File name:

Tftpd32-4.64-setup.exe

Full analysis: https://app.any.run/tasks/cd32099e-239d-4f21-9bce-0f8ba9a24ef3
Verdict: Malicious activity
Analysis date: February 13, 2024, 01:57:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

4A77C0A4701C751144D2D6161935F7F7

SHA1:

77D4D5E42D37C5389FC74BB0DFCF9D5B35A6DCE2

SHA256:

2DE0849E81686EF91AB4DFCA1C589247C7D8EDB937051B2DD3D4B9F16C8CB3FC

SSDEEP:

12288:sJ+gA6RPCuLmMl06EpwUG5IAeKPOFwTM84qpcy+qtv2tSoTqLQby463:swgA6RPCUmMlQqIWWFA4qphN28o+LQeb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Tftpd32-4.64-setup.exe (PID: 2848)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Tftpd32-4.64-setup.exe (PID: 2848)

    • Reads security settings of Internet Explorer

      • tftpd32.exe (PID: 2304)

    • Creates a software uninstall entry

      • Tftpd32-4.64-setup.exe (PID: 2848)

    • Reads the Internet Settings

      • tftpd32.exe (PID: 2304)
      • hh.exe (PID: 4000)

    • Reads Internet Explorer settings

      • hh.exe (PID: 4000)

    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 4000)

  • INFO

    • Reads the computer name

      • Tftpd32-4.64-setup.exe (PID: 2848)
      • tftpd32.exe (PID: 2304)

    • Creates files in the program directory

      • Tftpd32-4.64-setup.exe (PID: 2848)
      • hh.exe (PID: 4000)

    • Checks supported languages

      • Tftpd32-4.64-setup.exe (PID: 2848)
      • tftpd32.exe (PID: 2304)

    • Creates files or folders in the user directory

      • Tftpd32-4.64-setup.exe (PID: 2848)
      • hh.exe (PID: 4000)

    • Create files in a temporary directory

      • hh.exe (PID: 4000)

    • Reads security settings of Internet Explorer

      • hh.exe (PID: 4000)

    • Checks proxy server information

      • hh.exe (PID: 4000)

    • Reads the machine GUID from the registry

      • hh.exe (PID: 4000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:02 03:20:13+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 164864
UninitializedDataSize: 1024
EntryPoint: 0x312a
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start tftpd32-4.64-setup.exe tftpd32.exe hh.exe no specs tftpd32-4.64-setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2304"C:\Program Files\Tftpd32\Tftpd32.exe"C:\Program Files\Tftpd32\tftpd32.exe
Tftpd32-4.64-setup.exe
User:
admin
Company:
Ph. Jounin
Integrity Level:
HIGH
Description:
TFTP server
Exit code:
0
Modules
Images
c:\program files\tftpd32\tftpd32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2848"C:\Users\admin\AppData\Local\Temp\Tftpd32-4.64-setup.exe" C:\Users\admin\AppData\Local\Temp\Tftpd32-4.64-setup.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\tftpd32-4.64-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
3652"C:\Users\admin\AppData\Local\Temp\Tftpd32-4.64-setup.exe" C:\Users\admin\AppData\Local\Temp\Tftpd32-4.64-setup.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\tftpd32-4.64-setup.exe
c:\windows\system32\ntdll.dll
4000"C:\Windows\hh.exe" C:\Program Files\Tftpd32\Tftpd32.chmC:\Windows\hh.exetftpd32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
Total events
4 400
Read events
4 374
Write events
24
Delete events
2

Modification events

(PID) Process:(2848) Tftpd32-4.64-setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Tftpd32
Operation:writeName:Install_Dir
Value:
C:\Program Files\Tftpd32
(PID) Process:(2848) Tftpd32-4.64-setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tftpd32
Operation:writeName:DisplayName
Value:
Tftpd32 Standalone Edition (remove only)
(PID) Process:(2848) Tftpd32-4.64-setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tftpd32
Operation:writeName:UninstallString
Value:
"C:\Program Files\Tftpd32\uninstall.exe"
(PID) Process:(2848) Tftpd32-4.64-setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tftpd32
Operation:writeName:NoModify
Value:
1
(PID) Process:(2848) Tftpd32-4.64-setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tftpd32
Operation:writeName:NoRepair
Value:
1
(PID) Process:(2304) tftpd32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2304) tftpd32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2304) tftpd32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2304) tftpd32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4000) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
3
Suspicious files
8
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
2848Tftpd32-4.64-setup.exeC:\Program Files\Tftpd32\tftpd32.chmbinary
MD5:DE0095E371874836FB50CD3400D7B204
SHA256:810A0F52703D051B30D5ECD219C72B0599964DE34D1C1912367271C87D4725BF
2848Tftpd32-4.64-setup.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tftpd32\Uninstall.lnkbinary
MD5:F79D2D6E7C87C3258A09B9024E82C604
SHA256:B0AF69621B4A4CD141BA47F58A089B316CF4195ECE521809D0FB4F76BF338986
2848Tftpd32-4.64-setup.exeC:\Program Files\Tftpd32\EUPL-EN.pdfpdf
MD5:254B5DDBC15269E72BA3A0508681A70C
SHA256:CD5D9E2A925D8DAA92D083FD8C1CEA48DF1BCFFFD857F4F93E2148FDDC5001EC
2848Tftpd32-4.64-setup.exeC:\Program Files\Tftpd32\tftpd32.exeexecutable
MD5:733ED472EDBBA6FCCFF0A74882CD6B51
SHA256:C270EBD42AC19805F58BDA8A0A34898ADD80CDAFF3594038C3C9B47FDB0FA06A
4000hh.exeC:\Users\admin\AppData\Local\Temp\~DFEB296ECC21988BB1.TMPgmc
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
4000hh.exeC:\Users\admin\AppData\Local\Temp\IMT8855.tmpbinary
MD5:5D0E5693027A0E5ADF1D49847779B65C
SHA256:AC0710AABAAEAAC65507050647FA9D97A82639DA0D1D6B436800B177478C6D6B
2848Tftpd32-4.64-setup.exeC:\Program Files\Tftpd32\uninstall.exeexecutable
MD5:81982BE80DEC4E8462EF03FD5E44F406
SHA256:181A386BA1B874C4F2779A27181332374F640A89333C88E70309B829324DB07C
2848Tftpd32-4.64-setup.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tftpd32\Tftpd32.lnkbinary
MD5:232E76333D3A6C0BCCF6B279D9DDCA97
SHA256:B96AF275B7091456D595B1565185849F53A808F71904B39CF60BAE7B16DE624B
2848Tftpd32-4.64-setup.exeC:\Program Files\Tftpd32\tftpd32.initext
MD5:C973075D00B0BF2D5C4CB18155AD92FB
SHA256:0C00CBDAE4E3F2F430CA803E2E08BB3CBBA4E83CF9024DBB64DA212B8034E60D
2848Tftpd32-4.64-setup.exeC:\Users\admin\Desktop\Tftpd32.lnklnk
MD5:52DD11A0917547627C2936D41C4B7C67
SHA256:BE90E76384F81C88BA835844291ADA10DA9382F0621F4B8967E5DC0F215BBD14
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
tftpd32.exe
Th 2624 :opening comm socket
tftpd32.exe
Th 2624 :Console disconnected
tftpd32.exe
Th 2328 :Port 17152 may be reused
tftpd32.exe
Th 1040 :connected to console
tftpd32.exe
Th 2624 :Verify Console/GUI parameters
tftpd32.exe
Th 2624 :Version check OK
tftpd32.exe
Th 1040 :GUI Version check OK
tftpd32.exe
Th 2624 :Console connected
tftpd32.exe
Th 864 :Scheduler signal received
tftpd32.exe
Th 1040 :GUI: new service 4 status 4
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Tftpd32-4.64-setup.exe