File name: FileZilla_3.64.0_win64-setup.exe

Full analysis: https://app.any.run/tasks/4c4c4208-db56-463b-b30d-976d208de23d
Verdict: Malicious activity
Analysis date: November 30, 2023, 12:36:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 6A0ADCF34A2F0AC21089B994DFF02B85
SHA1: 4C5C3F6D95FADC1ED99AAB2D85F5B7122B041A72
SHA256: 0D8F5DBE4A1F05DDACDA6493733BED57FC54310C90BC6FDC764FB95A92441B40
SSDEEP: 196608:8WRJiq6Az8mHlykdYnsdZveP6BX2wEbUeX6gnG4od/q36hnWY4Jmc2TdB68fjC:8WRJD8mUsdIP68wEbjfod/gQnCoc8B12

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • FileZilla_3.64.0_win64-setup.exe (PID: 888)
      • uninstall.exe (PID: 824)
      • FileZilla_3.64.0_win64-setup.exe (PID: 2976)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • FileZilla_3.64.0_win64-setup.exe (PID: 888)
      • FileZilla_3.64.0_win64-setup.exe (PID: 2976)
      • uninstall.exe (PID: 824)
    • The process creates files with name similar to system file names

      • FileZilla_3.64.0_win64-setup.exe (PID: 888)
      • FileZilla_3.64.0_win64-setup.exe (PID: 2976)
      • uninstall.exe (PID: 824)
    • Reads the Internet Settings

      • FileZilla_3.64.0_win64-setup.exe (PID: 888)
    • Application launched itself

      • FileZilla_3.64.0_win64-setup.exe (PID: 888)
    • Searches for installed software

      • FileZilla_3.64.0_win64-setup.exe (PID: 2976)
  • INFO

    • Checks supported languages

      • FileZilla_3.64.0_win64-setup.exe (PID: 888)
      • FileZilla_3.64.0_win64-setup.exe (PID: 2976)
      • uninstall.exe (PID: 824)
    • Reads the computer name

      • FileZilla_3.64.0_win64-setup.exe (PID: 888)
      • FileZilla_3.64.0_win64-setup.exe (PID: 2976)
      • uninstall.exe (PID: 824)
    • Creates files in the program directory

      • FileZilla_3.64.0_win64-setup.exe (PID: 2976)
    • Create files in a temporary directory

      • FileZilla_3.64.0_win64-setup.exe (PID: 888)
      • uninstall.exe (PID: 824)
      • FileZilla_3.64.0_win64-setup.exe (PID: 2976)
No Malware configuration.

TRiD

Extension | Type | Match (%)
.exe | Win32 Executable MS Visual C++ (generic) | 67.4
.dll | Win32 Dynamic Link Library (generic) | 14.2
.exe | Win32 Executable (generic) | 9.7
.exe | Generic Win/DOS Executable | 4.3
.exe | DOS Executable Generic | 4.3

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:08:01 04:44:18+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x35d8
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.64.0.0
ProductVersionNumber: 3.64.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Tim Kosse
FileDescription: FileZilla FTP Client
FileVersion: 3.64.0
LegalCopyright: Tim Kosse
OriginalFileName: FileZilla_3.64.0_win32-setup.exe
ProductName: FileZilla
ProductVersion: 3.64.0
Total processes: 43
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start -> filezilla_3.64.0_win64-setup.exe (no specs) -> filezilla_3.64.0_win64-setup.exe -> uninstall.exe (no specs)

Process information

PID: 824
CMD: "C:\Program Files\FileZilla FTP Client\uninstall.exe" /frominstall /keepstartmenudir _?=C:\Program Files\FileZilla FTP Client
Path: C:\Program Files\FileZilla FTP Client\uninstall.exe
Parent process: FileZilla_3.64.0_win64-setup.exe
User: admin
Company: Tim Kosse
Integrity Level: HIGH
Description: FileZilla FTP Client
Exit code: 0
Version: 3.65.0
Modules (Images):
  c:\program files\filezilla ftp client\uninstall.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll

PID: 888
CMD: "C:\Users\admin\AppData\Local\Temp\FileZilla_3.64.0_win64-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\FileZilla_3.64.0_win64-setup.exe
Parent process: explorer.exe
User: admin
Company: Tim Kosse
Integrity Level: MEDIUM
Description: FileZilla FTP Client
Exit code: 0
Version: 3.64.0
Modules (Images):
  c:\users\admin\appdata\local\temp\filezilla_3.64.0_win64-setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll

PID: 2976
CMD: "C:\Users\admin\AppData\Local\Temp\FileZilla_3.64.0_win64-setup.exe" /UAC:90190 /NCRC
Path: C:\Users\admin\AppData\Local\Temp\FileZilla_3.64.0_win64-setup.exe
Parent process: FileZilla_3.64.0_win64-setup.exe
User: admin
Company: Tim Kosse
Integrity Level: HIGH
Description: FileZilla FTP Client
Exit code: 0
Version: 3.64.0
Modules (Images):
  c:\users\admin\appdata\local\temp\filezilla_3.64.0_win64-setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll
Total events: 2 164
Read events: 2 125
Write events: 23
Delete events: 16

Modification events

PID | Process | Key | Operation | Name | Value
824 | uninstall.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileZilla3CopyHook | delete key | (default) | -
824 | uninstall.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32 | delete key | (default) | -
824 | uninstall.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B} | delete key | (default) | -
824 | uninstall.exe | HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla 3\fzshellext | delete value | Enable | 1
824 | uninstall.exe | HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla 3\fzshellext | delete key | (default) | -
824 | uninstall.exe | HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla 3 | delete key | (default) | -
824 | uninstall.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | write | GlobalAssocChangedCounter | 115
824 | uninstall.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | write | GlobalAssocChangedCounter | 116
824 | uninstall.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | write | GlobalAssocChangedCounter | 117
824 | uninstall.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | write | GlobalAssocChangedCounter | 118
Executable files: 37
Suspicious files: 124
Text files: 689
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2976 | FileZilla_3.64.0_win64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsdC7D.tmp\UserInfo.dll | executable
  MD5: 98FF85B635D9114A9F6A0CD7B9B649D0
  SHA256: 933F93A30CE44DF96CBC4AC0B56A8B02EE01DA27E4EA665D1D846357A8FCA8DE
888 | FileZilla_3.64.0_win64-setup.exe | C:\Users\admin\AppData\Local\Temp\nshE463.tmp\UAC.dll | executable
  MD5: ADB29E6B186DAA765DC750128649B63D
  SHA256: 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
2976 | FileZilla_3.64.0_win64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsdC7D.tmp\nsDialogs.dll | executable
  MD5: 48F3E7860E1DE2B4E63EC744A5E9582A
  SHA256: 6BF9CCCD8A600F4D442EFE201E8C07B49605BA35F49A4B3AB22FA2641748E156
888 | FileZilla_3.64.0_win64-setup.exe | C:\Users\admin\AppData\Local\Temp\nshE463.tmp\System.dll | executable
  MD5: 564BB0373067E1785CBA7E4C24AAB4BF
  SHA256: 7A9DDEE34562CD3703F1502B5C70E99CD5BBA15DE2B6845A3555033D7F6CB2A5
2976 | FileZilla_3.64.0_win64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsdC7D.tmp\System.dll | executable
  MD5: 564BB0373067E1785CBA7E4C24AAB4BF
  SHA256: 7A9DDEE34562CD3703F1502B5C70E99CD5BBA15DE2B6845A3555033D7F6CB2A5
2976 | FileZilla_3.64.0_win64-setup.exe | C:\Program Files\FileZilla FTP Client\NEWS | text
  MD5: 1C9B9A41A5EDED134D0288910AC13EC2
  SHA256: 505BE87E50FAA17EF1C76ED5EF215509122AECA8D657EE724CDCE2A5402B9BCF
2976 | FileZilla_3.64.0_win64-setup.exe | C:\Program Files\FileZilla FTP Client\filezilla.exe | executable
  MD5: B7631822DFEA12C79B1C9DB86B7F776F
  SHA256: F4AEBFA40895D0AB252E6CF4E7051B5FBA59DECED421FA710DD8EF6497AC6823
824 | uninstall.exe | C:\Users\admin\AppData\Local\Temp\nsm2228.tmp\UserInfo.dll | executable
  MD5: 98FF85B635D9114A9F6A0CD7B9B649D0
  SHA256: 933F93A30CE44DF96CBC4AC0B56A8B02EE01DA27E4EA665D1D846357A8FCA8DE
824 | uninstall.exe | C:\Users\admin\AppData\Local\Temp\nsm2227.tmp | binary
  MD5: 83C7A3C549E69D9C0611883B4FEE89AD
  SHA256: A1977B353A536536E087556A12A6E103EF90699DBF625AF636E7969A4292EFDA
824 | uninstall.exe | C:\Users\admin\AppData\Local\Temp\nsm2228.tmp\System.dll | executable
  MD5: 564BB0373067E1785CBA7E4C24AAB4BF
  SHA256: 7A9DDEE34562CD3703F1502B5C70E99CD5BBA15DE2B6845A3555033D7F6CB2A5
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info