File name:

TotalCommanderv7.50Beta1Portable.exe

Full analysis: https://app.any.run/tasks/9866a041-6f56-4414-a5dc-e3a9ab4d1f54
Verdict: Malicious activity
Analysis date: June 13, 2025, 10:50:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive, 4 sections
MD5:

B17DEBB93E144AA3D754DC0D19CDA883

SHA1:

2023E8A700231A41AFE242A3CBA89B0BCF4D1862

SHA256:

4593C1A8631F7E1EF5C748F7144386AD590A0144866F4B50EDB98542FF0AC625

SSDEEP:

98304:64lW4KIeFSTZaAU4Tti6tLENw8taac9O8nA9b0iAQcXJfPGraK9Tuk12i6q/l/vE:Rx1np

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • TOTALCMD.EXE (PID: 1044)

  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)

    • The process creates files with name similar to system file names

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)

    • Executable content was dropped or overwritten

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)

    • Drops 7-zip archiver for unpacking

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)

    • Reads security settings of Internet Explorer

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)

    • There is functionality for taking screenshot (YARA)

      • TOTALCMD.EXE (PID: 1044)

  • INFO

    • Reads the computer name

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
      • TOTALCMD.EXE (PID: 1044)

    • Create files in a temporary directory

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)

    • The sample compiled with english language support

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)

    • Checks supported languages

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)
      • TOTALCMD.EXE (PID: 1044)

    • Process checks computer location settings

      • TotalCommanderv7.50Beta1Portable.exe (PID: 2528)

    • Process checks whether UAC notifications are on

      • TOTALCMD.EXE (PID: 1044)

    • Creates files or folders in the user directory

      • TOTALCMD.EXE (PID: 1044)

    • Compiled with Borland Delphi (YARA)

      • TOTALCMD.EXE (PID: 1044)

    • Checks proxy server information

      • slui.exe (PID: 5780)

    • Reads the software policy settings

      • slui.exe (PID: 5780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | WinRAR Self Extracting archive (94.3)
.scr | Windows screen saver (2.3)
.dll | Win32 Dynamic Link Library (generic) (1.1)
.exe | Win32 Executable (generic) (0.8)
.exe | Win32 Executable Watcom C++ (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:09:16 14:17:44+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5
CodeSize: 81920
InitializedDataSize: 22528
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start totalcommanderv7.50beta1portable.exe totalcmd.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1044"C:\Users\admin\AppData\Local\Temp\RarSFX0\TOTALCMD.EXE" C:\Users\admin\AppData\Local\Temp\RarSFX0\TOTALCMD.EXETotalCommanderv7.50Beta1Portable.exe
User:
admin
Company:
C. Ghisler & Co.
Integrity Level:
MEDIUM
Description:
Total Commander 32 bit international version, file manager replacement for Windows
Version:
7.50
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\totalcmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2528"C:\Users\admin\Desktop\TotalCommanderv7.50Beta1Portable.exe" C:\Users\admin\Desktop\TotalCommanderv7.50Beta1Portable.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\totalcommanderv7.50beta1portable.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5780C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 565
Read events
4 565
Write events
0
Delete events
0

Modification events

No data
Executable files
16
Suspicious files
6
Text files
49
Unknown types
0

Dropped files

PID
Process
Filename
Type
2528TotalCommanderv7.50Beta1Portable.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\TOTALCMD.EXEbinary
MD5:6D4D57C30DA536616CF4EFCC21FC8985
SHA256:EBEEF882DD03B7605EDC72EDF03DBCBB77B35AFC9E882AD592ECC6084DB7335D
2528TotalCommanderv7.50Beta1Portable.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\WCUNINST.WULtext
MD5:551A9FB9B1EB85562B7BBB63D250DAA2
SHA256:F442DA9DAA63BACFC8911B226941D0408E0BA0A891115C4F44BE3D70AD98CD48
2528TotalCommanderv7.50Beta1Portable.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\TOTALCMD.HLPbinary
MD5:3A0F8069720DA59CE1C4E7403C2E337D
SHA256:64274AF42BB1088DD4682FFEC3CEE203039E7062F816C795BC3473BB27B075A2
2528TotalCommanderv7.50Beta1Portable.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\LANGUAGE\WCMD_DAN.LNGtext
MD5:EFD443D7CE416F9E8A8471B6517DCE9D
SHA256:76D16DCF1610D997C6EC24C43C537C273985EDBCD04C2397F8A31197AF7234BE
2528TotalCommanderv7.50Beta1Portable.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\wincmd.keybinary
MD5:F39259F69A22C5F052478E975DEA6211
SHA256:F9076BD9404A783224502E7C4A37FB80E1FB05FE3A268E16BC077ED4158A0539
2528TotalCommanderv7.50Beta1Portable.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\WCMZIP32.DLLexecutable
MD5:78AB27B9290E9CD1BC2D403F9981AA5B
SHA256:F72460EA1F8ACD8667690768AFA2171C95D1A92C6D897ECE78EBD148346A9FD2
2528TotalCommanderv7.50Beta1Portable.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\LANGUAGE\WCMD_DEU.LNGtext
MD5:B9410FDD13CCCE4F93924FD712BE613D
SHA256:F4DCE4A23367FD92BD179DA2F572FC7AFD1C739F503C0CF1E04B2DF9CB72EEAE
2528TotalCommanderv7.50Beta1Portable.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\LANGUAGE\WCMD_CZ.MNUtext
MD5:01AC6A19849748A4BDCE04B5D2A8FCFA
SHA256:BFDDFD03CD8DF0B15D3CA1BC11C8632995C2D2450EACBCB976C8844E7FA85690
2528TotalCommanderv7.50Beta1Portable.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\LANGUAGE\WCMD_DEU.INCtext
MD5:AA278AEA500F6F407D3BAA8379EDDDB1
SHA256:EF9E9F3632C3D3C79119429CE5209D95DE009C3838A9A30FE81BA16820E8ED2D
2528TotalCommanderv7.50Beta1Portable.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\LANGUAGE\WCMD_DAN.MNUtext
MD5:ECFB324642C45B0A8DA660D35EDAF9C1
SHA256:C6E664FC9A2DA8C48C53C798087B2380C01BF2809FFE12E7600E104FF826ECC2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
43
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2140
RUXIMICS.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2140
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.31.67:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
20.190.159.64:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
POST
200
40.126.31.67:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
POST
200
20.190.159.2:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2140
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5944
MoUsoCoreWorker.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2140
RUXIMICS.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
1268
svchost.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
5944
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.128
  • 20.190.159.2
  • 40.126.31.130
  • 20.190.159.73
  • 40.126.31.2
  • 40.126.31.71
  • 20.190.159.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TotalCommanderv7.50Beta1Portable.exe