URL:

https://filezilla-project.org/

Full analysis: https://app.any.run/tasks/439bc6f6-e8f6-4a6a-9e57-6f9cc2aaec92
Verdict: Malicious activity
Analysis date: July 24, 2024, 10:14:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MD5:

6E7CAE3E39D6CE3C53D6FAB17E20A746

SHA1:

1B8C8A8CC50EAA8183A0E6A7560E338824CFE274

SHA256:

EA2D60E6737A586338C2626ED8155C40308B46E209D74C217ADD2DEDE2058105

SSDEEP:

3:N8sEIVEjR+XJ:2lJRi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)
      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)
      • uninstall.exe (PID: 7232)

    • Registers / Runs the DLL via REGSVR32.EXE

      • uninstall.exe (PID: 7232)
      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)

  • SUSPICIOUS

    • Application launched itself

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)

    • Reads the date of Windows installation

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)
      • uninstall.exe (PID: 7232)
      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)

    • The process creates files with name similar to system file names

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)
      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)
      • uninstall.exe (PID: 7232)

    • Executable content was dropped or overwritten

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)
      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)
      • uninstall.exe (PID: 7232)

    • Reads security settings of Internet Explorer

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)
      • filezilla.exe (PID: 1936)

    • Creates a software uninstall entry

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)

    • Searches for installed software

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 6196)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 7144)
      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)
      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)
      • uninstall.exe (PID: 7232)
      • filezilla.exe (PID: 1936)

    • Checks proxy server information

      • slui.exe (PID: 6696)

    • Reads the computer name

      • identity_helper.exe (PID: 7144)
      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)
      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)
      • uninstall.exe (PID: 7232)
      • filezilla.exe (PID: 1936)

    • Reads the software policy settings

      • slui.exe (PID: 6696)

    • Reads Environment values

      • identity_helper.exe (PID: 7144)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 396)

    • Process checks computer location settings

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)

    • Create files in a temporary directory

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)
      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 7260)
      • uninstall.exe (PID: 7232)

    • Drops the executable file immediately after the start

      • msedge.exe (PID: 4992)
      • msedge.exe (PID: 396)

    • The process uses the downloaded file

      • msedge.exe (PID: 396)
      • msedge.exe (PID: 4304)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 396)
      • msedge.exe (PID: 4992)

    • Application launched itself

      • msedge.exe (PID: 396)

    • Creates files in the program directory

      • FileZilla_3.67.1_win64_sponsored2-setup.exe (PID: 3060)

    • Creates files or folders in the user directory

      • filezilla.exe (PID: 1936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
190
Monitored processes
47
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe no specs msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs filezilla_3.67.1_win64_sponsored2-setup.exe filezilla_3.67.1_win64_sponsored2-setup.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs uninstall.exe regsvr32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs regsvr32.exe no specs msedge.exe no specs filezilla.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
396"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://filezilla-project.org/"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\windows\system32\windows.networking.connectivity.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\dusmapi.dll
c:\windows\system32\capauthz.dll
c:\windows\system32\windows.staterepositorycore.dll
c:\windows\system32\windows.applicationmodel.dll
c:\windows\system32\appxdeploymentclient.dll
504"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x300,0x304,0x308,0x250,0x310,0x7fff00f45fd8,0x7fff00f45fe4,0x7fff00f45ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
916"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3516 --field-trial-handle=2440,i,5917321087814647841,6477355834663869162,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
1180"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2420 --field-trial-handle=2440,i,5917321087814647841,6477355834663869162,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
1252"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5636 --field-trial-handle=2440,i,5917321087814647841,6477355834663869162,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
1264"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4316 --field-trial-handle=2440,i,5917321087814647841,6477355834663869162,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
1488"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5804 --field-trial-handle=2440,i,5917321087814647841,6477355834663869162,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
1712"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5316 --field-trial-handle=2440,i,5917321087814647841,6477355834663869162,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1936"C:\Program Files\FileZilla FTP Client\filezilla.exe" C:\Program Files\FileZilla FTP Client\filezilla.exeFileZilla_3.67.1_win64_sponsored2-setup.exe
User:
admin
Company:
FileZilla Project
Integrity Level:
MEDIUM
Description:
FileZilla FTP Client
Version:
3, 67, 1, 0
1952"C:\WINDOWS\system32\regsvr32.exe" /s /u "C:\Program Files\FileZilla FTP Client\fzshellext_64.dll"C:\Windows\System32\regsvr32.exeuninstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
1 372
Read events
1 371
Write events
1
Delete events
0

Modification events

(PID) Process:(396) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197084
Operation:writeName:WindowTabManagerFileMappingId
Value:
{6BA6205A-0579-4663-9F9F-02E7244C9FC6}
Executable files
43
Suspicious files
354
Text files
805
Unknown types
19

Dropped files

PID
Process
Filename
Type
396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFe2546.TMP
MD5:
SHA256:
396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe2546.TMP
MD5:
SHA256:
396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFe2556.TMP
MD5:
SHA256:
396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFe25a4.TMP
MD5:
SHA256:
396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFe25d3.TMP
MD5:
SHA256:
396msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
87
DNS requests
79
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7376
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
396
msedge.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D
unknown
whitelisted
396
msedge.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEDGDDDcK1%2BSXYztus6AtaeY%3D
unknown
whitelisted
396
msedge.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D
unknown
whitelisted
7312
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3060
FileZilla_3.67.1_win64_sponsored2-setup.exe
POST
200
52.222.144.90:80
http://api.playanext.com/httpapi
unknown
unknown
760
lsass.exe
GET
200
18.65.41.80:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D
unknown
unknown
2452
svchost.exe
HEAD
200
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8bc315ba-54e5-49f4-9b75-997d7071eb06?P1=1722399780&P2=404&P3=2&P4=doEhHqU9lhWQo8CE3Ae7tklSKvrpBGLnirPwxRVvARl3ShCFCPM0Rhq%2f6Qp8WeggcFo2hvnHrv5NQy2u9yPZ%2fg%3d%3d
unknown
whitelisted
3060
FileZilla_3.67.1_win64_sponsored2-setup.exe
POST
52.222.144.90:80
http://api.playanext.com/httpapi
unknown
unknown
2452
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8bc315ba-54e5-49f4-9b75-997d7071eb06?P1=1722399780&P2=404&P3=2&P4=doEhHqU9lhWQo8CE3Ae7tklSKvrpBGLnirPwxRVvARl3ShCFCPM0Rhq%2f6Qp8WeggcFo2hvnHrv5NQy2u9yPZ%2fg%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6012
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3656
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4292
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
5368
SearchApp.exe
92.123.104.18:443
Akamai International B.V.
DE
unknown
4
System
192.168.100.255:137
whitelisted
239.255.255.250:1900
whitelisted
4.209.33.156:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 216.58.212.142
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
filezilla-project.org
  • 49.12.121.47
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.72
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
ads.filezilla-project.org
  • 49.12.121.47
whitelisted
www.bing.com
  • 2.23.209.169
  • 2.23.209.160
  • 2.23.209.168
  • 2.23.209.162
  • 2.23.209.166
  • 2.23.209.174
  • 2.23.209.163
  • 2.23.209.185
  • 2.23.209.181
  • 2.23.209.167
  • 2.23.209.157
  • 2.23.209.155
  • 2.23.209.153
  • 2.23.209.152
  • 2.23.209.154
  • 2.23.209.192
  • 2.23.209.136
  • 2.23.209.189
  • 2.23.209.139
  • 2.23.209.144
  • 2.23.209.143
  • 2.23.209.130
  • 2.23.209.141
  • 2.23.209.137
  • 2.23.209.171
  • 2.23.209.158
whitelisted
bzib.nelreports.net
  • 2.19.126.152
  • 2.19.126.145
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://filezilla-project.org/