File name:

FileAlyzerPortable_2.0.5.57_English.paf.exe

Full analysis: https://app.any.run/tasks/6a179bd8-65b6-4443-9538-f34a04d6afbf
Verdict: Malicious activity
Analysis date: December 26, 2024, 17:30:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pecompact
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

DFFEED138C9201D681E9A4F571FB25A3

SHA1:

38204046BA3F7D3C5C2306A29D202FB35CF28FAE

SHA256:

A300FEC2AE5EED7452CAE3AC88E4F7274BD0D2378EC71E58C3F4465C2F27F5F5

SSDEEP:

98304:KzaX2MvZJ8SCfM6gEVZot7TZtICVfoG579BC5mla8kJITzCB6d7PyehjGUvdpSzD:5FrfPvA9AZO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • FileAlyzerPortable.exe (PID: 6708)
      • FileAlyzer2.exe (PID: 6748)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • FileAlyzerPortable.exe (PID: 6708)
      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
    • The process creates files with name similar to system file names

      • FileAlyzerPortable.exe (PID: 6708)
      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
    • Executable content was dropped or overwritten

      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
      • FileAlyzerPortable.exe (PID: 6708)
    • Reads security settings of Internet Explorer

      • FileAlyzerPortable.exe (PID: 6708)
      • FileAlyzer2.exe (PID: 6748)
    • Reads Internet Explorer settings

      • FileAlyzer2.exe (PID: 6748)
  • INFO

    • The sample compiled with English language support

      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
    • Checks supported languages

      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
      • FileAlyzerPortable.exe (PID: 6708)
      • FileAlyzer2.exe (PID: 6748)
    • Create files in a temporary directory

      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
      • FileAlyzerPortable.exe (PID: 6708)
    • Reads the computer name

      • FileAlyzerPortable_2.0.5.57_English.paf.exe (PID: 6456)
      • FileAlyzerPortable.exe (PID: 6708)
      • FileAlyzer2.exe (PID: 6748)
    • Reads the machine GUID from the registry

      • FileAlyzer2.exe (PID: 6748)
    • UPX packer has been detected

      • FileAlyzer2.exe (PID: 6748)
    • PECompact has been detected (YARA)

      • FileAlyzer2.exe (PID: 6748)
    • Checks proxy server information

      • FileAlyzer2.exe (PID: 6748)
    • Sends debugging messages

      • FileAlyzer2.exe (PID: 6748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:59+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28672
InitializedDataSize: 445952
UninitializedDataSize: 16896
EntryPoint: 0x39e3
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.0.5.57
ProductVersionNumber: 2.0.5.57
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: For additional details, visit PortableApps.com
CompanyName: PortableApps.com
FileDescription: FileAlyzer Portable
FileVersion: 2.0.5.57
InternalName: FileAlyzer Portable
LegalCopyright: PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
LegalTrademarks: PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFileName: FileAlyzerPortable_2.0.5.57_English.paf.exe
PortableAppscomAppID: FileAlyzerPortable
PortableAppscomFormatVersion: 3.0.5
PortableAppscomInstallerVersion: 3.0.5.0
ProductName: FileAlyzer Portable
ProductVersion: 2.0.5.57
No data.
All screenshots are available in the full report
Total processes
126
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 3928
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 6456
CMD: "C:\Users\admin\Desktop\FileAlyzerPortable_2.0.5.57_English.paf.exe"
Path: C:\Users\admin\Desktop\FileAlyzerPortable_2.0.5.57_English.paf.exe
Parent process: explorer.exe
User:
admin
Company:
PortableApps.com
Integrity Level:
MEDIUM
Description:
FileAlyzer Portable
Exit code:
0
Version:
2.0.5.57
Modules
Images
c:\users\admin\desktop\filealyzerportable_2.0.5.57_english.paf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6708
CMD: "C:\Users\admin\Desktop\FileAlyzerPortable\FileAlyzerPortable.exe"
Path: C:\Users\admin\Desktop\FileAlyzerPortable\FileAlyzerPortable.exe
Parent process: FileAlyzerPortable_2.0.5.57_English.paf.exe
User:
admin
Company:
PortableApps.com
Integrity Level:
MEDIUM
Description:
FileAlyzer Portable (PortableApps.com Launcher)
Version:
2.2.0.0
Modules
Images
c:\users\admin\desktop\filealyzerportable\filealyzerportable.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6748
CMD: "C:\Users\admin\Desktop\FileAlyzerPortable\App\FileAlyzer\FileAlyzer2.exe"
Path: C:\Users\admin\Desktop\FileAlyzerPortable\App\FileAlyzer\FileAlyzer2.exe
Parent process: FileAlyzerPortable.exe
User:
admin
Company:
Safer-Networking Ltd.
Integrity Level:
MEDIUM
Description:
File analysis tool
Version:
2.0.5.57
Modules
Images
c:\users\admin\desktop\filealyzerportable\app\filealyzer\filealyzer2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
5 443
Read events
5 354
Write events
84
Delete events
5

Modification events

Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
040000000E0000000300000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation: write
Name: MRUListEx
Value:
010000000000000004000000050000000200000003000000FFFFFFFF
Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\1
Operation: write
Name: 3
Value:
6E003100000000009A59D58B100046494C45414C7E310000560009000400EFBE9A59D48B9A59D58B2E0000008D5D050000000B000000000000000000000000000000BB640701460069006C00650041006C0079007A006500720050006F0072007400610062006C006500000018000000
Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\1\3
Operation: delete value
Name: MRUList
Value:
Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\1
Operation: write
Name: MRUListEx
Value:
03000000020000000100000000000000FFFFFFFF
Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\1\3
Operation: write
Name: NodeSlot
Value:
254
Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\1\3
Operation: write
Name: MRUListEx
Value:
FFFFFFFF
Process: (6748) FileAlyzer2.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\254\Shell
Operation: write
Name: SniffedFolderType
Value:
Generic
Executable files
12
Suspicious files
2
Text files
27
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6456
Process: FileAlyzerPortable_2.0.5.57_English.paf.exe
Filename: C:\Users\admin\Desktop\FileAlyzerPortable\FileAlyzerPortable.exe
Type: executable
MD5: 223D7689BBF3FBF0DC2EAD33AD704689
SHA256: 86AC33ADBB8C70FECA8ACDEA7B6357230AEE29FC46EAC21DDF950EC4BBDCABB1

PID: 6456
Process: FileAlyzerPortable_2.0.5.57_English.paf.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsx5C8D.tmp\w7tbp.dll
Type: executable
MD5: 9A3031CC4CEF0DBA236A28EECDF0AFB5
SHA256: 53BB519E3293164947AC7CBD7E612F637D77A7B863E3534BA1A7E39B350D3C00

PID: 6456
Process: FileAlyzerPortable_2.0.5.57_English.paf.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsx5C8D.tmp\modern-header.bmp
Type: image
MD5: 8A11A211CC4FBD815C45DEF43A244B12
SHA256: AA744B4B762249BFB8AC781DCE99FA25713DA92126D7AB9732C1081E53BDE6A9

PID: 6456
Process: FileAlyzerPortable_2.0.5.57_English.paf.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsx5C8D.tmp\ioSpecial.ini
Type: text
MD5: 6F98FCDA445825382121E480A64AE24C
SHA256: 689A67B30946CBE12DCE92D17207EC0488E850A806BE608E6FB174F853F86B57

PID: 6456
Process: FileAlyzerPortable_2.0.5.57_English.paf.exe
Filename: C:\Users\admin\Desktop\FileAlyzerPortable\App\FileAlyzer\DelZip190.dll
Type: executable
MD5: 2275D8E9845BF04A8D1422EC7698E73A
SHA256: ECD7A84FF031ED0AE7FE414753FF06EC8F969794DDCD4155EFB8EDE4F7EE97CF

PID: 6456
Process: FileAlyzerPortable_2.0.5.57_English.paf.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsx5C8D.tmp\modern-wizard.bmp
Type: image
MD5: 55204D08CFF24975E88885403F13FD59
SHA256: 0A9A711B205DC87B6B0FE491253BC1DDB4A46A02F26AB622C209B1311125DD20

PID: 6456
Process: FileAlyzerPortable_2.0.5.57_English.paf.exe
Filename: C:\Users\admin\Desktop\FileAlyzerPortable\App\readme.txt
Type: text
MD5: 1FF43513DFFFB37B2C8B8C1041350F3B
SHA256: 9F55FB681307FEDCB0107AA1B39740DD4424EBA2C74DEBF3B0B6D191179F9384

PID: 6456
Process: FileAlyzerPortable_2.0.5.57_English.paf.exe
Filename: C:\Users\admin\Desktop\FileAlyzerPortable\help.html
Type: html
MD5: 04159EDE152EA1A24944815C3C640741
SHA256: 9A49B4A9B681795C8D40C0E70BCAAB1B214AE8C513F806A41E175F6684CFFFB5

PID: 6456
Process: FileAlyzerPortable_2.0.5.57_English.paf.exe
Filename: C:\Users\admin\Desktop\FileAlyzerPortable\App\AppInfo\appicon.ico
Type: image
MD5: 2999B0B6500E03A4946826E21CCE4CB5
SHA256: 362D3398CFD4280F787F17949C4F7B43DD3CD0FFD15A5AD2CF0F786CCD0220D4

PID: 6456
Process: FileAlyzerPortable_2.0.5.57_English.paf.exe
Filename: C:\Users\admin\Desktop\FileAlyzerPortable\App\AppInfo\appicon_16.png
Type: image
MD5: 2A485135AFFE89B67D62A93369DA1AE4
SHA256: 3BE0C3D42C5D6D626B7387F25DAC6BFC10A128984D80D3903FCCC4A6D500168D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
34
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2356
svchost.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2356
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4864
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7048
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6748
FileAlyzer2.exe
GET
200
142.250.186.78:80
http://maps.google.com/maps/api/js?sensor=true
unknown
whitelisted
7048
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2356
svchost.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
2356
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
104.126.37.171:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.138
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 172.217.18.14
whitelisted
www.bing.com
  • 104.126.37.171
  • 104.126.37.155
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.153
  • 104.126.37.136
  • 104.126.37.170
  • 104.126.37.161
  • 104.126.37.162
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.136
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.20
  • 20.190.160.14
  • 40.126.32.68
  • 40.126.32.140
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

No threats detected
Process
Message
FileAlyzer2.exe
Request to cache 000000FF at 00000000000000FF
FileAlyzer2.exe
Request to cache 00000000 at 0000000000000000
FileAlyzer2.exe
Request to cache 000000FF at 00000000000000F2
FileAlyzer2.exe
Request to cache 000000FF at 00000000000002F4
FileAlyzer2.exe
Request to cache 000000FF at 00000000000001F8
FileAlyzer2.exe
Request to cache 000000FF at 00000000000002F7
FileAlyzer2.exe
Request to cache 000000FF at 0000000000000000
FileAlyzer2.exe
Request to cache 000000FF at 00000000000000FF
FileAlyzer2.exe
Request to cache 000000FF at 00000000000000FC
FileAlyzer2.exe
Request to cache 000000FF at 00000000000001FB