File name: notsus.exe
Full analysis: https://app.any.run/tasks/cc70c1a9-72fc-4a41-8748-66ad620846e4
Verdict: Malicious activity
Analysis date: July 15, 2024, 01:51:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: 3028879AB8D5C87DC023049FA5BB5C1A
SHA1: F44FE052B6BAE5EFCB693C23071B0F6D3A4E1955
SHA256: A44BA123189855990795E3260A64B34CDAE6B29BF1C941818A34CBA8BBC45575
SSDEEP: 3:7Dn:H
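The header above is the security-relevant fact of this report: the submission is named .exe but is plain ASCII text, not a PE image. On the 32-bit Windows 7 guest used here, the shell hands any .exe that is not a valid Win32 image to the DOS subsystem, which is why the only process the sample itself accounts for is ntvdm.exe (PID 3380, parent explorer.exe) rather than a loader for notsus.exe. The script below is an added example written for this page (editor's own code, not ANY.RUN's): it classifies a file by its leading bytes instead of its name, flags the extension/content mismatch, predicts which loader Windows will use, and reproduces the three digests the report prints. The real bytes of notsus.exe are not on the page, so SAMPLE_BYTES is a constructed stand-in whose only resemblance to the sample is its shape (tiny ASCII text with no line terminator).

```python
import hashlib
from pathlib import Path

# Extensions the Windows shell launches directly as programs.
LAUNCHED_AS_PROGRAM = {".exe", ".com", ".scr"}


def classify(data: bytes) -> str:
    """Return a coarse content type from magic bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        # A PE image is an MZ stub whose dword at 0x3C points at "PE\0\0".
        if len(data) >= 0x40:
            pe_off = int.from_bytes(data[0x3C:0x40], "little")
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe"
        return "mz-dos"            # MZ stub only: 16-bit DOS/Win16 image
    if data[:4] == b"\x7fELF":
        return "elf"
    try:
        data.decode("ascii")
        return "ascii-text"        # what `file` reports for notsus.exe
    except UnicodeDecodeError:
        return "unknown-binary"


def hashes(data: bytes) -> dict:
    """The three digests the report prints, uppercase hex like the page."""
    return {alg: hashlib.new(alg, data).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256")}


def triage(name: str, data: bytes) -> dict:
    """Flag an extension/content mismatch and predict the loader's behaviour."""
    kind = classify(data)
    ext = Path(name).suffix.lower()
    mismatch = ext in LAUNCHED_AS_PROGRAM and kind not in ("pe", "mz-dos")
    if kind == "pe":
        expected_loader = "Win32/Win64 PE loader"
    elif kind == "mz-dos" or ext in LAUNCHED_AS_PROGRAM:
        # Anything launched as a program that is not a valid Win32 image is
        # treated as a DOS program: 32-bit Windows spawns ntvdm.exe (as in this
        # report); 64-bit Windows has no NTVDM and refuses to run it.
        expected_loader = "ntvdm.exe on 32-bit Windows (64-bit Windows: unsupported 16-bit application)"
    else:
        expected_loader = "not launched by the shell as a program"
    return {"name": name, "kind": kind, "extension": ext,
            "mismatch": mismatch, "expected_loader": expected_loader,
            **hashes(data)}


# Constructed stand-in for the sample (its real bytes are not on the page).
SAMPLE_NAME = "notsus.exe"
SAMPLE_BYTES = b"hello"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NAME, SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

Run against the real submission, the MD5/SHA1/SHA256 fields must match the header above; a "kind" other than "pe" for a file with an executable name is the mismatch that explains an ntvdm.exe child instead of the expected image load.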

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Creates file in the systems drive root
      • ntvdm.exe (PID: 3380)
    • Reads settings of System Certificates
      • filezilla.exe (PID: 3220)
      • filezilla.exe (PID: 3172)
  • INFO
    • Checks supported languages
      • filezilla.exe (PID: 3172)
      • filezilla.exe (PID: 3220)
    • Manual execution by a user
      • filezilla.exe (PID: 3172)
      • filezilla.exe (PID: 3220)
    • Creates files or folders in the user directory
      • filezilla.exe (PID: 3172)
      • filezilla.exe (PID: 3220)
    • Reads the computer name
      • filezilla.exe (PID: 3220)
      • filezilla.exe (PID: 3172)
    • Reads the machine GUID from the registry
      • filezilla.exe (PID: 3172)
      • filezilla.exe (PID: 3220)
No Malware configuration.
Total processes: 41
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 2

Behavior graph

start -> ntvdm.exe (no specs), filezilla.exe (no specs), filezilla.exe (no specs)

Process information

PID 3172
  Command line: "C:\Program Files\FileZilla FTP Client\filezilla.exe"
  Path: C:\Program Files\FileZilla FTP Client\filezilla.exe
  Parent process: explorer.exe
  User: admin
  Company: FileZilla Project
  Integrity level: MEDIUM
  Description: FileZilla FTP Client
  Version: 3, 65, 0, 0
  Modules (images):
    c:\program files\filezilla ftp client\filezilla.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\program files\filezilla ftp client\libfzclient-commonui-private-3-65-0.dll
    c:\program files\filezilla ftp client\libfzclient-private-3-65-0.dll
    c:\program files\filezilla ftp client\libfilezilla-40.dll
    c:\program files\filezilla ftp client\libgmp-10.dll
    c:\windows\system32\msvcrt.dll
    c:\program files\filezilla ftp client\libgcc_s_dw2-1.dll

PID 3220
  Command line: "C:\Program Files\FileZilla FTP Client\filezilla.exe"
  Path: C:\Program Files\FileZilla FTP Client\filezilla.exe
  Parent process: explorer.exe
  User: admin
  Company: FileZilla Project
  Integrity level: MEDIUM
  Description: FileZilla FTP Client
  Version: 3, 65, 0, 0
  Modules (images):
    c:\program files\filezilla ftp client\filezilla.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\program files\filezilla ftp client\libfzclient-commonui-private-3-65-0.dll
    c:\program files\filezilla ftp client\libfzclient-private-3-65-0.dll
    c:\program files\filezilla ftp client\libfilezilla-40.dll
    c:\program files\filezilla ftp client\libgmp-10.dll
    c:\windows\system32\msvcrt.dll
    c:\program files\filezilla ftp client\libgcc_s_dw2-1.dll

PID 3380
  Command line: "C:\Windows\system32\ntvdm.exe" -i1
  Path: C:\Windows\System32\ntvdm.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: NTVDM.EXE
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\windows\system32\ntvdm.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
Total events: 7 647
Read events: 7 647
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 0
Text files: 28
Unknown types: 0

Dropped files

PID 3220, filezilla.exe
  C:\Users\admin\AppData\Local\FileZilla\default_synchronize20x20.png
  Type: (not listed); MD5: (not listed); SHA256: (not listed)
PID 3172, filezilla.exe, type image
  C:\Users\admin\AppData\Local\FileZilla\default_processqueue20x20.png
  MD5: 8981536CE9B6CA800D4AA3E1531F5E18
  SHA256: FDF9033E11E9A2573320A4012154D4014AD288C3F6528079F22379566BE75D55
PID 3172, filezilla.exe, type xml
  C:\Users\admin\AppData\Roaming\FileZilla\layout.xml~
  MD5: 2C67357412FE5428D2EB67E2178925FA
  SHA256: 6E8BEE236C7BB6E2CD249AF7449B0F08AFCEBEBE4140CF818750E4489D570B69
PID 3380, ntvdm.exe, type text
  C:\Users\admin\AppData\Local\Temp\scsE1A2.tmp
  MD5: 8CF6DDB5AA59B49F34B967CD46F013B6
  SHA256: EE06792197C3E025B84860A72460EAF628C66637685F8C52C5A08A9CC35D376C
PID 3220, filezilla.exe, type image
  C:\Users\admin\AppData\Local\FileZilla\default_leds24x24.png
  MD5: 3CDB1F496431271DB6C442BC0DFA4C87
  SHA256: E9DB40BC4ACAF1B3D7C9262B6EB616C8C29DB3E34D4006443D36F1794553330E
PID 3220, filezilla.exe, type xml
  C:\Users\admin\AppData\Roaming\FileZilla\layout.xml~
  MD5: 2C67357412FE5428D2EB67E2178925FA
  SHA256: 6E8BEE236C7BB6E2CD249AF7449B0F08AFCEBEBE4140CF818750E4489D570B69
PID 3172, filezilla.exe, type image
  C:\Users\admin\AppData\Local\FileZilla\default_speedlimits16x16.png
  MD5: EF56A56C6385B8E73B8DF483FB2B7286
  SHA256: 8C31386474FBFEC93A303DF0ED1B2D6029CFFD648604A1FB91A9969107D2186F
PID 3172, filezilla.exe, type image
  C:\Users\admin\AppData\Local\FileZilla\default_sitemanager20x20.png
  MD5: 0DA3E808ABE002C20B4451F5D0F2990F
  SHA256: 6B2CE84C384134C13BCDBF03F3163EBD9B59E6E40D5A881DF02A2B671F8F12A1
PID 3172, filezilla.exe, type image
  C:\Users\admin\AppData\Local\FileZilla\default_queueview20x20.png
  MD5: FF1A0CACBDBCADD77C43F9E245345755
  SHA256: 281C277F9144F6E43BFFCEF5AD6888E9B8356AACAD75292DB364EA23BF2818C1
PID 3172, filezilla.exe, type image
  C:\Users\admin\AppData\Local\FileZilla\default_localtreeview20x20.png
  MD5: 6F1521A05994C29F5DB6711A2A56E25A
  SHA256: C0B2F0998B11BFBC0D5EE0FBCA3320CC79A5AF5DF16800F7EDAAB99C7AF0949F
HTTP(S) requests: 4
TCP/UDP connections: 13
DNS requests: 7
Threats: 0

HTTP requests

PID 1372, svchost.exe: GET, HTTP 304, 93.184.221.240:80
  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
  CN: unknown; Reputation: whitelisted
PID 1060, svchost.exe: GET, HTTP 304, 199.232.214.172:80
  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
  CN: unknown; Reputation: whitelisted
PID 1372, svchost.exe: GET, HTTP 200, 23.216.77.28:80
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
  CN: unknown; Reputation: whitelisted
PID 1372, svchost.exe: GET, HTTP 200, 95.101.149.131:80
  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
  CN: unknown; Reputation: whitelisted

The Type and Size columns are empty for all four rows. All four requests come from svchost.exe instances (PIDs 1372 and 1060) that are not among the three monitored processes; they fetch the Windows disallowed-certificate trust list (disallowedcertstl.cab) and two Microsoft CRLs, i.e. routine certificate-chain maintenance rather than activity of the sample.

Connections

PID 4, System: 192.168.100.255:137 (whitelisted)
(PID/process not shown): 224.0.0.252:5355 (whitelisted)
PID 1372, svchost.exe: 51.104.136.2:443, settings-win.data.microsoft.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN IE (whitelisted)
PID 1060, svchost.exe: 224.0.0.252:5355 (whitelisted)
PID 2564, svchost.exe: 239.255.255.250:3702 (whitelisted)
PID 4, System: 192.168.100.255:138 (whitelisted)
PID 1372, svchost.exe: 93.184.221.240:80, ctldl.windowsupdate.com, ASN EDGECAST, CN GB (whitelisted)
PID 1372, svchost.exe: 23.216.77.28:80, crl.microsoft.com, ASN Akamai International B.V., CN DE (unknown)
PID 1372, svchost.exe: 95.101.149.131:80, www.microsoft.com, ASN Akamai International B.V., CN NL (unknown)
PID 1060, svchost.exe: 199.232.214.172:80, ctldl.windowsupdate.com, ASN FASTLY, CN US (unknown)

Rows without a domain, ASN or CN show none on the page. None of the listed connections carries the PID of a monitored process (3172, 3220, 3380): the traffic is NetBIOS/LLMNR/WS-Discovery broadcast and Windows telemetry and certificate traffic from system processes.

DNS requests

google.com: 216.58.212.174 (whitelisted)
dns.msftncsi.com: 131.107.255.255 (whitelisted)
settings-win.data.microsoft.com: 51.104.136.2 (whitelisted)
ctldl.windowsupdate.com: 93.184.221.240, 199.232.214.172, 199.232.210.172 (whitelisted)
crl.microsoft.com: 23.216.77.28, 23.216.77.6 (whitelisted)
www.microsoft.com: 95.101.149.131 (whitelisted)
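Reading a report like this one means deciding which rows the sample can actually account for. Two of the three monitored processes (filezilla.exe, PIDs 3172 and 3220) carry the "Manual execution by a user" indicator, so their dropped files and registry reads are the analyst's doing, and every network row above belongs to a system process. The script below is an added example written for this page (editor's own code, not ANY.RUN's): it takes the dropped-file and connection rows transcribed from the report, charges them to process IDs, collapses duplicate dropped files by SHA256, and reports what is left for the sample. The attribution rule (monitored minus user-started) is the editor's assumption; the two connection rows the page shows without a PID are kept with None so they are counted but never attributed.

```python
# "Process information": the three monitored processes, all children of explorer.exe.
MONITORED = {3172: "filezilla.exe", 3220: "filezilla.exe", 3380: "ntvdm.exe"}
# "Manual execution by a user": the analyst started these, not the sample.
MANUAL = {3172, 3220}

# "Dropped files" rows from this page: (pid, process, path, sha256 or None when none is listed).
DROPPED = [
    (3220, "filezilla.exe", r"C:\Users\admin\AppData\Local\FileZilla\default_synchronize20x20.png", None),
    (3172, "filezilla.exe", r"C:\Users\admin\AppData\Local\FileZilla\default_processqueue20x20.png",
     "FDF9033E11E9A2573320A4012154D4014AD288C3F6528079F22379566BE75D55"),
    (3172, "filezilla.exe", r"C:\Users\admin\AppData\Roaming\FileZilla\layout.xml~",
     "6E8BEE236C7BB6E2CD249AF7449B0F08AFCEBEBE4140CF818750E4489D570B69"),
    (3380, "ntvdm.exe", r"C:\Users\admin\AppData\Local\Temp\scsE1A2.tmp",
     "EE06792197C3E025B84860A72460EAF628C66637685F8C52C5A08A9CC35D376C"),
    (3220, "filezilla.exe", r"C:\Users\admin\AppData\Local\FileZilla\default_leds24x24.png",
     "E9DB40BC4ACAF1B3D7C9262B6EB616C8C29DB3E34D4006443D36F1794553330E"),
    (3220, "filezilla.exe", r"C:\Users\admin\AppData\Roaming\FileZilla\layout.xml~",
     "6E8BEE236C7BB6E2CD249AF7449B0F08AFCEBEBE4140CF818750E4489D570B69"),
    (3172, "filezilla.exe", r"C:\Users\admin\AppData\Local\FileZilla\default_speedlimits16x16.png",
     "8C31386474FBFEC93A303DF0ED1B2D6029CFFD648604A1FB91A9969107D2186F"),
    (3172, "filezilla.exe", r"C:\Users\admin\AppData\Local\FileZilla\default_sitemanager20x20.png",
     "6B2CE84C384134C13BCDBF03F3163EBD9B59E6E40D5A881DF02A2B671F8F12A1"),
    (3172, "filezilla.exe", r"C:\Users\admin\AppData\Local\FileZilla\default_queueview20x20.png",
     "281C277F9144F6E43BFFCEF5AD6888E9B8356AACAD75292DB364EA23BF2818C1"),
    (3172, "filezilla.exe", r"C:\Users\admin\AppData\Local\FileZilla\default_localtreeview20x20.png",
     "C0B2F0998B11BFBC0D5EE0FBCA3320CC79A5AF5DF16800F7EDAAB99C7AF0949F"),
]

# "Connections" rows from this page: (pid, process, "ip:port", domain).
# The page shows one row without a PID or process name; it is kept as None.
CONNECTIONS = [
    (4, "System", "192.168.100.255:137", ""),
    (None, None, "224.0.0.252:5355", ""),
    (1372, "svchost.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (1060, "svchost.exe", "224.0.0.252:5355", ""),
    (2564, "svchost.exe", "239.255.255.250:3702", ""),
    (4, "System", "192.168.100.255:138", ""),
    (1372, "svchost.exe", "93.184.221.240:80", "ctldl.windowsupdate.com"),
    (1372, "svchost.exe", "23.216.77.28:80", "crl.microsoft.com"),
    (1372, "svchost.exe", "95.101.149.131:80", "www.microsoft.com"),
    (1060, "svchost.exe", "199.232.214.172:80", "ctldl.windowsupdate.com"),
]


def sample_pids(monitored=MONITORED, manual=MANUAL):
    """Monitored PIDs not started by the user: only these can be charged to the sample."""
    return sorted(set(monitored) - set(manual))


def attribute(rows, pids):
    """Rows whose PID (first field) is one of pids; a None PID never matches."""
    wanted = set(pids)
    return [row for row in rows if row[0] in wanted]


def dedupe_by_hash(rows):
    """Collapse rows with the same SHA256 (one file written twice); keep unhashed rows."""
    seen, unique = set(), []
    for row in rows:
        digest = row[3]
        if digest is not None and digest in seen:
            continue
        unique.append(row)
        if digest is not None:
            seen.add(digest)
    return unique


def summarize():
    """What the sample itself can be charged with, versus user and system background."""
    pids = sample_pids()
    return {
        "sample_pids": pids,
        "sample_dropped": [row[2] for row in attribute(DROPPED, pids)],
        "user_dropped": len(attribute(DROPPED, MANUAL)),
        "unique_dropped": len(dedupe_by_hash(DROPPED)),
        "sample_connections": attribute(CONNECTIONS, pids),
        "background_processes": sorted({row[1] for row in CONNECTIONS
                                        if row[1] is not None and row[0] not in MONITORED}),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On this report the summary leaves exactly one artifact for the sample, the temp file written by ntvdm.exe, and no network activity at all; the user-started FileZilla processes account for the other nine dropped files (eight distinct, since layout.xml~ is written twice with the same hash), and every connection belongs to System or svchost.exe.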

Threats

No threats detected
No debug info