File name: free-pdf-plus.exe

Full analysis: https://app.any.run/tasks/c2f230af-8455-4da3-a695-3b6695111a7b
Verdict: Malicious activity
Analysis date: February 09, 2024, 19:08:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 0D7FE4DF33A72C1653F40997B05B0D7B
SHA1: 40B404B0F1BA454E2013046BF56CF1EE35FC4302
SHA256: 5A14332CA64F1EF5247F8E2A5DE3DAA1997FEFD5C0FB7CB8BE483A02A9E100D3
SSDEEP: 49152:3m/y6zXrdWyA+yBOw4GYTJg9Jw5Z+bDh7qivAtrJ7vPJwjtf+HcmULASM3X4aI7K:3m/yKbr8gxtg9I+bD80A/NwjVKwXK4a1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • free-pdf-plus.exe (PID: 2472)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • free-pdf-plus.exe (PID: 2472)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • free-pdf-plus.exe (PID: 2472)
    • The process creates files with name similar to system file names

      • free-pdf-plus.exe (PID: 2472)
    • Creates a software uninstall entry

      • free-pdf-plus.exe (PID: 2472)
    • Process drops legitimate windows executable

      • free-pdf-plus.exe (PID: 2472)
    • Reads the Internet Settings

      • FreePDFPlus.exe (PID: 3716)
  • INFO

    • Checks supported languages

      • free-pdf-plus.exe (PID: 2472)
      • FreePDFPlus.exe (PID: 3716)
    • Reads the computer name

      • free-pdf-plus.exe (PID: 2472)
      • FreePDFPlus.exe (PID: 3716)
    • Create files in a temporary directory

      • free-pdf-plus.exe (PID: 2472)
    • Creates files or folders in the user directory

      • free-pdf-plus.exe (PID: 2472)
      • FreePDFPlus.exe (PID: 3716)
    • Reads the machine GUID from the registry

      • FreePDFPlus.exe (PID: 3716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Free PDF Plus
FileVersion: 1.0.0.0
LegalCopyright: Copyright © 2023 Free PDF Plus
ProductName: Free PDF Plus
ProductVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> free-pdf-plus.exe -> freepdfplus.exe

Process information

PID: 2472
CMD: "C:\Users\admin\Desktop\free-pdf-plus.exe"
Path: C:\Users\admin\Desktop\free-pdf-plus.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Free PDF Plus
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\desktop\free-pdf-plus.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll

PID: 3716
CMD: C:\Users\admin\AppData\Roaming\PDFPlus\FreePDFPlus.exe
Path: C:\Users\admin\AppData\Roaming\PDFPlus\FreePDFPlus.exe
Parent process: free-pdf-plus.exe
User: admin
Integrity Level: MEDIUM
Description: FreePDFPlus
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\appdata\roaming\pdfplus\freepdfplus.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 1 670
Read events: 1 662
Write events: 8
Delete events: 0

Modification events

(PID) Process: (2472) free-pdf-plus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreePDFPlus
Operation: write
Name: DisplayVersion
Value: .0

(PID) Process: (2472) free-pdf-plus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreePDFPlus
Operation: write
Name: DisplayName
Value: Free PDF Plus

(PID) Process: (2472) free-pdf-plus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreePDFPlus
Operation: write
Name: Publisher
Value: Free PDF Plus

(PID) Process: (2472) free-pdf-plus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreePDFPlus
Operation: write
Name: UninstallString
Value: "C:\Users\admin\AppData\Roaming\PDFPlus\Uninstall.exe"

(PID) Process: (2472) free-pdf-plus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreePDFPlus
Operation: write
Name: DisplayIcon
Value: "C:\Users\admin\AppData\Roaming\PDFPlus\Uninstall.exe"

(PID) Process: (3716) FreePDFPlus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: FreePDFPlus.exe

(PID) Process: (3716) FreePDFPlus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow
Operation: write
Name: Left
Value: 0

(PID) Process: (3716) FreePDFPlus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow
Operation: write
Name: Top
Value: 0
Executable files: 13
Suspicious files: 3
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2472 | free-pdf-plus.exe | C:\Users\admin\AppData\Local\Temp\nseF30B.tmp\nsDialogs.dll | executable
  MD5: 6C3F8C94D0727894D706940A8A980543
  SHA256: 56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
2472 | free-pdf-plus.exe | C:\Users\admin\AppData\Roaming\PDFPlus\Microsoft.Web.WebView2.WinForms.dll | executable
  MD5: 46128473A0B3ECAA7C8980B1F8DB78DA
  SHA256: 9BAC64579FB676AA77D79CB469FFD4F9F69A64EF0838F52DD1AF87931924F913
2472 | free-pdf-plus.exe | C:\Users\admin\AppData\Roaming\PDFPlus\FreePDFPlus.exe.config | xml
  MD5: 9DBAD5517B46F41DBB0D8780B20AB87E
  SHA256: 47E5A0F101AF4151D7F13D2D6BFA9B847D5B5E4A98D1F4674B7C015772746CDF
2472 | free-pdf-plus.exe | C:\Users\admin\AppData\Roaming\PDFPlus\JetBrains.Annotations.dll | executable
  MD5: 06F0688796E0F687B2DE8FEE16A26C2C
  SHA256: 8DA40A52D6BC6D2AA407D2F9D8C99DCC1786A9ED05BBBE7D62A99C75B0000EB6
2472 | free-pdf-plus.exe | C:\Users\admin\AppData\Local\Temp\nseF30B.tmp\modern-wizard.bmp | image
  MD5: 9E4CD80A60DB6947642677BF31A10906
  SHA256: A7B2F12E01CBEA88D4F645F797F2CA6107D76AE13CD1BE6DC532B759BFE0D925
2472 | free-pdf-plus.exe | C:\Users\admin\AppData\Roaming\PDFPlus\Microsoft.Web.WebView2.Core.dll | executable
  MD5: 28C6A96591A4890D33DEAA7DBABEBF10
  SHA256: 6E7B8869B538417CC361C97A37F7CEEC92DDC8AD84E0585BCF7021DABBF6F985
2472 | free-pdf-plus.exe | C:\Users\admin\AppData\Local\Temp\nseF30B.tmp\System.dll | executable
  MD5: CFF85C549D536F651D4FB8387F1976F2
  SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
2472 | free-pdf-plus.exe | C:\Users\admin\AppData\Roaming\PDFPlus\FreePDFPlus.pdb | binary
  MD5: 9CBE584EB8334A45EF0AD75C62140116
  SHA256: 9C17D8543DFE5093F58A5CC48217A74EC64E0FC71E2507D14EAF908E70D00A9A
2472 | free-pdf-plus.exe | C:\Users\admin\AppData\Roaming\PDFPlus\Microsoft.Web.WebView2.Wpf.dll | executable
  MD5: 39069FA58D5BA0B2B4C6F55864DADCB6
  SHA256: D41B57A535EB6B4D78264DCEDAE2C635B1640B43EC05B82091A7DE9937C340D1
2472 | free-pdf-plus.exe | C:\Users\admin\AppData\Local\Temp\nseF30B.tmp\modern-header.bmp | image
  MD5: 583C38FB0F5AF5FE584D9A9B01D6A3E7
  SHA256: 4C9E804CE1A391F8E603B7B9C732A6529C1E81BE4D12F125C8562EA9D49095C2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
Process | Message
FreePDFPlus.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
FreePDFPlus.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.