File name: TotalCommanderv7.50Beta1Portable.exe
Full analysis: https://app.any.run/tasks/9866a041-6f56-4414-a5dc-e3a9ab4d1f54
Verdict: Malicious activity
Analysis date: June 13, 2025, 10:50:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive, 4 sections
MD5: B17DEBB93E144AA3D754DC0D19CDA883
SHA1: 2023E8A700231A41AFE242A3CBA89B0BCF4D1862
SHA256: 4593C1A8631F7E1EF5C748F7144386AD590A0144866F4B50EDB98542FF0AC625
SSDEEP: 98304:64lW4KIeFSTZaAU4Tti6tLENw8taac9O8nA9b0iAQcXJfPGraK9Tuk12i6q/l/vE:Rx1np

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • TOTALCMD.EXE (PID: 1044)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
    • Drops 7-zip archiver for unpacking

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
    • The process creates files with name similar to system file names

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
    • Drops a system driver (possible attempt to evade defenses)

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
    • There is functionality for taking screenshot (YARA)

      • TOTALCMD.EXE (PID: 1044)
    • Reads security settings of Internet Explorer

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
  • INFO

    • Create files in a temporary directory

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
    • The sample compiled with english language support

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
    • Reads the computer name

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
      • TOTALCMD.EXE (PID: 1044)
    • Checks supported languages

      • TOTALCMD.EXE (PID: 1044)
      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
    • Process checks whether UAC notifications are on

      • TOTALCMD.EXE (PID: 1044)
    • Checks proxy server information

      • slui.exe (PID: 5780)
    • Creates files or folders in the user directory

      • TOTALCMD.EXE (PID: 1044)
    • Process checks computer location settings

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
    • Compiled with Borland Delphi (YARA)

      • TOTALCMD.EXE (PID: 1044)
    • Reads the software policy settings

      • slui.exe (PID: 5780)
No Malware configuration.

TRiD

.exe | WinRAR Self Extracting archive (94.3)
.scr | Windows screen saver (2.3)
.dll | Win32 Dynamic Link Library (generic) (1.1)
.exe | Win32 Executable (generic) (0.8)
.exe | Win32 Executable Watcom C++ (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:09:16 14:17:44+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5
CodeSize: 81920
InitializedDataSize: 22528
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
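The EXIF block above is what a PE header parser reads out of the file, and the "RAR self-extracting archive" label in File info comes from the RAR marker that a WinRAR SFX stub carries in its overlay. The Python below is an added example for this page, not ANY.RUN's, ExifTool's or WinRAR's code: it recomputes the three hashes, reads the same header fields (machine, section count, timestamp, characteristics, linker version, sizes, entry point, subsystem), locates the RAR marker, and compares the SHA256 against the one the report lists. `build_sample_pe` is a constructed test image whose headers mirror the EXIF values; it is not the analysed sample, so its hashes will not match the ones printed above.

```python
import hashlib
import struct
from datetime import datetime, timezone

# RAR archive markers. A WinRAR SFX is an ordinary PE stub with the archive
# appended as an overlay, so finding one of these past the headers is the same
# evidence TRiD/`file` use to label a PE a "RAR self-extracting archive".
RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}
# IMAGE_FILE_* characteristic bits, named the way ExifTool prints them.
CHARACTERISTICS = [(0x0001, "No relocs"), (0x0002, "Executable"),
                   (0x0004, "No line numbers"), (0x0008, "No symbols"),
                   (0x0100, "32-bit"), (0x2000, "DLL")]


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in the upper-case form sandbox reports print."""
    return {"md5": hashlib.md5(data).hexdigest().upper(),
            "sha1": hashlib.sha1(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper()}


def parse_pe(data: bytes) -> dict:
    """Read the COFF and optional-header fields shown in the EXIF block."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    lmaj, lmin = struct.unpack_from("<BB", data, opt + 2)
    code, init, uninit, entry = struct.unpack_from("<IIII", data, opt + 4)
    os_major = struct.unpack_from("<H", data, opt + 40)[0]
    subsys_major = struct.unpack_from("<H", data, opt + 48)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset for PE32 and PE32+
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsec,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": ", ".join(n for bit, n in CHARACTERISTICS if chars & bit),
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "linker_version": f"{lmaj}.{lmin}",
        "code_size": code,
        "initialized_data_size": init,
        "uninitialized_data_size": uninit,
        "entry_point": hex(entry),
        "os_version": os_major,
        "subsystem_version": subsys_major,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def rar_sfx_offset(data: bytes) -> int:
    """File offset of an embedded RAR archive, or -1 when the PE carries none."""
    for marker in (RAR5_MARKER, RAR4_MARKER):
        off = data.find(marker, 0x40)    # skip the DOS header itself
        if off != -1:
            return off
    return -1


def triage(data: bytes, expected_sha256: str = "") -> dict:
    """Everything the File info / EXIF block states, recomputed from the bytes."""
    h = hashes(data)
    return {
        "hashes": h,
        "pe": parse_pe(data),
        "rar_sfx_offset": rar_sfx_offset(data),
        "matches_report": bool(expected_sha256) and h["sha256"] == expected_sha256.upper(),
    }


def build_sample_pe() -> bytes:
    """CONSTRUCTED test image: headers mirroring the report's EXIF values with a
    RAR 4 marker appended as the overlay. Not the real sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    ts = int(datetime(2008, 9, 16, 14, 17, 44, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x14C, 4, ts, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 5, 0, 81920, 22528, 0, 0x1000)
    struct.pack_into("<H", opt, 40, 4)   # MajorOperatingSystemVersion
    struct.pack_into("<H", opt, 48, 4)   # MajorSubsystemVersion
    struct.pack_into("<H", opt, 68, 2)   # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * 64 + RAR4_MARKER + b"\0" * 16


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

Pass the real file's bytes and the report's SHA256 to `triage` to confirm you are looking at the same sample before trusting any of the indicators below; a mismatch on SHA256 with matching header fields is exactly what a re-packed SFX looks like.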
No data.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → totalcommanderv7.50beta1portable.exe → totalcmd.exe; slui.exe (no specs)

Process information

PID: 1044
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\TOTALCMD.EXE"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\TOTALCMD.EXE
Parent process: TotalCommanderv7.50Beta1Portable.exe
User: admin
Company: C. Ghisler & Co.
Integrity Level: MEDIUM
Description: Total Commander 32 bit international version, file manager replacement for Windows
Version: 7.50
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\totalcmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2528
CMD: "C:\Users\admin\Desktop\TotalCommanderv7.50Beta1Portable.exe"
Path: C:\Users\admin\Desktop\TotalCommanderv7.50Beta1Portable.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\totalcommanderv7.50beta1portable.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 5780
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
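The process tree is the textbook SFX pattern: a user-launched executable on the Desktop (PID 2528, parent explorer.exe) extracts into %TEMP%\RarSFX0\ and runs TOTALCMD.EXE from there (PID 1044), both at MEDIUM integrity; slui.exe (PID 5780) is started by svchost.exe and is Windows activation, not part of the chain. A dropped binary executing out of a RarSFX staging directory is the behaviour worth a detection rule. The Python below is an added example, not ANY.RUN's signature logic: it walks Sysmon-style process creation events, reconstructs each process's ancestry, and flags that chain with its reasons. The events are constructed from the table above; the parent PIDs, the full paths of explorer.exe and svchost.exe, and the 7-Zip/NSIS staging-directory patterns are assumptions beyond what the report states.

```python
import re

# %TEMP% staging directories written by self-extractor stubs. "RarSFX<n>" is
# what this report shows; the 7-Zip SFX ("7zS<hex>") and NSIS ("ns<x>.tmp")
# patterns are an assumption added to cover sibling installer stubs.
SFX_STAGING = re.compile(
    r"\\AppData\\Local\\Temp\\(RarSFX\d+|7zS[0-9A-Fa-f]+|ns[0-9A-Za-z]+\.tmp)\\", re.I)
# Paths a standard user can write without elevation: a parent living here is a
# user-launched dropper rather than an installed product.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\", re.I)

# CONSTRUCTED process-creation events (Sysmon event 1 fields) modelled on the
# three monitored processes in the report. Parent PIDs and the full paths of
# explorer.exe/svchost.exe are assumptions; the report lists only their names.
EVENTS = [
    {"pid": 2528, "ppid": 4100, "integrity": "Medium",
     "image": r"C:\Users\admin\Desktop\TotalCommanderv7.50Beta1Portable.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 1044, "ppid": 2528, "integrity": "Medium",
     "image": r"C:\Users\admin\AppData\Local\Temp\RarSFX0\TOTALCMD.EXE",
     "parent_image": r"C:\Users\admin\Desktop\TotalCommanderv7.50Beta1Portable.exe"},
    {"pid": 5780, "ppid": 900, "integrity": "Medium",
     "image": r"C:\Windows\System32\slui.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(events, pid):
    """Image names from the outermost known ancestor down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen, last = [], set(), None
    while pid in by_pid and pid not in seen:      # `seen` guards against ppid loops
        seen.add(pid)
        last = by_pid[pid]
        chain.append(basename(last["image"]))
        pid = last["ppid"]
    if last is not None:                          # parent outside the event set: name only
        chain.append(basename(last["parent_image"]))
    return chain[::-1]


def flag_sfx_execution(events):
    """Flag processes executed out of an SFX staging directory and explain why."""
    findings = []
    for e in events:
        reasons = []
        staged = SFX_STAGING.search(e["image"])
        if staged:
            reasons.append(f"image executed from self-extractor staging dir {staged.group(1)}")
            if USER_WRITABLE.match(e["parent_image"]):
                reasons.append("parent is an executable in a user-writable path (dropper chain)")
        if reasons:
            findings.append({"pid": e["pid"], "image": e["image"], "reasons": reasons,
                             "chain": " -> ".join(ancestry(events, e["pid"]))})
    return findings


if __name__ == "__main__":
    for f in flag_sfx_execution(EVENTS):
        print(f["pid"], f["chain"])
        for reason in f["reasons"]:
            print("   -", reason)
```

On this tree only PID 1044 is flagged; slui.exe under svchost.exe is left alone because its image and parent are both under C:\Windows. The rule is deliberately about location and lineage rather than file names, since a legitimate portable build of Total Commander produces the same events as a trojanised one; what separates them is the signature check the MALICIOUS indicator above is based on, not the process tree.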
Total events: 4 565
Read events: 4 565
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 16
Suspicious files: 6
Text files: 49
Unknown types: 0

Dropped files

All listed files were written by PID 2528, TotalCommanderv7.50Beta1Portable.exe.

C:\Users\admin\AppData\Local\Temp\RarSFX0\TOTALCMD.HLP (binary)
  MD5: 3A0F8069720DA59CE1C4E7403C2E337D
  SHA256: 64274AF42BB1088DD4682FFEC3CEE203039E7062F816C795BC3473BB27B075A2
C:\Users\admin\AppData\Local\Temp\RarSFX0\UNRAR.DLL (executable)
  MD5: 421FC844F5EBE260AF7B8E64DC9E8D62
  SHA256: 97D8E67484327FEB5F0F89E41C9E2AAE6D0FA38EE16F736A6059D58B4B5DA554
C:\Users\admin\AppData\Local\Temp\RarSFX0\WC32TO16.EXE (executable)
  MD5: 552B40663B6F22377AF1809AF85711E3
  SHA256: 7D29F43234520D06A8F90F5B1B016FC008E3916BA260A30AADACA20ADEDCBE88
C:\Users\admin\AppData\Local\Temp\RarSFX0\UNACEV2.DLL (executable)
  MD5: DE02C4D04088B69E64ECC30A3D9E22E5
  SHA256: C9D28800E740A1569AEC8FE27DF10EF186D883F94CEC15A5C228826B45A24F9D
C:\Users\admin\AppData\Local\Temp\RarSFX0\TOTALCMD.EXE.MANIFEST (xml)
  MD5: 67E3D38F6B071C8C6C0A110423C1B397
  SHA256: 442236E62131DFB7E550D06D6B2CFCE324AB8BD793A455212276014FE2532047
C:\Users\admin\AppData\Local\Temp\RarSFX0\TOTALCMD.INC (text)
  MD5: E7D8B252504435AC6CC43709DC092B12
  SHA256: 0A2C32584FD9C90231A7B51455C1CDF7AC74E209CEDCF871FCD26D9CA4E47B70
C:\Users\admin\AppData\Local\Temp\RarSFX0\LANGUAGE\WCMD_DEU.LNG (text)
  MD5: B9410FDD13CCCE4F93924FD712BE613D
  SHA256: F4DCE4A23367FD92BD179DA2F572FC7AFD1C739F503C0CF1E04B2DF9CB72EEAE
C:\Users\admin\AppData\Local\Temp\RarSFX0\LANGUAGE\WCMD_DAN.LNG (text)
  MD5: EFD443D7CE416F9E8A8471B6517DCE9D
  SHA256: 76D16DCF1610D997C6EC24C43C537C273985EDBCD04C2397F8A31197AF7234BE
C:\Users\admin\AppData\Local\Temp\RarSFX0\WCMZIP32.DLL (executable)
  MD5: 78AB27B9290E9CD1BC2D403F9981AA5B
  SHA256: F72460EA1F8ACD8667690768AFA2171C95D1A92C6D897ECE78EBD148346A9FD2
C:\Users\admin\AppData\Local\Temp\RarSFX0\WCMICONS.INC (text)
  MD5: 23C484A28C49BDC838AB7B95FB24D55F
  SHA256: 3442715BBC5CAD665585BDE69D80C1EDB6B217543B90A84460F2722EAA98B01B
HTTP(S) requests: 28
TCP/UDP connections: 43
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP:port | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2140 | RUXIMICS.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
2140 | RUXIMICS.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.64:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted

The four POST requests to login.live.com/RST2.srf carry no PID or process name in the report; "-" marks fields the report leaves empty.

Connections

PID | Process | IP:port | Domain | ASN | CN (country) | Reputation
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2140 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
2140 | RUXIMICS.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
5944 | MoUsoCoreWorker.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.128
  • 20.190.159.2
  • 40.126.31.130
  • 20.190.159.73
  • 40.126.31.2
  • 40.126.31.71
  • 20.190.159.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info