File name: free-pdf-pro.exe

Full analysis: https://app.any.run/tasks/c1557e24-080e-4332-94c7-34e5166d76c5
Verdict: Malicious activity
Analysis date: February 01, 2024, 14:35:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 98C4D35C16B8E3045E28F6850908EECC
SHA1: 9F8F3DC169683BCF3BEACA37BF8584DC1CD46047
SHA256: 393C99C547885D903AB6FEF505FFA1CEC5272C52CA8335F5D07CDB079E6FD6B0
SSDEEP: 24576:vbCAKolHNNDaPTfFPdgoWPHUeq2iaJ//OXewTwHV6:zCN8HTaPTJyoWse9iaJ/GXVTw0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • free-pdf-pro.exe (PID: 268)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • free-pdf-pro.exe (PID: 268)
    • The process creates files with name similar to system file names

      • free-pdf-pro.exe (PID: 268)
    • Process drops legitimate windows executable

      • free-pdf-pro.exe (PID: 268)
    • Executable content was dropped or overwritten

      • free-pdf-pro.exe (PID: 268)
    • Reads the Internet Settings

      • FreePDFProConverter.exe (PID: 2736)
  • INFO

    • Reads the computer name

      • free-pdf-pro.exe (PID: 268)
      • FreePDFProConverter.exe (PID: 2736)
    • Checks supported languages

      • free-pdf-pro.exe (PID: 268)
      • FreePDFProConverter.exe (PID: 2736)
    • Create files in a temporary directory

      • free-pdf-pro.exe (PID: 268)
    • Creates files or folders in the user directory

      • free-pdf-pro.exe (PID: 268)
      • FreePDFProConverter.exe (PID: 2736)
    • Reads the machine GUID from the registry

      • FreePDFProConverter.exe (PID: 2736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 23:57:46+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Free PDF Pro
FileVersion: 1.0.0.0
LegalCopyright: Copyright © 2023 Active Intellect AI LLC
ProductName: Free PDF Pro
ProductVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → free-pdf-pro.exe → freepdfproconverter.exe

Process information

PID: 268
CMD: "C:\Users\admin\AppData\Local\Temp\free-pdf-pro.exe"
Path: C:\Users\admin\AppData\Local\Temp\free-pdf-pro.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Free PDF Pro
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\free-pdf-pro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

PID: 2736
CMD: C:\Users\admin\AppData\Roaming\PDFPro\FreePDFProConverter.exe
Path: C:\Users\admin\AppData\Roaming\PDFPro\FreePDFProConverter.exe
Parent process: free-pdf-pro.exe
User: admin
Integrity Level: MEDIUM
Description: FreePDFProConverter
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\pdfpro\freepdfproconverter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Total events: 1 320
Read events: 1 319
Write events: 1
Delete events: 0

Modification events

(PID) Process: (2736) FreePDFProConverter.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Explorer.EXE

Executable files: 13
Suspicious files: 2
Text files: 4
Unknown types: 1

Dropped files

PID | Process | Filename | Type
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Local\Temp\nsz3510.tmp\modern-wizard.bmp | image
MD5:9E4CD80A60DB6947642677BF31A10906
SHA256:A7B2F12E01CBEA88D4F645F797F2CA6107D76AE13CD1BE6DC532B759BFE0D925
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\FreePDFProConverter.exe | executable
MD5:5E20020A9D61136B75922E50EE07096F
SHA256:4C92F4BE6AD47464DC896C2B7DFCB3C2E1B746BB7863A894ED05D1FA487C1084
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\FreePDFProConverter.pdb | pdb
MD5:535570B633F3C0B4CE3E284471E3294A
SHA256:EFAAD96930D1801C3857FF74D9B959B04BB636ECAE21E1EB6DBD3AFE8D0F7243
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Local\Temp\nsz3510.tmp\System.dll | executable
MD5:CFF85C549D536F651D4FB8387F1976F2
SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\Microsoft.Xaml.Behaviors.pdb | binary
MD5:DB7FDE2D3EBCE71E5A0FEF7502B377B9
SHA256:5DCEC23EC8C56D07E7FE0D9D06B2DAFD943858337F3562DEC8546D827C5A343A
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\runtimes\win-arm64\native\WebView2Loader.dll | executable
MD5:F88D5949A163BDBB67E0658B9E67CCE0
SHA256:9D47338D5F8DDE0C524E61C9A8A8461EB51D930B795AC4FBE0D1D73D8BFEC790
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\Microsoft.Web.WebView2.Core.dll | executable
MD5:7E2BC58A005E0F41D74CE4B762E0FE89
SHA256:AF0E477405AAAD87424CF3930818B4E7901A0077B13B8E0882E9B435ED6F4B4C
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\JetBrains.Annotations.dll | executable
MD5:955A2555BEC853489DD45DCF7FD10C1C
SHA256:F5177E397A60A587AB92934A415A5803C7E005360F40042FCDFE3C55BB78ABDB
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free PDF Pro\Free PDF Pro.lnk | binary
MD5:9695A00D5CE697FBB4F2F27BA39174C3
SHA256:7CBCE074990A398F54078707BAD351561892B786327A871F2746713F0650BC91
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\Microsoft.Web.WebView2.Wpf.dll | executable
MD5:021975A0451EC73478B2A7A5759105EE
SHA256:7A6B8C5658FE8FFB05F8DF283FE7EE5D2B68BD34AAF70CC847FC7C935FB14767
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected

Process | Message
FreePDFProConverter.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
FreePDFProConverter.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.