File name:

FileZilla_3.67.0_win64_sponsored2-setup.exe

Full analysis: https://app.any.run/tasks/b66f24b5-ee69-4db9-bbd4-97fcbaa8c6e5
Verdict: Malicious activity
Analysis date: April 26, 2024, 04:55:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

E4ACF0E303E9F1371F029E013F902262

SHA1:

180F686F2AFE1AD0AC6F3498E70AF910FCBCE620

SHA256:

9BE2103D3418D266DE57143C2164B31C27DFA73C22E42137F3FE63A21F793202

SSDEEP:

98304:mrCHbIa9rYHGaqIGfqdr0qTxR7taD08ELRBX8YPi83BTqk4Sm7hPN50m7OXLV4Ji:iE5f2PcScEDFhoXt+1DNb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • uninstall.exe (PID: 3084)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • uninstall.exe (PID: 3084)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • uninstall.exe (PID: 3084)

    • The process creates files with name similar to system file names

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • uninstall.exe (PID: 3084)

    • Application launched itself

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)

    • Searches for installed software

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)

    • Creates/Modifies COM task schedule object

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)

    • Creates a software uninstall entry

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)

  • INFO

    • Reads the computer name

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • uninstall.exe (PID: 3084)

    • Checks supported languages

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • uninstall.exe (PID: 3084)

    • Create files in a temporary directory

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 1072)
      • uninstall.exe (PID: 3084)

    • Creates files in the program directory

      • FileZilla_3.67.0_win64_sponsored2-setup.exe (PID: 2268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:09:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.67.0.0
ProductVersionNumber: 3.67.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Tim Kosse
FileDescription: FileZilla FTP Client
FileVersion: 3.67.0
LegalCopyright: Tim Kosse
OriginalFileName: FileZilla_3.67.0_win32-setup.exe
ProductName: FileZilla
ProductVersion: 3.67.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start filezilla_3.67.0_win64_sponsored2-setup.exe filezilla_3.67.0_win64_sponsored2-setup.exe uninstall.exe

Process information

PID
CMD
Path
Indicators
Parent process
1072"C:\Users\admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe" C:\Users\admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe
explorer.exe
User:
admin
Company:
Tim Kosse
Integrity Level:
MEDIUM
Description:
FileZilla FTP Client
Version:
3.67.0
Modules
Images
c:\users\admin\appdata\local\temp\filezilla_3.67.0_win64_sponsored2-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
2268"C:\Users\admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe" /UAC:1C018A /NCRC C:\Users\admin\AppData\Local\Temp\FileZilla_3.67.0_win64_sponsored2-setup.exe
FileZilla_3.67.0_win64_sponsored2-setup.exe
User:
admin
Company:
Tim Kosse
Integrity Level:
HIGH
Description:
FileZilla FTP Client
Version:
3.67.0
Modules
Images
c:\users\admin\appdata\local\temp\filezilla_3.67.0_win64_sponsored2-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
3084"C:\Program Files\FileZilla FTP Client\uninstall.exe" /frominstall /keepstartmenudir _?=C:\Program Files\FileZilla FTP ClientC:\Program Files\FileZilla FTP Client\uninstall.exe
FileZilla_3.67.0_win64_sponsored2-setup.exe
User:
admin
Company:
Tim Kosse
Integrity Level:
HIGH
Description:
FileZilla FTP Client
Exit code:
0
Version:
3.65.0
Modules
Images
c:\program files\filezilla ftp client\uninstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events
7 262
Read events
7 213
Write events
33
Delete events
16

Modification events

(PID) Process:(3084) uninstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileZilla3CopyHook
Operation:delete keyName:(default)
Value:
(PID) Process:(3084) uninstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}\InProcServer32
Operation:delete keyName:(default)
Value:
(PID) Process:(3084) uninstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB70412E-EEC9-479C-BBA9-BE36BFDDA41B}
Operation:delete keyName:(default)
Value:
(PID) Process:(3084) uninstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla 3\fzshellext
Operation:delete valueName:Enable
Value:

(PID) Process:(3084) uninstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla 3\fzshellext
Operation:delete keyName:(default)
Value:
(PID) Process:(3084) uninstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla 3
Operation:delete keyName:(default)
Value:
(PID) Process:(3084) uninstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:GlobalAssocChangedCounter
Value:
116
(PID) Process:(3084) uninstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:GlobalAssocChangedCounter
Value:
117
(PID) Process:(3084) uninstall.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:GlobalAssocChangedCounter
Value:
118
(PID) Process:(3084) uninstall.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Users\admin\AppData\Local\Temp\nsm56C5.tmp
Executable files
36
Suspicious files
38
Text files
687
Unknown types
85

Dropped files

PID
Process
Filename
Type
1072FileZilla_3.67.0_win64_sponsored2-setup.exeC:\Users\admin\AppData\Local\Temp\nsgE0BA.tmp\UAC.dllexecutable
MD5:ADB29E6B186DAA765DC750128649B63D
SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
3084uninstall.exeC:\Users\admin\AppData\Local\Temp\nsx5667.tmp\UAC.dllexecutable
MD5:ADB29E6B186DAA765DC750128649B63D
SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
2268FileZilla_3.67.0_win64_sponsored2-setup.exeC:\Users\admin\AppData\Local\Temp\nsc17A8.tmp\System.dllexecutable
MD5:4ADD245D4BA34B04F213409BFE504C07
SHA256:9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
1072FileZilla_3.67.0_win64_sponsored2-setup.exeC:\Users\admin\AppData\Local\Temp\nsgE0BA.tmp\UserInfo.dllexecutable
MD5:D458B8251443536E4A334147E0170E95
SHA256:4913D4CCCF84CD0534069107CFF3E8E2F427160CAD841547DB9019310AC86CC7
2268FileZilla_3.67.0_win64_sponsored2-setup.exeC:\Users\admin\AppData\Local\Temp\nsc17A8.tmp\UAC.dllexecutable
MD5:ADB29E6B186DAA765DC750128649B63D
SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
2268FileZilla_3.67.0_win64_sponsored2-setup.exeC:\Users\admin\AppData\Local\Temp\nsc17A8.tmp\nsDialogs.dllexecutable
MD5:1D8F01A83DDD259BC339902C1D33C8F1
SHA256:4B7D17DA290F41EBE244827CC295CE7E580DA2F7E9F7CC3EFC1ABC6898E3C9ED
2268FileZilla_3.67.0_win64_sponsored2-setup.exeC:\Users\admin\AppData\Local\Temp\nsc17A8.tmp\modern-wizard.bmpimage
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
3084uninstall.exeC:\Users\admin\AppData\Local\Temp\nsx5667.tmp\modern-wizard.bmpimage
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
1072FileZilla_3.67.0_win64_sponsored2-setup.exeC:\Users\admin\AppData\Local\Temp\nsgE0BA.tmp\System.dllexecutable
MD5:4ADD245D4BA34B04F213409BFE504C07
SHA256:9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
3084uninstall.exeC:\Users\admin\AppData\Local\Temp\nsx5667.tmp\UserInfo.dllexecutable
MD5:98FF85B635D9114A9F6A0CD7B9B649D0
SHA256:933F93A30CE44DF96CBC4AC0B56A8B02EE01DA27E4EA665D1D846357A8FCA8DE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
FileZilla_3.67.0_win64_sponsored2-setup.exe