File name: FreeCommanderPortable_2024_Build_901.paf.exe
Full analysis: https://app.any.run/tasks/af61673c-8189-449a-b6af-9a563b35606f
Verdict: Malicious activity
Analysis date: March 14, 2024, 08:05:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 47E6E227F3E34D451CEE7A0969E95B6B
SHA1: C2A69F247B9DF8628CB3DF680EC28E7AA8CD8E4E
SHA256: 7CC0B34BD1178FCB80802F75FB1DB021E28215B5B9AB6AA76C9773DAB21E0648
SSDEEP: 98304:CaXpLeXJ6znPs+BfrOGBFuUfHVQSkq1wNnNDFoYjhPyqse65WBdYYcx2N5lK9lr9:Rhr3uNyh8/2naap/CDxthnxAZO0BT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
  • SUSPICIOUS
    • Malware-specific behavior (creating "System.dll" in Temp)
      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
    • The process creates files with names similar to system file names
      • FreeCommanderPortable.exe (PID: 3784)
      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
    • Executable content was dropped or overwritten
      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
    • Creates a file in the system drive root
      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
    • Reads security settings of Internet Explorer
      • FreeCommander.exe (PID: 2848)
    • Uses pipe srvsvc via SMB (transferring data)
      • FreeCommander.exe (PID: 2848)
    • Reads the Internet Settings
      • FreeCommander.exe (PID: 2848)
      • sdiagnhost.exe (PID: 2888)
    • Uses RUNDLL32.EXE to load a library
      • FreeCommander.exe (PID: 2848)
    • Probably uses the Microsoft diagnostics tool to execute a malicious payload
      • rundll32.exe (PID: 1308)
    • Reads settings of System Certificates
      • msdt.exe (PID: 1340)
    • Process drops a legitimate Windows executable
      • msdt.exe (PID: 1340)
    • Non-standard symbols in registry
      • WINWORD.EXE (PID: 984)
      • WINWORD.EXE (PID: 1124)
  • INFO
    • Creates files in a temporary directory
      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
      • msdt.exe (PID: 1340)
    • Checks supported languages
      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
      • FreeCommander.exe (PID: 2848)
    • Reads the computer name
      • FreeCommanderPortable.exe (PID: 3784)
      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommander.exe (PID: 2848)
    • Reads the machine GUID from the registry
      • FreeCommanderPortable.exe (PID: 3784)
      • FreeCommander.exe (PID: 2848)
    • Checks transactions between Windows and Oracle databases
      • FreeCommander.exe (PID: 2848)
    • Reads security settings of Internet Explorer
      • sdiagnhost.exe (PID: 2888)
      • msdt.exe (PID: 1340)
    • Drops the executable file immediately after the start
      • msdt.exe (PID: 1340)
    • Reads the software policy settings
      • msdt.exe (PID: 1340)
    • Creates files or folders in the user directory
      • msdt.exe (PID: 1340)
    • Reads Microsoft Office registry keys
      • FreeCommander.exe (PID: 2848)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:10:30+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 412160
UninitializedDataSize: 16384
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2024.0.901.0
ProductVersionNumber: 2024.0.901.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: For additional details, visit PortableApps.com
CompanyName: PortableApps.com
FileDescription: FreeCommander XE Portable
FileVersion: 2024.0.901.0
InternalName: FreeCommander XE Portable
LegalCopyright: 2007-2023 PortableApps.com, PortableApps.com Installer 3.8.3.0
LegalTrademarks: PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFileName: FreeCommanderPortable_2024_Build_901.paf.exe
PortableAppscomAppID: FreeCommanderPortable
PortableAppscomFormatVersion: 3.8
PortableAppscomInstallerVersion: 3.8.3.0
ProductName: FreeCommander XE Portable
ProductVersion: 2024.0.901.0
All screenshots are available in the full report
Total processes: 50
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 1

Behavior graph

start
freecommanderportable_2024_build_901.paf.exe
freecommanderportable.exe
freecommander.exe (no specs)
Shell Security Editor (no specs)
rundll32.exe (no specs)
msdt.exe (no specs)
sdiagnhost.exe (no specs)
winword.exe (no specs)
winword.exe (no specs)

Process information

PID: 984
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\nightfish.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: FreeCommander.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll

PID: 1124
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\saylinks.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: FreeCommander.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll

PID: 1308
CMD: "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\admin\AppData\Local\Temp\FreeCommanderPortableTemp\NDFA82D.tmp
Path: C:\Windows\System32\rundll32.exe
Parent process: FreeCommander.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

PID: 1340
CMD: -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\FreeCommanderPortableTemp\NDFA82D.tmp -ep NetworkDiagnosticsSharing
Path: C:\Windows\System32\msdt.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Exit code: 4294967295
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2848
CMD: "C:\Users\admin\Documents\FreeCommanderPortable\App\FreeCommanderXE\FreeCommander.exe" -ini="C:\Users\admin\Documents\FreeCommanderPortable\Data\settings\FreeCommander.ini"
Path: C:\Users\admin\Documents\FreeCommanderPortable\App\FreeCommanderXE\FreeCommander.exe
Parent process: FreeCommanderPortable.exe
User: admin
Company: Marek Jasinski
Integrity Level: MEDIUM
Description: FreeCommander - freeware file manager for Windows
Exit code: 0
Version: 2024.0.0.901
Modules (images):
c:\users\admin\documents\freecommanderportable\app\freecommanderxe\freecommander.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

PID: 2888
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

PID: 3068
CMD: C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3700
CMD: "C:\Users\admin\AppData\Local\Temp\FreeCommanderPortable_2024_Build_901.paf.exe"
Path: C:\Users\admin\AppData\Local\Temp\FreeCommanderPortable_2024_Build_901.paf.exe
Parent process: explorer.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: FreeCommander XE Portable
Exit code: 0
Version: 2024.0.901.0
Modules (images):
c:\users\admin\appdata\local\temp\freecommanderportable_2024_build_901.paf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

PID: 3784
CMD: "C:\Users\admin\Documents\FreeCommanderPortable\FreeCommanderPortable.exe"
Path: C:\Users\admin\Documents\FreeCommanderPortable\FreeCommanderPortable.exe
Parent process: FreeCommanderPortable_2024_Build_901.paf.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: FreeCommander XE Portable (PortableApps.com Launcher)
Exit code: 0
Version: 2.2.2.1
Modules (images):
c:\users\admin\documents\freecommanderportable\freecommanderportable.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

Total events: 34 015
Read events: 33 023
Write events: 364
Delete events: 628

Modification events

Process: (3700) FreeCommanderPortable_2024_Build_901.paf.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3700) FreeCommanderPortable_2024_Build_901.paf.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-2
Value: Access the computers and devices that are on your network.

Process: (3700) FreeCommanderPortable_2024_Build_901.paf.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Width
Value: 318

Process: (3700) FreeCommanderPortable_2024_Build_901.paf.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Height
Value: 288

Process: (3700) FreeCommanderPortable_2024_Build_901.paf.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @%CommonProgramFiles%\system\wab32res.dll,-10200
Value: Contains Contact files.

Process: (2848) FreeCommander.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2848) FreeCommander.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {863AA9FD-42DF-457B-8E4D-0DE1B8015C60} {000214E6-0000-0000-C000-000000000046} 0xFFFF
Value: 01000000000000009862CEB7E675DA01

Process: (2848) FreeCommander.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (2848) FreeCommander.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (2848) FreeCommander.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Executable files: 19
Suspicious files: 16
Text files: 124
Unknown types: 7

Dropped files

PID | Process | Filename | Type

3700 | FreeCommanderPortable_2024_Build_901.paf.exe | C:\Users\admin\AppData\Local\Temp\nsc6F2.tmp\LangDLL.dll | executable
  MD5: 50016010FB0D8DB2BC4CD258CEB43BE5
  SHA256: 32230128C18574C1E860DFE4B17FE0334F685740E27BC182E0D525A8948C9C2E

3700 | FreeCommanderPortable_2024_Build_901.paf.exe | C:\Users\admin\AppData\Local\Temp\nsc6F2.tmp\modern-wizard.bmp | image
  MD5: 4DF53EFCAA2C52F39618B2AAD77BB552
  SHA256: EE13539F3D66CC0592942EA1A4C35D8FD9AF67B1A7F272D0D791931E6E9CE4EB

3700 | FreeCommanderPortable_2024_Build_901.paf.exe | C:\Users\admin\Documents\FreeCommanderPortable\help.html | html
  MD5: 523370B7A25D3B531BF77F19975695DA
  SHA256: DC7093921C77A5C5F8D2113E52149186F5A792A08FCABDCCE6CC3D04E8A44B1A

3700 | FreeCommanderPortable_2024_Build_901.paf.exe | C:\Users\admin\AppData\Local\Temp\nsc6F2.tmp\nsDialogs.dll | executable
  MD5: 1D8F01A83DDD259BC339902C1D33C8F1
  SHA256: 4B7D17DA290F41EBE244827CC295CE7E580DA2F7E9F7CC3EFC1ABC6898E3C9ED

3700 | FreeCommanderPortable_2024_Build_901.paf.exe | C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\appicon_256.png | image
  MD5: 94FB835E0EE427134921B45BA596F75C
  SHA256: E78BB9F9EFF37F0704DC0E23D3AF6AA3926BB9AC7D3DA1266928FA064BDFDA4F

3700 | FreeCommanderPortable_2024_Build_901.paf.exe | C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\appicon_75.png | image
  MD5: 7B28A9C412D4385FE075A19096DB9056
  SHA256: 0BA0EEA67309E9BC9B1F55AFAFA8155BFD3132AD94E0EF93049F2C8972C541DB

3700 | FreeCommanderPortable_2024_Build_901.paf.exe | C:\Users\admin\Documents\FreeCommanderPortable\App\Readme.txt | text
  MD5: 9D3D2C85756FF419CEC6DA38BD89A37B
  SHA256: CF7718E82AFA1AF00882AF5A9B80CB1640FBFADAD56D218A78371B9BCB649170

3700 | FreeCommanderPortable_2024_Build_901.paf.exe | C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\appicon_128.png | image
  MD5: 6A58D369D1B5AD0587011DDF875C71B6
  SHA256: A0A0F21DADEF62AEAB28A1577C59D566DA553EB7DEDD3A931D3AFDEF7E48757E

3700 | FreeCommanderPortable_2024_Build_901.paf.exe | C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\EULA.txt | text
  MD5: 34207E46C29166582BEE4267FC9C2222
  SHA256: 39B5AA06700256BFF87E8F9EE9ECC0E86D925EB3DFB3A2F843EE41A5395E8415

3700 | FreeCommanderPortable_2024_Build_901.paf.exe | C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\appicon.ico | image
  MD5: E96E46BCEC428CA9CAFB7E6D64FCDB72
  SHA256: 86E96B546DD5386DA3CE7E609F520C296859221799D8001A725404914A57E2BD

Download the PCAP, analyze network streams, HTTP content and more in the full report.

HTTP(S) requests: 0
TCP/UDP connections: 10
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Reputation
4 | System | 192.168.100.255:137 | whitelisted
 | | 224.0.0.252:5355 | unknown
4 | System | 192.168.100.255:138 | unknown
828 | svchost.exe | 239.255.255.250:3702 | unknown
2444 | svchost.exe | 239.255.255.250:1900 | unknown
1080 | svchost.exe | 224.0.0.252:5355 | unknown

DNS requests

Domain | Reputation
DESKTOP-JGLLJLD | unknown

Threats

No threats detected
No debug info