File name: free-pdf-plus.exe
Full analysis: https://app.any.run/tasks/c2f230af-8455-4da3-a695-3b6695111a7b
Verdict: Malicious activity
Analysis date: February 09, 2024, 19:08:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 0D7FE4DF33A72C1653F40997B05B0D7B
SHA1: 40B404B0F1BA454E2013046BF56CF1EE35FC4302
SHA256: 5A14332CA64F1EF5247F8E2A5DE3DAA1997FEFD5C0FB7CB8BE483A02A9E100D3
SSDEEP: 49152:3m/y6zXrdWyA+yBOw4GYTJg9Jw5Z+bDh7qivAtrJ7vPJwjtf+HcmULASM3X4aI7K:3m/yKbr8gxtg9I+bD80A/NwjVKwXK4a1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • free-pdf-plus.exe (PID: 2472)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • free-pdf-plus.exe (PID: 2472)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • free-pdf-plus.exe (PID: 2472)
    • The process creates files with name similar to system file names
      • free-pdf-plus.exe (PID: 2472)
    • Creates a software uninstall entry
      • free-pdf-plus.exe (PID: 2472)
    • Executable content was dropped or overwritten
      • free-pdf-plus.exe (PID: 2472)
    • Reads the Internet Settings
      • FreePDFPlus.exe (PID: 3716)
  • INFO
    • Checks supported languages
      • FreePDFPlus.exe (PID: 3716)
      • free-pdf-plus.exe (PID: 2472)
    • Reads the computer name
      • FreePDFPlus.exe (PID: 3716)
      • free-pdf-plus.exe (PID: 2472)
    • Create files in a temporary directory
      • free-pdf-plus.exe (PID: 2472)
    • Creates files or folders in the user directory
      • free-pdf-plus.exe (PID: 2472)
      • FreePDFPlus.exe (PID: 3716)
    • Reads the machine GUID from the registry
      • FreePDFPlus.exe (PID: 3716)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Free PDF Plus
FileVersion: 1.0.0.0
LegalCopyright: Copyright © 2023 Free PDF Plus
ProductName: Free PDF Plus
ProductVersion: 1.0.0.0
No data.
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> free-pdf-plus.exe -> freepdfplus.exe

Process information

PID: 2472
CMD: "C:\Users\admin\Desktop\free-pdf-plus.exe"
Path: C:\Users\admin\Desktop\free-pdf-plus.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Free PDF Plus
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\desktop\free-pdf-plus.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll

PID: 3716
CMD: C:\Users\admin\AppData\Roaming\PDFPlus\FreePDFPlus.exe
Path: C:\Users\admin\AppData\Roaming\PDFPlus\FreePDFPlus.exe
Parent process: free-pdf-plus.exe
User: admin
Integrity Level: MEDIUM
Description: FreePDFPlus
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\appdata\roaming\pdfplus\freepdfplus.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 1 670
Read events: 1 662
Write events: 8
Delete events: 0

Modification events

(PID) Process: (2472) free-pdf-plus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreePDFPlus
Operation: write
Name: DisplayVersion
Value: .0

(PID) Process: (2472) free-pdf-plus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreePDFPlus
Operation: write
Name: DisplayName
Value: Free PDF Plus

(PID) Process: (2472) free-pdf-plus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreePDFPlus
Operation: write
Name: Publisher
Value: Free PDF Plus

(PID) Process: (2472) free-pdf-plus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreePDFPlus
Operation: write
Name: UninstallString
Value: "C:\Users\admin\AppData\Roaming\PDFPlus\Uninstall.exe"

(PID) Process: (2472) free-pdf-plus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreePDFPlus
Operation: write
Name: DisplayIcon
Value: "C:\Users\admin\AppData\Roaming\PDFPlus\Uninstall.exe"

(PID) Process: (3716) FreePDFPlus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: FreePDFPlus.exe

(PID) Process: (3716) FreePDFPlus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow
Operation: write
Name: Left
Value: 0

(PID) Process: (3716) FreePDFPlus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow
Operation: write
Name: Top
Value: 0
Executable files: 13
Suspicious files: 3
Text files: 4
Unknown types: 0

Dropped files

PID 2472, free-pdf-plus.exe
  C:\Users\admin\AppData\Local\Temp\nseF30B.tmp\modern-header.bmp (image)
  MD5: 583C38FB0F5AF5FE584D9A9B01D6A3E7
  SHA256: 4C9E804CE1A391F8E603B7B9C732A6529C1E81BE4D12F125C8562EA9D49095C2

PID 2472, free-pdf-plus.exe
  C:\Users\admin\AppData\Local\Temp\nseF30B.tmp\modern-wizard.bmp (image)
  MD5: 9E4CD80A60DB6947642677BF31A10906
  SHA256: A7B2F12E01CBEA88D4F645F797F2CA6107D76AE13CD1BE6DC532B759BFE0D925

PID 2472, free-pdf-plus.exe
  C:\Users\admin\AppData\Local\Temp\nseF30B.tmp\nsDialogs.dll (executable)
  MD5: 6C3F8C94D0727894D706940A8A980543
  SHA256: 56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2

PID 2472, free-pdf-plus.exe
  C:\Users\admin\AppData\Roaming\PDFPlus\Microsoft.Xaml.Behaviors.dll (executable)
  MD5: EC5A1ABEE150ABE698689211B07CD1EC
  SHA256: B864DA9D88414877CEA9B1A016146265A5FB9D0E12F4DBB1DCCC0CC998119A54

PID 2472, free-pdf-plus.exe
  C:\Users\admin\AppData\Roaming\PDFPlus\FreePDFPlus.exe.config (xml)
  MD5: 9DBAD5517B46F41DBB0D8780B20AB87E
  SHA256: 47E5A0F101AF4151D7F13D2D6BFA9B847D5B5E4A98D1F4674B7C015772746CDF

PID 2472, free-pdf-plus.exe
  C:\Users\admin\AppData\Roaming\PDFPlus\JetBrains.Annotations.dll (executable)
  MD5: 06F0688796E0F687B2DE8FEE16A26C2C
  SHA256: 8DA40A52D6BC6D2AA407D2F9D8C99DCC1786A9ED05BBBE7D62A99C75B0000EB6

PID 2472, free-pdf-plus.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free PDF Plus\Free PDF Plus.lnk (binary)
  MD5: 402A802D34947996AF3861BB461E0E92
  SHA256: 4E01CC5F9F0F97BEB9477DA7EC570420DA64773A59ED26E911086FAA1D846D63

PID 2472, free-pdf-plus.exe
  C:\Users\admin\AppData\Roaming\PDFPlus\Uninstall.exe (executable)
  MD5: 5CF52595992B4277F58557A49456CF7C
  SHA256: 4B625D4047DC10EA99D2A4CA802FCF32702222A2E83D57244D06C725905C8FFD

PID 2472, free-pdf-plus.exe
  C:\Users\admin\AppData\Roaming\PDFPlus\Microsoft.Web.WebView2.WinForms.dll (executable)
  MD5: 46128473A0B3ECAA7C8980B1F8DB78DA
  SHA256: 9BAC64579FB676AA77D79CB469FFD4F9F69A64EF0838F52DD1AF87931924F913

PID 2472, free-pdf-plus.exe
  C:\Users\admin\AppData\Roaming\PDFPlus\Microsoft.Xaml.Behaviors.pdb (pdb)
  MD5: DB7FDE2D3EBCE71E5A0FEF7502B377B9
  SHA256: 5DCEC23EC8C56D07E7FE0D9D06B2DAFD943858337F3562DEC8546D827C5A343A
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain / ASN / CN / Reputation
1080 | svchost.exe | 224.0.0.252:5355 | unknown
4 | System | 192.168.100.255:138 | unknown
4 | System | 192.168.100.255:137 | unknown

DNS requests

No data

Threats

No threats detected
Debug output

Process: FreePDFPlus.exe
Message: WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

Process: FreePDFPlus.exe
Message: WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.