File name: FileAlyzerPortable_2.0.5.57_English.paf.exe

Full analysis: https://app.any.run/tasks/6a179bd8-65b6-4443-9538-f34a04d6afbf
Verdict: Malicious activity
Analysis date: December 26, 2024, 17:30:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: pecompact, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: DFFEED138C9201D681E9A4F571FB25A3
SHA1: 38204046BA3F7D3C5C2306A29D202FB35CF28FAE
SHA256: A300FEC2AE5EED7452CAE3AC88E4F7274BD0D2378EC71E58C3F4465C2F27F5F5
SSDEEP: 98304:KzaX2MvZJ8SCfM6gEVZot7TZtICVfoG579BC5mla8kJITzCB6d7PyehjGUvdpSzD:5FrfPvA9AZO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • FileAlyzer2.exe (PID: 6748)
      • FileAlyzerPortable.exe (PID: 6708)
  • SUSPICIOUS
    • The process creates files with names similar to system file names
      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
      • FileAlyzerPortable.exe (PID: 6708)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
      • FileAlyzerPortable.exe (PID: 6708)
    • Executable content was dropped or overwritten
      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
      • FileAlyzerPortable.exe (PID: 6708)
    • Reads security settings of Internet Explorer
      • FileAlyzer2.exe (PID: 6748)
      • FileAlyzerPortable.exe (PID: 6708)
    • Reads Internet Explorer settings
      • FileAlyzer2.exe (PID: 6748)
  • INFO
    • The sample was compiled with English language support
      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
    • Reads the computer name
      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
      • FileAlyzer2.exe (PID: 6748)
      • FileAlyzerPortable.exe (PID: 6708)
    • Checks supported languages
      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
      • FileAlyzer2.exe (PID: 6748)
      • FileAlyzerPortable.exe (PID: 6708)
    • Reads the machine GUID from the registry
      • FileAlyzer2.exe (PID: 6748)
    • Creates files in a temporary directory
      • FileAlyzerPortable.exe (PID: 6708)
      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
    • UPX packer has been detected
      • FileAlyzer2.exe (PID: 6748)
    • PECompact has been detected (YARA)
      • FileAlyzer2.exe (PID: 6748)
    • Checks proxy server information
      • FileAlyzer2.exe (PID: 6748)
    • Sends debugging messages
      • FileAlyzer2.exe (PID: 6748)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:59+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28672
InitializedDataSize: 445952
UninitializedDataSize: 16896
EntryPoint: 0x39e3
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.0.5.57
ProductVersionNumber: 2.0.5.57
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: For additional details, visit PortableApps.com
CompanyName: PortableApps.com
FileDescription: FileAlyzer Portable
FileVersion: 2.0.5.57
InternalName: FileAlyzer Portable
LegalCopyright: PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
LegalTrademarks: PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFileName: FileAlyzerPortable_2.0.5.57_English.paf.exe
PortableAppscomAppID: FileAlyzerPortable
PortableAppscomFormatVersion: 3.0.5
PortableAppscomInstallerVersion: 3.0.5.0
ProductName: FileAlyzer Portable
ProductVersion: 2.0.5.57
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start filealyzerportable_2.0.5.57_english.paf.exe filealyzerportable.exe filealyzer2.exe rundll32.exe no specs

Process information

PID: 3928
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 6456
CMD: "C:\Users\admin\Desktop\FileAlyzerPortable_2.0.5.57_English.paf.exe"
Path: C:\Users\admin\Desktop\FileAlyzerPortable_2.0.5.57_English.paf.exe
Parent process: explorer.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: FileAlyzer Portable
Exit code: 0
Version: 2.0.5.57
Modules
Images
c:\users\admin\desktop\filealyzerportable_2.0.5.57_english.paf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6708
CMD: "C:\Users\admin\Desktop\FileAlyzerPortable\FileAlyzerPortable.exe"
Path: C:\Users\admin\Desktop\FileAlyzerPortable\FileAlyzerPortable.exe
Parent process: FileAlyzerPortable_2.0.5.57_English.paf.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: FileAlyzer Portable (PortableApps.com Launcher)
Version: 2.2.0.0
Modules
Images
c:\users\admin\desktop\filealyzerportable\filealyzerportable.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6748
CMD: "C:\Users\admin\Desktop\FileAlyzerPortable\App\FileAlyzer\FileAlyzer2.exe"
Path: C:\Users\admin\Desktop\FileAlyzerPortable\App\FileAlyzer\FileAlyzer2.exe
Parent process: FileAlyzerPortable.exe
User: admin
Company: Safer-Networking Ltd.
Integrity Level: MEDIUM
Description: File analysis tool
Version: 2.0.5.57
Modules
Images
c:\users\admin\desktop\filealyzerportable\app\filealyzer\filealyzer2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events: 5 443
Read events: 5 354
Write events: 84
Delete events: 5

Modification events

(PID) Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

(PID) Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 040000000E0000000300000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF

(PID) Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation: write
Name: MRUListEx
Value: 010000000000000004000000050000000200000003000000FFFFFFFF

(PID) Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\1
Operation: write
Name: 3
Value: 6E003100000000009A59D58B100046494C45414C7E310000560009000400EFBE9A59D48B9A59D58B2E0000008D5D050000000B000000000000000000000000000000BB640701460069006C00650041006C0079007A006500720050006F0072007400610062006C006500000018000000

(PID) Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\1\3
Operation: delete value
Name: MRUList
Value:

(PID) Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\1
Operation: write
Name: MRUListEx
Value: 03000000020000000100000000000000FFFFFFFF

(PID) Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

(PID) Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\1\3
Operation: write
Name: NodeSlot
Value: 254

(PID) Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\1\3
Operation: write
Name: MRUListEx
Value: FFFFFFFF

(PID) Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\254\Shell
Operation: write
Name: SniffedFolderType
Value: Generic
Executable files: 12
Suspicious files: 2
Text files: 27
Unknown types: 0

Dropped files

PID 6456, FileAlyzerPortable_2.0.5.57_English.paf.exe
  Filename: C:\Users\admin\AppData\Local\Temp\nsx5C8D.tmp\System.dll
  Type: executable
  MD5: BF712F32249029466FA86756F5546950
  SHA256: 7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF

PID 6456, FileAlyzerPortable_2.0.5.57_English.paf.exe
  Filename: C:\Users\admin\Desktop\FileAlyzerPortable\App\AppInfo\appicon_32.png
  Type: image
  MD5: BB929A5D3934CE47C2D14268409CC869
  SHA256: B071105AFC4E6874DA2EBDB52319C0653F2E0C3236D2C5BBE29026E3F396CD8A

PID 6456, FileAlyzerPortable_2.0.5.57_English.paf.exe
  Filename: C:\Users\admin\AppData\Local\Temp\nsx5C8D.tmp\InstallOptions.dll
  Type: executable
  MD5: 89351A0A6A89519C86C5531E20DAB9EA
  SHA256: F530069EF87A1C163C4FD63A3D5B053420CE3D7A98739C70211B4A99F90D6277

PID 6456, FileAlyzerPortable_2.0.5.57_English.paf.exe
  Filename: C:\Users\admin\Desktop\FileAlyzerPortable\App\readme.txt
  Type: text
  MD5: 1FF43513DFFFB37B2C8B8C1041350F3B
  SHA256: 9F55FB681307FEDCB0107AA1B39740DD4424EBA2C74DEBF3B0B6D191179F9384

PID 6456, FileAlyzerPortable_2.0.5.57_English.paf.exe
  Filename: C:\Users\admin\AppData\Local\Temp\nsx5C8D.tmp\modern-wizard.bmp
  Type: image
  MD5: 55204D08CFF24975E88885403F13FD59
  SHA256: 0A9A711B205DC87B6B0FE491253BC1DDB4A46A02F26AB622C209B1311125DD20

PID 6456, FileAlyzerPortable_2.0.5.57_English.paf.exe
  Filename: C:\Users\admin\Desktop\FileAlyzerPortable\help.html
  Type: html
  MD5: 04159EDE152EA1A24944815C3C640741
  SHA256: 9A49B4A9B681795C8D40C0E70BCAAB1B214AE8C513F806A41E175F6684CFFFB5

PID 6456, FileAlyzerPortable_2.0.5.57_English.paf.exe
  Filename: C:\Users\admin\Desktop\FileAlyzerPortable\FileAlyzerPortable.exe
  Type: executable
  MD5: 223D7689BBF3FBF0DC2EAD33AD704689
  SHA256: 86AC33ADBB8C70FECA8ACDEA7B6357230AEE29FC46EAC21DDF950EC4BBDCABB1

PID 6456, FileAlyzerPortable_2.0.5.57_English.paf.exe
  Filename: C:\Users\admin\Desktop\FileAlyzerPortable\App\AppInfo\appicon_16.png
  Type: image
  MD5: 2A485135AFFE89B67D62A93369DA1AE4
  SHA256: 3BE0C3D42C5D6D626B7387F25DAC6BFC10A128984D80D3903FCCC4A6D500168D

PID 6456, FileAlyzerPortable_2.0.5.57_English.paf.exe
  Filename: C:\Users\admin\Desktop\FileAlyzerPortable\App\AppInfo\appicon.ico
  Type: image
  MD5: 2999B0B6500E03A4946826E21CCE4CB5
  SHA256: 362D3398CFD4280F787F17949C4F7B43DD3CD0FFD15A5AD2CF0F786CCD0220D4

PID 6456, FileAlyzerPortable_2.0.5.57_English.paf.exe
  Filename: C:\Users\admin\Desktop\FileAlyzerPortable\App\FileAlyzer\CompatDB.dat
  Type: binary
  MD5: 8351ADCF47A1C253F217907E1A2B4390
  SHA256: 970ED33003FA3D7E03B875B0894AFC5AFE8415A0ECE342E06AB9D576C48C7DE9
HTTP(S) requests: 10
TCP/UDP connections: 34
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
2356 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2356 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4864 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7048 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7048 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6748 | FileAlyzer2.exe | GET | 200 | 142.250.186.78:80 | http://maps.google.com/maps/api/js?sensor=true | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2356 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
2356 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59, 51.124.78.146, 51.104.136.2 | whitelisted
crl.microsoft.com | 2.20.245.137, 2.20.245.138 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
google.com | 172.217.18.14 | whitelisted
www.bing.com | 104.126.37.171, 104.126.37.155, 104.126.37.160, 104.126.37.139, 104.126.37.153, 104.126.37.136, 104.126.37.170, 104.126.37.161, 104.126.37.162 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.133, 40.126.32.136, 40.126.32.138, 40.126.32.76, 20.190.160.20, 20.190.160.14, 40.126.32.68, 40.126.32.140 | whitelisted
go.microsoft.com | 23.218.210.69 | whitelisted
arc.msn.com | 20.103.156.88 | whitelisted
fd.api.iris.microsoft.com | 20.74.47.205 | whitelisted

Threats

No threats detected
Process | Message
FileAlyzer2.exe | Request to cache 000000FF at 00000000000000FF
FileAlyzer2.exe | Request to cache 00000000 at 0000000000000000
FileAlyzer2.exe | Request to cache 000000FF at 00000000000000F2
FileAlyzer2.exe | Request to cache 000000FF at 00000000000002F4
FileAlyzer2.exe | Request to cache 000000FF at 00000000000001F8
FileAlyzer2.exe | Request to cache 000000FF at 00000000000002F7
FileAlyzer2.exe | Request to cache 000000FF at 0000000000000000
FileAlyzer2.exe | Request to cache 000000FF at 00000000000000FF
FileAlyzer2.exe | Request to cache 000000FF at 00000000000000FC
FileAlyzer2.exe | Request to cache 000000FF at 00000000000001FB