File name: FreeCommanderPortable_2024_Build_901.paf.exe

Full analysis: https://app.any.run/tasks/af61673c-8189-449a-b6af-9a563b35606f
Verdict: Malicious activity
Analysis date: March 14, 2024, 08:05:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 47E6E227F3E34D451CEE7A0969E95B6B
SHA1: C2A69F247B9DF8628CB3DF680EC28E7AA8CD8E4E
SHA256: 7CC0B34BD1178FCB80802F75FB1DB021E28215B5B9AB6AA76C9773DAB21E0648
SSDEEP: 98304:CaXpLeXJ6znPs+BfrOGBFuUfHVQSkq1wNnNDFoYjhPyqse65WBdYYcx2N5lK9lr9:Rhr3uNyh8/2naap/CDxthnxAZO0BT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
    • The process creates files with name similar to system file names

      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
    • Creates a file in the system drive root

      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
    • Executable content was dropped or overwritten

      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
    • Reads the Internet Settings

      • FreeCommander.exe (PID: 2848)
      • sdiagnhost.exe (PID: 2888)
    • Reads security settings of Internet Explorer

      • FreeCommander.exe (PID: 2848)
    • Reads settings of System Certificates

      • msdt.exe (PID: 1340)
    • Probably uses Microsoft diagnostics tool to execute malicious payload

      • rundll32.exe (PID: 1308)
    • Process drops legitimate windows executable

      • msdt.exe (PID: 1340)
    • Uses pipe srvsvc via SMB (transferring data)

      • FreeCommander.exe (PID: 2848)
    • Non-standard symbols in registry

      • WINWORD.EXE (PID: 1124)
      • WINWORD.EXE (PID: 984)
    • Uses RUNDLL32.EXE to load library

      • FreeCommander.exe (PID: 2848)
  • INFO

    • Reads the computer name

      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
      • FreeCommander.exe (PID: 2848)
    • Checks supported languages

      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
      • FreeCommander.exe (PID: 2848)
    • Creates files in a temporary directory

      • FreeCommanderPortable_2024_Build_901.paf.exe (PID: 3700)
      • FreeCommanderPortable.exe (PID: 3784)
      • msdt.exe (PID: 1340)
    • Reads the machine GUID from the registry

      • FreeCommanderPortable.exe (PID: 3784)
      • FreeCommander.exe (PID: 2848)
    • Checks transactions between databases Windows and Oracle

      • FreeCommander.exe (PID: 2848)
    • Drops the executable file immediately after the start

      • msdt.exe (PID: 1340)
    • Reads the software policy settings

      • msdt.exe (PID: 1340)
    • Reads security settings of Internet Explorer

      • msdt.exe (PID: 1340)
      • sdiagnhost.exe (PID: 2888)
    • Creates files or folders in the user directory

      • msdt.exe (PID: 1340)
    • Reads Microsoft Office registry keys

      • FreeCommander.exe (PID: 2848)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:10:30+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 412160
UninitializedDataSize: 16384
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2024.0.901.0
ProductVersionNumber: 2024.0.901.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: For additional details, visit PortableApps.com
CompanyName: PortableApps.com
FileDescription: FreeCommander XE Portable
FileVersion: 2024.0.901.0
InternalName: FreeCommander XE Portable
LegalCopyright: 2007-2023 PortableApps.com, PortableApps.com Installer 3.8.3.0
LegalTrademarks: PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFileName: FreeCommanderPortable_2024_Build_901.paf.exe
PortableAppscomAppID: FreeCommanderPortable
PortableAppscomFormatVersion: 3.8
PortableAppscomInstallerVersion: 3.8.3.0
ProductName: FreeCommander XE Portable
ProductVersion: 2024.0.901.0
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes in the graph, from start: freecommanderportable_2024_build_901.paf.exe, freecommanderportable.exe, freecommander.exe (no specs), Shell Security Editor (no specs), rundll32.exe (no specs), msdt.exe (no specs), sdiagnhost.exe (no specs), winword.exe (no specs), winword.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 984
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\nightfish.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: FreeCommander.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID: 1124
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\saylinks.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: FreeCommander.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID: 1308
CMD: "C:\Windows\system32\rundll32.exe" ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile NetworkDiagnosticsSharing C:\Users\admin\AppData\Local\Temp\FreeCommanderPortableTemp\NDFA82D.tmp
Path: C:\Windows\System32\rundll32.exe
Parent process: FreeCommander.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 1340
CMD: -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\FreeCommanderPortableTemp\NDFA82D.tmp -ep NetworkDiagnosticsSharing
Path: C:\Windows\System32\msdt.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Exit code: 4294967295
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2848
CMD: "C:\Users\admin\Documents\FreeCommanderPortable\App\FreeCommanderXE\FreeCommander.exe" -ini="C:\Users\admin\Documents\FreeCommanderPortable\Data\settings\FreeCommander.ini"
Path: C:\Users\admin\Documents\FreeCommanderPortable\App\FreeCommanderXE\FreeCommander.exe
Parent process: FreeCommanderPortable.exe
User: admin
Company: Marek Jasinski
Integrity Level: MEDIUM
Description: FreeCommander - freeware file manager for Windows
Exit code: 0
Version: 2024.0.0.901
Modules (images):
c:\users\admin\documents\freecommanderportable\app\freecommanderxe\freecommander.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2888
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 3068
CMD: C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3700
CMD: "C:\Users\admin\AppData\Local\Temp\FreeCommanderPortable_2024_Build_901.paf.exe"
Path: C:\Users\admin\AppData\Local\Temp\FreeCommanderPortable_2024_Build_901.paf.exe
Parent process: explorer.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: FreeCommander XE Portable
Exit code: 0
Version: 2024.0.901.0
Modules (images):
c:\users\admin\appdata\local\temp\freecommanderportable_2024_build_901.paf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 3784
CMD: "C:\Users\admin\Documents\FreeCommanderPortable\FreeCommanderPortable.exe"
Path: C:\Users\admin\Documents\FreeCommanderPortable\FreeCommanderPortable.exe
Parent process: FreeCommanderPortable_2024_Build_901.paf.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: FreeCommander XE Portable (PortableApps.com Launcher)
Exit code: 0
Version: 2.2.2.1
Modules (images):
c:\users\admin\documents\freecommanderportable\freecommanderportable.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events: 34 015
Read events: 33 023
Write events: 364
Delete events: 628

Modification events

Process: (3700) FreeCommanderPortable_2024_Build_901.paf.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3700) FreeCommanderPortable_2024_Build_901.paf.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-2
Value: Access the computers and devices that are on your network.

Process: (3700) FreeCommanderPortable_2024_Build_901.paf.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Width
Value: 318

Process: (3700) FreeCommanderPortable_2024_Build_901.paf.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Height
Value: 288

Process: (3700) FreeCommanderPortable_2024_Build_901.paf.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @%CommonProgramFiles%\system\wab32res.dll,-10200
Value: Contains Contact files.

Process: (2848) FreeCommander.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2848) FreeCommander.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {863AA9FD-42DF-457B-8E4D-0DE1B8015C60} {000214E6-0000-0000-C000-000000000046} 0xFFFF
Value: 01000000000000009862CEB7E675DA01

Process: (2848) FreeCommander.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (2848) FreeCommander.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (2848) FreeCommander.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files: 19
Suspicious files: 16
Text files: 124
Unknown types: 7

Dropped files

PID: 3700 | Process: FreeCommanderPortable_2024_Build_901.paf.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\nsc6F2.tmp\modern-wizard.bmp
MD5: 4DF53EFCAA2C52F39618B2AAD77BB552
SHA256: EE13539F3D66CC0592942EA1A4C35D8FD9AF67B1A7F272D0D791931E6E9CE4EB

PID: 3700 | Process: FreeCommanderPortable_2024_Build_901.paf.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\nsc6F2.tmp\System.dll
MD5: 4ADD245D4BA34B04F213409BFE504C07
SHA256: 9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706

PID: 3700 | Process: FreeCommanderPortable_2024_Build_901.paf.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\nsc6F2.tmp\LangDLL.dll
MD5: 50016010FB0D8DB2BC4CD258CEB43BE5
SHA256: 32230128C18574C1E860DFE4B17FE0334F685740E27BC182E0D525A8948C9C2E

PID: 3700 | Process: FreeCommanderPortable_2024_Build_901.paf.exe | Type: image
Filename: C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\appicon_128.png
MD5: 6A58D369D1B5AD0587011DDF875C71B6
SHA256: A0A0F21DADEF62AEAB28A1577C59D566DA553EB7DEDD3A931D3AFDEF7E48757E

PID: 3700 | Process: FreeCommanderPortable_2024_Build_901.paf.exe | Type: image
Filename: C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\appicon_256.png
MD5: 94FB835E0EE427134921B45BA596F75C
SHA256: E78BB9F9EFF37F0704DC0E23D3AF6AA3926BB9AC7D3DA1266928FA064BDFDA4F

PID: 3700 | Process: FreeCommanderPortable_2024_Build_901.paf.exe | Type: image
Filename: C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\appicon_16.png
MD5: 3C738BFDBF8BFAA71F9A2F8FB58F320C
SHA256: 57F804B3CF9AA66F388E5DC2BB460EA9C2A5B0F639C15A61FF9299F5B146F88A

PID: 3700 | Process: FreeCommanderPortable_2024_Build_901.paf.exe | Type: ini
Filename: C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\appinfo.ini
MD5: B3B5DF8119CFE1BFD0B6A86F689AFA7E
SHA256: 956BEF98021347A80E4B4806BD57222B9C704499BE098E3F6285C747D0D98F90

PID: 3700 | Process: FreeCommanderPortable_2024_Build_901.paf.exe | Type: image
Filename: C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\appicon.ico
MD5: E96E46BCEC428CA9CAFB7E6D64FCDB72
SHA256: 86E96B546DD5386DA3CE7E609F520C296859221799D8001A725404914A57E2BD

PID: 3700 | Process: FreeCommanderPortable_2024_Build_901.paf.exe | Type: image
Filename: C:\Users\admin\Documents\FreeCommanderPortable\App\AppInfo\appicon_32.png
MD5: 41CB1F6D29394A5F045585C1B4CB330C
SHA256: 24C4BBB1EC34D4671EE29A17A693405A192E64239CD87A0CA6C55C7EC0A8F571

PID: 3700 | Process: FreeCommanderPortable_2024_Build_901.paf.exe | Type: xml
Filename: C:\Users\admin\Documents\FreeCommanderPortable\App\DefaultData\settings\FreeCommander.fav.xml
MD5: 3007FAB6A1EE29614ECB2853BB05E35A
SHA256: 42DDF41A074BFB6B45DE365C34E4CFAF5D1DF12C41F291AC816B111011DA903A
HTTP(S) requests: 0
TCP/UDP connections: 10
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | unknown
828 | svchost.exe | 239.255.255.250:3702 | | | | unknown
2444 | svchost.exe | 239.255.255.250:1900 | | | | unknown
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

Domain | IP | Reputation
DESKTOP-JGLLJLD | | unknown

Threats

No threats detected
No debug info