File name: free-pdf-pro.exe

Full analysis: https://app.any.run/tasks/c1557e24-080e-4332-94c7-34e5166d76c5
Verdict: Malicious activity
Analysis date: February 01, 2024, 14:35:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 98C4D35C16B8E3045E28F6850908EECC
SHA1: 9F8F3DC169683BCF3BEACA37BF8584DC1CD46047
SHA256: 393C99C547885D903AB6FEF505FFA1CEC5272C52CA8335F5D07CDB079E6FD6B0
SSDEEP: 24576:vbCAKolHNNDaPTfFPdgoWPHUeq2iaJ//OXewTwHV6:zCN8HTaPTJyoWse9iaJ/GXVTw0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • free-pdf-pro.exe (PID: 268)
  • SUSPICIOUS
    • Malware-specific behavior (creating "System.dll" in Temp)
      • free-pdf-pro.exe (PID: 268)
    • Process drops legitimate windows executable
      • free-pdf-pro.exe (PID: 268)
    • The process creates files with name similar to system file names
      • free-pdf-pro.exe (PID: 268)
    • Reads the Internet Settings
      • FreePDFProConverter.exe (PID: 2736)
    • Executable content was dropped or overwritten
      • free-pdf-pro.exe (PID: 268)
  • INFO
    • Reads the computer name
      • free-pdf-pro.exe (PID: 268)
      • FreePDFProConverter.exe (PID: 2736)
    • Checks supported languages
      • free-pdf-pro.exe (PID: 268)
      • FreePDFProConverter.exe (PID: 2736)
    • Create files in a temporary directory
      • free-pdf-pro.exe (PID: 268)
    • Creates files or folders in the user directory
      • free-pdf-pro.exe (PID: 268)
      • FreePDFProConverter.exe (PID: 2736)
    • Reads the machine GUID from the registry
      • FreePDFProConverter.exe (PID: 2736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 23:57:46+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Free PDF Pro
FileVersion: 1.0.0.0
LegalCopyright: Copyright © 2023 Active Intellect AI LLC
ProductName: Free PDF Pro
ProductVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process chain): start -> free-pdf-pro.exe -> freepdfproconverter.exe

Process information

PID | CMD | Path | Indicators | Parent process

268 | "C:\Users\admin\AppData\Local\Temp\free-pdf-pro.exe" | C:\Users\admin\AppData\Local\Temp\free-pdf-pro.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Free PDF Pro
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\free-pdf-pro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
2736 | C:\Users\admin\AppData\Roaming\PDFPro\FreePDFProConverter.exe | C:\Users\admin\AppData\Roaming\PDFPro\FreePDFProConverter.exe | - | free-pdf-pro.exe
User: admin
Integrity Level: MEDIUM
Description: FreePDFProConverter
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\roaming\pdfpro\freepdfproconverter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 1 320
Read events: 1 319
Write events: 1
Delete events: 0

Modification events

(PID) Process: (2736) FreePDFProConverter.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Explorer.EXE
Executable files: 13
Suspicious files: 2
Text files: 4
Unknown types: 1

Dropped files

PID | Process | Filename | Type
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free PDF Pro\Free PDF Pro.lnk | binary
MD5:9695A00D5CE697FBB4F2F27BA39174C3
SHA256:7CBCE074990A398F54078707BAD351561892B786327A871F2746713F0650BC91
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\Microsoft.Web.WebView2.WinForms.dll | executable
MD5:55971DDCADB9EDEFD0021622B115B4EB
SHA256:031FF9F9BF2AC816D53128D46A3E7B60C50A12A0B841A9CA367CF335B61429B0
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\Microsoft.Web.WebView2.Wpf.dll | executable
MD5:021975A0451EC73478B2A7A5759105EE
SHA256:7A6B8C5658FE8FFB05F8DF283FE7EE5D2B68BD34AAF70CC847FC7C935FB14767
2736 | FreePDFProConverter.exe | C:\Users\admin\AppData\Local\FreePDFProConvert\MouseScript.js | text
MD5:BFB5FBE3AB4E3A6870059565F2763049
SHA256:56A5E272EF0BB12BDDE114C234154C8C33BBF74A61A8D42D468883FB1F7968C5
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\Microsoft.Web.WebView2.Core.dll | executable
MD5:7E2BC58A005E0F41D74CE4B762E0FE89
SHA256:AF0E477405AAAD87424CF3930818B4E7901A0077B13B8E0882E9B435ED6F4B4C
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\Microsoft.Xaml.Behaviors.dll | executable
MD5:EC5A1ABEE150ABE698689211B07CD1EC
SHA256:B864DA9D88414877CEA9B1A016146265A5FB9D0E12F4DBB1DCCC0CC998119A54
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\Newtonsoft.Json.dll | executable
MD5:195FFB7167DB3219B217C4FD439EEDD6
SHA256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\runtimes\win-x64\native\WebView2Loader.dll | executable
MD5:211EB02C92C5067CD404DA51E268578E
SHA256:3AB69D8EF2D1A9C6299D760E86D9D0C3E418B834F96B8FE48623F9673CE6B4E2
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\Uninstall.exe | executable
MD5:878F9359A422BB70870C059A8A2696AF
SHA256:2CB6D70A5A87C78E2A75FF248C90C61CB7EAED8E5BBA85C562C9EDA21764BC9F
268 | free-pdf-pro.exe | C:\Users\admin\AppData\Roaming\PDFPro\runtimes\win-arm64\native\WebView2Loader.dll | executable
MD5:F88D5949A163BDBB67E0658B9E67CCE0
SHA256:9D47338D5F8DDE0C524E61C9A8A8461EB51D930B795AC4FBE0D1D73D8BFEC790
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
Process | Message
FreePDFProConverter.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
FreePDFProConverter.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.