ID: 376922
Sample Name: FreeFileSync_11.8_Windows_Setup.exe
Cookbook: default.jbs
Time: 22:44:49
Date: 27/03/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents  2
Analysis Report FreeFileSync_11.8_Windows_Setup.exe  4
Overview  4
General Information  4
Detection  4
Signatures  4
Classification  4
Analysis Advice  4
Startup  4
Configuration  4
Yara Overview  4
Sigma Overview  4
Signature Overview  5
Mitre Att&ck Matrix  5
Behavior Graph  5
Screenshots  6
Thumbnails  6
Antivirus, Machine Learning and Genetic Malware Detection  7
Initial Sample  7
Dropped Files  7
Unpacked PE Files  7
Domains  7
URLs  8
Domains and IPs  8
Contacted Domains  8
URLs from Memory and Binaries  8
Contacted IPs  10
General Information  10
Simulations  11
Behavior and APIs  11
Joe Sandbox View / Context  11
IPs  11
Domains  11
ASN  11
JA3 Fingerprints  11
Dropped Files  11
Created / dropped Files  11
Static File Info  14
General  14
File Icon  14
Static PE Info  14
General  14
Authenticode Signature  14
Entrypoint Preview  15
Data Directories  16
Sections  16
Resources  16
Imports  17
Exports  17
Version Infos  17
Possible Origin  17
Network Behavior  18
Code Manipulations  18
Statistics  18
Behavior  18
System Behavior  18
Copyright Joe Security LLC 2021 Page 2 of 22
Analysis Process: FreeFileSync_11.8_Windows_Setup.exe PID: 620 Parent PID: 5568  18
General  18
File Activities  18
File Created  18
File Written  19
File Read  19
Analysis Process: FreeFileSync_11.8_Windows_Setup.tmp PID: 3348 Parent PID: 620  19
General  19
File Activities  20
File Created  20
File Written  20
File Read  21
Analysis Process: FreeFileSync.exe PID: 3016 Parent PID: 3348  22
General  22
File Activities  22
Disassembly  22
Code Analysis  22

Analysis Report FreeFileSync_11.8_Windows_Setup.exe

Overview

General Information

Sample Name: FreeFileSync_11.8_Windows_Setup.exe
Analysis ID: 376922
MD5: af257f1cb06a063…
SHA1: d53c807d6cb12b…
SHA256: cee65d56e0f6cd2…
Most interesting Screenshot: [image]

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to call native f…
Contains functionality to check if a d…
Contains functionality to check if a w…
Contains functionality to dynamically…
Contains functionality to launch a pr…
Contains functionality to launch a pr…
Contains functionality to open a port…
Contains functionality to query CPU…
Contains functionality to query locale…
Contains functionality to read the PEB
Contains functionality to shutdown / …
Contains functionality which may be …
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (o…
Found dropped PE file which has n…
Found evasive API chain checking fo…
Found large amount of non-executed…
Found potential string decryption / a…
PE file contains an invalid checksum
PE file contains executable resource…
PE file contains sections with non-s…
PE file contains strange resources
Queries the volume information (na…
Sample file is different than original…
Uses 32bit PE files
Uses code obfuscation techniques (…

Classification

[Classification chart. Legend: malicious, suspicious, clean. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware]

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Startup

System is w10x64
FreeFileSync_11.8_Windows_Setup.exe (PID: 620 cmdline: 'C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe' MD5: AF257F1CB06A063644B2B3CBC14A5E1D)
    FreeFileSync_11.8_Windows_Setup.tmp (PID: 3348 cmdline: 'C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp' /SL5='$110078,17282871,899584,C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe' MD5: 90FFCDDC7F1ABC7A2BC2E54E2F9A8851)
        FreeFileSync.exe (PID: 3016 cmdline: 'C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\FreeFileSync.exe' ffs_setup_convert_jpg_to_bmp 'C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\img_15.jpg' MD5: EF608BE990DCCA691944F1A702E2C074)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Protection Evasion
• Language, Device and Operating System Detection
• Remote Access Functionality


There are no malicious signatures.

Mitre Att&ck Matrix

Matrix columns are listed below with their techniques in row order; a trailing number is the count shown next to that technique in the report.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter 3; Native API 2; At (); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Application Shimming 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Exploitation for Privilege Escalation 1; Access Token Manipulation 1; Process Injection 3; Application Shimming 1; Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading 1; Access Token Manipulation 1; Process Injection 3; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Steganography; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery 1; Security Software Discovery 2 1; Process Discovery 1; Application Window Discovery 1; System Owner/User Discovery 2; File and Directory Discovery 2; System Information Discovery 3 5
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph

[Behavior graph figure. Graph info: ID: 376922, Sample: FreeFileSync_11.8_Windows_S..., Startdate: 27/03/2021, Architecture: WINDOWS, Score: 9]

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Nodes and edges recovered from the figure (the number after a process is the count drawn on its node):

FreeFileSync_11.8_Windows_Setup.exe (2)
    dropped: C:\...\FreeFileSync_11.8_Windows_Setup.tmp, PE32
        started: FreeFileSync_11.8_Windows_Setup.tmp (14)
            dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
            dropped: C:\Users\user\AppData\...\FreeFileSync.exe, PE32
                started: FreeFileSync.exe (1)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
FreeFileSync_11.8_Windows_Setup.exe | 0% | Virustotal
FreeFileSync_11.8_Windows_Setup.exe | 0% | Metadefender
FreeFileSync_11.8_Windows_Setup.exe | 2% | ReversingLabs

Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp | 3% | Metadefender
C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\FreeFileSync.exe | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\FreeFileSync.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\_isetup\_setup64.tmp | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://www.remobjects.com/ps | 1% | Virustotal |
https://www.remobjects.com/ps | 0% | Avira URL Cloud | safe
subca.ocsp-certum.com01 | 0% | URL Reputation | safe
subca.ocsp-certum.com01 | 0% | URL Reputation | safe
subca.ocsp-certum.com01 | 0% | URL Reputation | safe
subca.ocsp-certum.com01 | 0% | URL Reputation | safe
https://www.innosetup.com/ | 3% | Virustotal |
https://www.innosetup.com/ | 0% | Avira URL Cloud | safe
https://FreeFileSync.orgpf7 | 0% | Avira URL Cloud | safe
https://FreeFileSync.orgpf | 0% | Avira URL Cloud | safe
cscasha2.ocsp-certum.com04 | 0% | Avira URL Cloud | safe
www.dk-soft.org/ | 0% | URL Reputation | safe
www.dk-soft.org/ | 0% | URL Reputation | safe
www.dk-soft.org/ | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://freefilesync.org/donate | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000002.472475163.0000000002318000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000003.209281754.0000000003520000.00000004.00000001.sdmp | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | FreeFileSync_11.8_Windows_Setup.exe | false | | high
repository.certum.pl/ctnca.cer0 | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.483654790.0000000005020000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | | high
repository.certum.pl/ctnca.cer09 | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.483654790.0000000005020000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | | high
repository.certum.pl/cscasha2.cer0 | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.483654790.0000000005020000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | | high
crl.certum.pl/ctnca.crl0k | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.483654790.0000000005020000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | | high
https://www.remobjects.com/ps | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
subca.ocsp-certum.com01 | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.483654790.0000000005020000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://www.innosetup.com/ | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.470991407.0000000000401000.00000020.00020000.sdmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
https://FreeFileSync.org | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.205584380.00000000024E0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000003.209281754.0000000003520000.00000004.00000001.sdmp | false | | high
https://api.freefilesync.org/new_installation | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000002.472475163.0000000002318000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000003.209281754.0000000003520000.00000004.00000001.sdmp | false | | high
www.openssl.org/) | FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000003.438911567.00000000009C7000.00000004.00000001.sdmp | false | | high
https://www.certum.pl/CPS0 | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.483654790.0000000005020000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | | high
fsf.org/ | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000002.472475163.0000000002318000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000003.438911567.00000000009C7000.00000004.00000001.sdmp | false | | high
https://FreeFileSync.orgpf7 | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000002.472550683.0000000002376000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
crl.certum.pl/cscasha2.crl0q | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.483654790.0000000005020000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | | high
www.certum.pl/CPS0 | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.483654790.0000000005020000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | | high
https://FreeFileSync.orgpf | FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.473691860.00000000025B8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline | FreeFileSync_11.8_Windows_Setup.exe | false | | high
cscasha2.ocsp-certum.com04 | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.206496507.000000007FBB0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000002.483654790.0000000005020000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp.0.dr | false | Avira URL Cloud: safe | unknown
www.dk-soft.org/ | FreeFileSync_11.8_Windows_Setup.exe, 00000000.00000003.205584380.00000000024E0000.00000004.00000001.sdmp, FreeFileSync_11.8_Windows_Setup.tmp, 00000001.00000003.209281754.0000000003520000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 376922
Start date: 27.03.2021
Start time: 22:44:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: FreeFileSync_11.8_Windows_Setup.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean9.winEXE@5/5@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 72.6% (good quality ratio 68.8%); Quality average: 76.2%; Quality standard deviation: 28.5%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings: Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\_isetup\_setup64.tmp
Associated Sample Name / URL (Detection): 4FNTlzlu10.exe (malicious); ajESKcIz8f.exe (malicious); 5KqnAZiZz1.exe (malicious); wBMrs2pk8w.exe (malicious); NocSbjtb9r.exe (malicious); UWbkgpAQuS.exe (malicious); aSxOjbS1Wr.exe (malicious); 9MyoOYNXKe.exe (malicious); BRnRfGXrIP.exe (malicious); MsBDqyJWav.exe (malicious); pass.exe (malicious); kDehUzwz2d.exe (malicious); trppS0BjmT.exe (malicious); mj8ejPVt3a.exe (malicious); 59f81_$ral84tx.exe (malicious); tFqfAPK60I.exe (malicious); jD8oMLSIrf.exe (malicious); RFLinkClient-2.30.0.29010.exe (malicious); SecuriteInfo.com.Trojan.Siggen12.25943.14679.exe (malicious); BitRecover IncrediMail Converter Wizard 4.8.exe (malicious)

Created / dropped Files

C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp

Process: C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3138608
Entropy (8bit): 6.413171991794661
Encrypted: false
SSDEEP: 49152:eLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvgFqB:6wSi0b67zeCzt0+yO3kSqW
MD5: 90FFCDDC7F1ABC7A2BC2E54E2F9A8851
SHA1: 330758FBDC0D0CBE3F0100DFDF6C6CCA99844E2E
SHA-256: 5BD81A830C57655CA0CD21EC6321530ACE3517B52DC87151D6FDD27D5FDED05B
SHA-512: 3056575CC6527AA96E01F094F3C5688AC49373BD5955FA9E39483FD5F93700BE40722B2BA7F44A76D7CDD44D6C14343A092E389E75950EDEEB62873DA4F913BE
Malicious: false
Antivirus: Metadefender, Detection: 3%; ReversingLabs, Detection: 4%
Reputation: low
Preview: MZP...... @...... InUn...... !..L.!..This program must be run under Win32..$7...... PE..L...p.._...... $,...... P6,...... @,...@...... 0...... 0...@...... @...... -...... `-.49....-...... /.0...... -...... i- ...... -...... text...P.+...... +...... `.itext..t(....,..*....+...... `.data...... @,...... (,...... @....bss.....x....,...... idata..49...`-..:....,...... @....didata ...... -...... ,...... @....edata...... -...... -...... @[email protected]...... rdata..].....-...... -...... @[email protected]...... -...... -...... @..@...... -...... @ ..@......

C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\FreeFileSync.exe

Process: C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 737328
Entropy (8bit): 6.124881756823897
Encrypted: false
SSDEEP: 12288:vFSza0VjawHRkpNgyUKxa2u/z/CCFhdb514ocPAwYf7kYO:vFsaajHQNgyUKxart3b51+ifwYO
MD5: EF608BE990DCCA691944F1A702E2C074
SHA1: 5AC8FA86EB59430D682D39DB90ECBEFE671F73EC
SHA-256: 69E0184096347B610296CC93830039EAF7DDE9402852F0DDA51E7D7C8D8872B5
SHA-512: 02685F3977B5B7B75AF0552CD4B0668BB4E4D52FCD54C19CC5A81DBB6C83CA9C7EA35E67F6C0F1617714C22298DEBE236E86A7C6ECC0453A75E3B923C3915B71
Malicious: false
Antivirus: Metadefender, Detection: 0%; ReversingLabs, Detection: 0%
Reputation: low
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... s.t.7...7...7...#...9...#...... A...... &...... "...#...... #...5...#...... 7...... ;...... 6...... 6...Rich7...... PE..L...U.<`...... t...... l...... @...... p...... <....@...... j...... *..0...... `C.....T...... 0...@...... text...p...... `.rdata...O...... P...... @[email protected]...,r...0...b...... @....rsrc....j...... l...z...... @[email protected]..`C...... D...... @..B......

C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\_isetup\_setup64.tmp

Process: C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.720366600008286
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA1: 019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512: 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious: false
Antivirus: Metadefender, Detection: 0%; ReversingLabs, Detection: 0%
Joe Sandbox View (Filename, Detection): 4FNTlzlu10.exe (malicious); ajESKcIz8f.exe (malicious); 5KqnAZiZz1.exe (malicious); wBMrs2pk8w.exe (malicious); NocSbjtb9r.exe (malicious); UWbkgpAQuS.exe (malicious); aSxOjbS1Wr.exe (malicious); 9MyoOYNXKe.exe (malicious); BRnRfGXrIP.exe (malicious); MsBDqyJWav.exe (malicious); pass.exe (malicious); kDehUzwz2d.exe (malicious); trppS0BjmT.exe (malicious); mj8ejPVt3a.exe (malicious); 59f81_$ral84tx.exe (malicious); tFqfAPK60I.exe (malicious); jD8oMLSIrf.exe (malicious); RFLinkClient-2.30.0.29010.exe (malicious); SecuriteInfo.com.Trojan.Siggen12.25943.14679.exe (malicious); BitRecover IncrediMail Converter Wizard 4.8.exe (malicious)
Reputation: high, very likely benign file
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ^...... l...... =\...... =\...... =\...... Rich...... PE.. d.....R...... #...... @...... `...... ,......

C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\img_15.bmp

Process: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\FreeFileSync.exe
File Type: PC bitmap, Windows 3.x format, 640 x 338 x 24
Category: dropped
Size (bytes): 649014
Entropy (8bit): 7.500115381467487
Encrypted: false
SSDEEP: 12288:6WYvRb+8chc2bdtgkAd4Ig3cCMCRC0eXspP+qQMaqIwRmuh4mx:O1bSvdtgX4IgsSRCbXcl4kHamx
MD5: 74EAECEF9BABEDAB3AE1AB0B2ACD6CF3
SHA1: 09E3D1848BFFBF4D894033B7D9C9E344C50F5608
SHA-256: B9C368ADB67133AED22DCABE83027AA98AD698E14379B74A70FC45E02222DCF1
SHA-512: D9D4CAFF83A4B94A04D997E6CAB2660AF76E9DD39091595F67A684D5E961D4DF5441382131A311C36C468BC3966FEFCA7E17FF07E5149EB4AADA3B880276B4F5
Malicious: false
Reputation: low
Preview: BM6...... 6...(...... R...... x...x...... bw^4V8-V78cB?dBDb?MbA-l@+l?'l?&n@)nA.oB/l@2j?&g: &g:%f9$e8#d7#d7$e8$e8"b8%d:'f<+g>.h?2jA8mE:oG7oD9qF;sHxH=zH>{IB}KD.MH.OJ.QK.RL.RC.OD.ND.LG~MK{QLvSLrVLnVFnKCjJAfL@dN@ bQ@bQ@bQ?aP>dR=dO=bN=bN=aP=]R:YR8VQ:OM:JQ?FYFGiQHz\L.jU.v^.}h..s..|...... ~..}..v..t.wq.oo.eov^qnYsfVsdX.bX.`U._S.[[email protected]@.Z?.[<.];._;.c9 .e:.f0.]/.\,.Y).V'.T&.S%.R%.R..M .O".P$.R%.R(.U+.X..Y2.Z4.\7._9.a:.b<.d?.gA.i<.l<.l=.m>.n>.n>.n=.m=.m<.i=.i?.i?.iA.iB.hB.gA.f;.]=._@.`B.`C._D.^D.^F._J.XK.YK.YN.ZN.ZP. [Q.\Q.\I.\H.[F.YE.XD.WA.T>.Q;.NC.V>.S9.N6|M3{L2zL1zL1zL1xM0wL0vM/uL0vN1wO3xS4yT/wM1yO4|R6~T4~T5.U5.W6.X7._7._8.`9.b:[email protected]. uH.sF.qG.qF.pD.lE.kE.kE.jD.hC.gB.d?.a

C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\img_15.jpg

Process: C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp
File Type: "", progressive, precision 8, 640x338, frames 3
Category: dropped
Size (bytes): 55247
Entropy (8bit): 7.974717723378599
Encrypted: false
SSDEEP: 1536:TSwKIX/5QWgKoITiq3nC46bClL8nvmb0Ntx:TSTiUeTtC4UdvmK
MD5: 74F3E6B3FDBD7DFF80BBB552DB298A81
SHA1: 8234FE0DFD12200623090A6751B3234A25CAAF9D
SHA-256: 4283631ACB069FC6F6186543595C169613009FA1BFEAB38F7F5EBD332E8D6B2A
SHA-512: 7311D02045969D0B0588D8ACE3B78D7571B6B2C498740C311457BAF29D9A8C4D94D29CAC6213477085907458370597A1A16DE2AE3D68E44DA595BCB626F6EB1C
Malicious: false
Reputation: low
Preview: ...... JFIF.....N.N...... R...... (!..%..."/#%)*,-,.!140+4(+,+...... +....+++++++++++++++++++++++++++++++++++++++++++++++++...... "...... `v].b...... ^.1..[.h..m..uL_n.....W..$I.M.(.Jt&..sTTy.TA.Fe%m..w...g..s...w..%.{4_.ps1..C..."Ci....U.._...F..dD....!...o....I.n+S.S)..F&' U.7..4.y.h...... \..+D.X....l.^.W`s./.sP.....A.`^ZP...m...+c`.vzhe.q.Z.;..V`z....K7^\....^z.S!'..UTM.B.4w.. J:.b..*.g.!?..8PI^..r)..w;3..`O3+...... d.w.\0...d..IR.P...{45V..5PRJ..@...... pJ.b`...$..:"Z.~a.q.N.t.4...F.....,.5..Q..TKbQt..zD..B.v..j.)...4...C..C...M.Za...9..~.v.rQ2...... o...... [W..1....6y.. .P.

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.98631654848823
TrID:
  Win32 Executable (generic) a (10002005/4) 98.45%
  Inno Setup installer (109748/4) 1.08%
  Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  Win16/32 Executable Delphi generic (2074/23) 0.02%
  Generic Win/DOS Executable (2004/3) 0.02%
File name: FreeFileSync_11.8_Windows_Setup.exe
File size: 18334168
MD5: af257f1cb06a063644b2b3cbc14a5e1d
SHA1: d53c807d6cb12b714e0315887ba69c570697478f
SHA256: cee65d56e0f6cd216b702ac4801ff177e0e6cb12296a7c7bb6d5bcf0f5226695
SHA512: c9640f3e1b3d740213e00cc9688f5fbbe5e0c9e1f67f9223ba08d837d60db19018e0ba6f8b1baacd4d783fe63b57c57e8d72ffa9f5868bca9d4d55e00e247525
SSDEEP: 393216:wnnHq6mniB8dTAS8WHgQj3wnqKBmMgjswGt+ZZ2:YnKJniB4sS8WHgQ0jCjbZw
File Content Preview: MZP...... @...... !..L.!.. This program must be run under Win32..$7......

File Icon

Icon Hash: f0c8d08ed8c4f030

Static PE Info

General

Entrypoint: 0x4b5eec
Entrypoint Section: .itext
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FB0F96E [Sun Nov 15 09:48:30 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 5a594319a0d69dbc452e748bcf05892e

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=Certum Code Signing CA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 1/18/2021 3:00:00 PM
Not After: 1/18/2024 3:00:00 PM
Subject Chain: [email protected], CN=Florian BAUER, O=Florian BAUER, S=Bavaria, C=DE
Version: 3
Thumbprint MD5: 8E4A3E22A35CF4A039C74C5EB7445855
Thumbprint SHA-1: 175B477FE709B6EDF4441B08AF3F27EDE3F5DE3E
Thumbprint SHA-256: 9207953A7D380F70BC5EB8AE016A3667DD7966E7A52D219A5E86CA1403D6DA16
Serial: 4C862D2340DCDFF769F4FFF5D1858E3D

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007F6B68C4BF25h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F6B68CEE64Fh
call 00007F6B68CEE1A2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F6B68C61998h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F6B68C46B17h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007F6B68C629FFh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F6B68CEE6D7h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F6B68CF4CBAh
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F6B68C632F4h
mov edx, dword ptr [004C1D90h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x217bc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x117aba8 | 0x1630 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb361c | 0xb3800 | False | 0.344863934105 | data | 6.35605820433 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | False | 0.544921875 | data | 5.97275005522 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | False | 0.360979352679 | data | 5.04440056201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss | 0xbb000 | 0x6de8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0xc2000 | 0xf36 | 0x1000 | False | 0.3681640625 | data | 4.89870464796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata | 0xc3000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.75636286825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata | 0xc4000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.87222286659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0xc6000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.38389437522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x217bc | 0x21800 | False | 0.497369111474 | data | 6.00254729849 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc74f8 | 0xa082 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0xd157c | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xe1da4 | 0x25a8 | data | English | United States
RT_ICON | 0xe434c | 0x10a8 | data | English | United States
RT_ICON | 0xe53f4 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_STRING | 0xe585c | 0x360 | data | |
RT_STRING | 0xe5bbc | 0x260 | data | |
RT_STRING | 0xe5e1c | 0x45c | data | |
RT_STRING | 0xe6278 | 0x40c | data | |
RT_STRING | 0xe6684 | 0x2d4 | data | |
RT_STRING | 0xe6958 | 0xb8 | data | |
RT_STRING | 0xe6a10 | 0x9c | data | |
RT_STRING | 0xe6aac | 0x374 | data | |
RT_STRING | 0xe6e20 | 0x398 | data | |
RT_STRING | 0xe71b8 | 0x368 | data | |
RT_STRING | 0xe7520 | 0x2a4 | data | |
RT_RCDATA | 0xe77c4 | 0x10 | data | |
RT_RCDATA | 0xe77d4 | 0x2c4 | data | |
RT_RCDATA | 0xe7a98 | 0x2c | data | |
RT_GROUP_ICON | 0xe7ac4 | 0x4c | data | English | United States
RT_VERSION | 0xe7b10 | 0x584 | data | English | United States
RT_MANIFEST | 0xe8094 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x454060
__dbk_fcall_wrapper | 2 | 0x40d0a0
dbkFCallWrapperAddr | 1 | 0x4be63c

Version Infos

Description | Data
LegalCopyright | Zenju - All Rights Reserved
FileVersion | 11.8
CompanyName | FreeFileSync.org
Comments | This installation was built with Inno Setup.
ProductName | FreeFileSync
ProductVersion | 11.8
FileDescription | FreeFileSync Setup
OriginalFileName |
Translation | 0x0000 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: FreeFileSync_11.8_Windows_Setup.exe PID: 620 Parent PID: 5568

General

Start time: 22:45:38
Start date: 27/03/2021
Path: C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe'
Imagebase: 0x400000
File size: 18334168 bytes
MD5 hash: AF257F1CB06A063644B2B3CBC14A5E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

File Activities

File Created

Source File Path: C:\Users\user\AppData\Local\Temp\is-53E49.tmp
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait
  Count: 1
  Address: 4AF035
  Symbol: CreateDirectoryW

Source File Path: C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp
  Access: read attributes | synchronize | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait
  Count: 1
  Address: 423DEA
  Symbol: CreateFileW

File Written

Source File Path: C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp
  Offset: unknown
  Length: 3138608
  Ascii: MZP...... @..... ...... InUn...... ...... !..L.!..This program must be run under Win32..$7 ......
  Completion: success or wait
  Count: 1
  Address: 423F10
  Symbol: WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe | unknown | 64 | success or wait | 1 | 423E74 | ReadFile
C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe | unknown | 4 | success or wait | 2 | 423E74 | ReadFile
C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe | unknown | 4 | success or wait | 2 | 423E74 | ReadFile

Analysis Process: FreeFileSync_11.8_Windows_Setup.tmp PID: 3348 Parent PID: 620

General

Start time: 22:45:40
Start date: 27/03/2021
Path: C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\is-53E49.tmp\FreeFileSync_11.8_Windows_Setup.tmp' /SL5='$110078,17282871,899584,C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe'
Imagebase: 0x400000
File size: 3138608 bytes
MD5 hash: 90FFCDDC7F1ABC7A2BC2E54E2F9A8851
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches: Detection: 3%, Metadefender; Detection: 4%, ReversingLabs
Reputation: low

File Activities

File Created

Source File Path: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait
  Count: 1
  Address: 60CEDD
  Symbol: CreateDirectoryW

Source File Path: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\_isetup
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait
  Count: 1
  Address: 6AB364
  Symbol: CreateDirectoryW

Source File Path: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\_isetup\_setup64.tmp
  Access: read attributes | synchronize | generic read | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait
  Count: 1
  Address: 423742
  Symbol: CreateFileW

Source File Path: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\FreeFileSync.exe
  Access: read attributes | synchronize | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait
  Count: 1
  Address: 5CAE1E
  Symbol: CreateFileW

Source File Path: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\img_15.jpg
  Access: read attributes | synchronize | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait
  Count: 1
  Address: 5CAE1E
  Symbol: CreateFileW

File Written

Source File Path: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\_isetup\_setup64.tmp
  Offset: unknown
  Length: 6144
  Ascii: MZ...... @..... ...... !..L.!This program cannot be run in DOS mode.... $...... ^...... l..... =\...... =\...... =\.. ....Rich...... PE..d...... R...... #.
  Completion: success or wait
  Count: 1
  Address: 42378D
  Symbol: WriteFile

Source File Path: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\FreeFileSync.exe
  Offset: unknown
  Length: 65536
  Ascii: MZ...... @..... ...... !..L.!This program cannot be run in DOS mode.... $...... s.t.7...7...7...#...9. ..#...... A...... &...... "...#...... #...5...#...... 7. ...... ;...... 6...... 6... Rich7......
  Completion: success or wait
  Count: 12
  Address: 5CAF78
  Symbol: WriteFile

Source File Path: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\img_15.jpg
  Offset: unknown
  Length: 55247
  Ascii: ...... JFIF.....N.N...... ......
  Completion: success or wait
  Count: 1
  Address: 5CAF78
  Symbol: WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe | unknown | 64 | success or wait | 1 | 5CAEA8 | ReadFile
C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe | unknown | 4 | success or wait | 2 | 5CAEA8 | ReadFile
C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe | unknown | 4 | success or wait | 2 | 5CAEA8 | ReadFile
C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe | unknown | 4 | success or wait | 2 | 5CAEA8 | ReadFile
C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe | unknown | 5 | success or wait | 7 | 5CAEA8 | ReadFile
C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\img_15.bmp | unknown | 14 | success or wait | 2 | 423761 | ReadFile
C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\img_15.bmp | unknown | 4 | success or wait | 8 | 423761 | ReadFile

Analysis Process: FreeFileSync.exe PID: 3016 Parent PID: 3348

General

Start time: 22:45:41
Start date: 27/03/2021
Path: C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\FreeFileSync.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\FreeFileSync.exe' ffs_setup_convert_jpg_to_bmp 'C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\img_15.jpg'
Imagebase: 0xcd0000
File size: 737328 bytes
MD5 hash: EF608BE990DCCA691944F1A702E2C074
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches: Detection: 0%, Metadefender; Detection: 0%, ReversingLabs
Reputation: low

File Activities


Disassembly

Code Analysis
