream identifiers were not captured)
POST | http://v7event.stats.avast.com:80/cgi-bin/iavsevents.cgi
POST | http://rp.tourtodaylaboratory.com:80/
POST | http://gubuh.com:80/
POST | http://www.google-analytics.com:80/collect
POST | http://rp.tourtodaylaboratory.com:80/
POST | http://rp.tourtodaylaboratory.com:80/
POST | http://rp.tourtodaylaboratory.com:80/
POST | http://v7event.stats.avast.com:80/cgi-bin/iavsevents.cgi
POST | http://goquc.com:80/
POST | http://os.tourtodaylaboratory.com:80/FusionFileZilla/
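The three HTTP indicators above ('URL Resulted in 404 or Empty File', 'Outbound Communications to Nginx Web Server' and 'Outbound HTTP POST Communications') are all derived from the same reassembled streams. As an added example (not the report vendor's code), the Python below splits the client and server halves of a keep-alive connection into messages, pairs each request with its response and computes those three indicators plus the list of POSTed-to domains. The two byte strings are constructed: the hosts and paths come from the tables above, while the bodies, extra headers and status codes are invented for the example. Only Content-Length bodies are handled (no chunked transfer encoding), and the function names are mine.

```python
"""Added example, not from the report vendor: reconstruct request/response pairs from
the two halves of a TCP stream and derive the HTTP indicators above (POSTs, Server
header, 404 or empty responses). Standard library only. Bodies are read by
Content-Length only; chunked transfer encoding is not handled."""


def parse_messages(data):
    """Split a byte stream into [(start_line, {header: value}, body), ...]."""
    msgs, pos = [], 0
    while True:
        head_end = data.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = data[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        body_len = int(headers.get("content-length", "0"))
        msgs.append((lines[0], headers, data[body_start:body_start + body_len]))
        pos = body_start + body_len
    return msgs


def pair_exchanges(client_stream, server_stream):
    """Pair the n-th request with the n-th response (HTTP/1.1 responses arrive in order).
    Each exchange is a dict: method, host, url, status, server, body_len."""
    exchanges = []
    for (req_line, req_hdr, _), (resp_line, resp_hdr, resp_body) in zip(
            parse_messages(client_stream), parse_messages(server_stream)):
        method, path, _ = req_line.split(" ", 2)
        host = req_hdr.get("host", "")
        exchanges.append({
            "method": method,
            "host": host,
            "url": "http://%s%s" % (host, path),
            "status": int(resp_line.split(" ")[1]),
            "server": resp_hdr.get("server", ""),
            "body_len": len(resp_body),
        })
    return exchanges


def indicators(exchanges):
    """The report's network indicators, computed from the paired exchanges."""
    out = {"posts": [], "nginx": [], "empty_or_404": [], "post_domains": set()}
    for ex in exchanges:
        if ex["method"] == "POST":
            out["posts"].append(ex["url"])
            out["post_domains"].add(ex["host"])
        if ex["server"].lower().startswith("nginx"):
            out["nginx"].append((ex["url"], ex["server"]))
        if ex["status"] == 404 or ex["body_len"] == 0:
            out["empty_or_404"].append(ex["url"])
    out["post_domains"] = sorted(out["post_domains"])
    return out


# Constructed client and server halves of one keep-alive connection. Hosts and paths
# are from the tables above; bodies, extra headers and status codes are invented.
CLIENT = (
    b"POST /FusionFileZilla/ HTTP/1.1\r\nHost: os.tourtodaylaboratory.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 16\r\n\r\n"
    b"step=1&locale=EN"
    b"GET /img/Webinebinec/teal_logo.png HTTP/1.1\r\nHost: img.tourtodaylaboratory.com\r\n\r\n"
    b"POST / HTTP/1.1\r\nHost: rp.tourtodaylaboratory.com\r\nContent-Length: 0\r\n\r\n"
)
SERVER = (
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 2\r\n\r\nok"
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.10.2\r\nContent-Type: image/png\r\nContent-Length: 8\r\n\r\n"
    b"\x89PNG\r\n\x1a\n"
    b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"
)


def sample_indicators():
    return indicators(pair_exchanges(CLIENT, SERVER))
```

Fed with the output of a 'Follow TCP Stream' export or a PCAP reader, this is also where the POST bodies themselves become visible, which the tables above cannot show. The request and response halves are parsed independently on purpose: that is how sandbox reassembly hands them over, and it keeps a malformed response from desynchronising the request list.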
Severity: 25     Confidence: 25

Sample flagged by antivirus service contacted domain

A sample flagged as malicious by an antivirus service was observed contacting, or attempting to contact, a domain. Such domains are often part of a sample's command and control infrastructure, but they may also be compromised sites hosting secondary payloads, or legitimate domains contacted to confirm Internet connectivity or to send analytics and product telemetry (www.google-analytics.com and v7event.stats.avast.com below fall into that last group), so weigh each domain on its own rather than treating the list as uniformly hostile.

Domain | Reason
v7event.stats.avast.com | HTTP POST to Domain
rp.tourtodaylaboratory.com | HTTP POST to Domain
gubuh.com | HTTP POST to Domain
www.google-analytics.com