Malware analysis pw-free-online.exe Malicious activity

Add for printing

File name:	pw-free-online.exe
Full analysis:	https://app.any.run/tasks/03dff6de-673e-4dfe-a4f6-e739d22b997d
Verdict:	Malicious activity
Analysis date:	December 15, 2023, 10:53:04
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	B00F4EF87125599AE72DEF4555E48175
SHA1:	8B1073B0CEC1D85A6CA39842E43C8A9F49526953
SHA256:	BC917C4424C078290C3CBBB13E5F2F9C2939222D058D70056688718AE33E13A9
SSDEEP:	98304:UkL2991YngbfnLTccGEE7kc7EF2DKlVcu/xI9Gu1:j2991OgDtQIc7E4Wcu/xI911

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - pw-free-online.exe (PID: 1996)
  - pw-free-online.exe (PID: 2424)
  - pw-free-online.tmp (PID: 2108)
  - SmDownloader.exe (PID: 3388)
  - pwfree-32bit-online.exe (PID: 3000)
  - pw_sm_setup_x86.exe (PID: 3736)
  - partitionwizard.exe (PID: 3704)
  - pw_sm_setup_x86.tmp (PID: 3900)
  - pwfree-32bit-online.tmp (PID: 3308)
- Creates a writable file in the system directory
  - partitionwizard.exe (PID: 3704)
SUSPICIOUS
- Uses TASKKILL.EXE to kill process
  - pw-free-online.tmp (PID: 2108)
  - pw_sm_setup_x86.tmp (PID: 3900)
- Reads the Windows owner or organization settings
  - pw-free-online.tmp (PID: 2108)
  - pwfree-32bit-online.tmp (PID: 3308)
  - pw_sm_setup_x86.tmp (PID: 3900)
- Process drops legitimate windows executable
  - pw-free-online.tmp (PID: 2108)
  - pw_sm_setup_x86.tmp (PID: 3900)
  - pwfree-32bit-online.tmp (PID: 3308)
- The process drops C-runtime libraries
  - pw-free-online.tmp (PID: 2108)
  - pw_sm_setup_x86.tmp (PID: 3900)
  - pwfree-32bit-online.tmp (PID: 3308)
- Reads the Internet Settings
  - pw-free-online.tmp (PID: 2108)
  - partitionwizard.exe (PID: 3704)
- Drops 7-zip archiver for unpacking
  - pwfree-32bit-online.tmp (PID: 3308)
  - pw_sm_setup_x86.tmp (PID: 3900)
- Drops a system driver (possible attempt to evade defenses)
  - pw_sm_setup_x86.tmp (PID: 3900)
  - pwfree-32bit-online.tmp (PID: 3308)
  - partitionwizard.exe (PID: 3704)
- Executes as Windows Service
  - vds.exe (PID: 1436)
- Reads the BIOS version
  - partitionwizard.exe (PID: 3704)
- Reads settings of System Certificates
  - partitionwizard.exe (PID: 3704)
- Checks Windows Trust Settings
  - partitionwizard.exe (PID: 3704)
- Reads Microsoft Outlook installation path
  - partitionwizard.exe (PID: 3704)
- Reads Internet Explorer settings
  - partitionwizard.exe (PID: 3704)
- Reads security settings of Internet Explorer
  - partitionwizard.exe (PID: 3704)
INFO
- Checks supported languages
  - pw-free-online.exe (PID: 1996)
  - pw-free-online.tmp (PID: 280)
  - pw-free-online.exe (PID: 2424)
  - pw-free-online.tmp (PID: 2108)
  - SmDownloader.exe (PID: 3388)
  - SmDownloader.exe (PID: 2364)
  - pwfree-32bit-online.exe (PID: 3000)
  - pwfree-32bit-online.tmp (PID: 3308)
  - wmpnscfg.exe (PID: 3936)
  - pw_sm_setup_x86.tmp (PID: 3900)
  - pw_sm_setup_x86.exe (PID: 3736)
  - updatechecker.exe (PID: 2968)
  - partitionwizard.exe (PID: 3704)
- Reads the computer name
  - pw-free-online.tmp (PID: 280)
  - pw-free-online.tmp (PID: 2108)
  - SmDownloader.exe (PID: 2364)
  - wmpnscfg.exe (PID: 3936)
  - pwfree-32bit-online.tmp (PID: 3308)
  - SmDownloader.exe (PID: 3388)
  - updatechecker.exe (PID: 2968)
  - pw_sm_setup_x86.tmp (PID: 3900)
  - partitionwizard.exe (PID: 3704)
- Create files in a temporary directory
  - pw-free-online.exe (PID: 1996)
  - pw-free-online.exe (PID: 2424)
  - pw-free-online.tmp (PID: 2108)
  - SmDownloader.exe (PID: 2364)
  - pwfree-32bit-online.exe (PID: 3000)
  - SmDownloader.exe (PID: 3388)
  - pw_sm_setup_x86.exe (PID: 3736)
- Manual execution by a user
  - wmpnscfg.exe (PID: 3936)
  - partitionwizard.exe (PID: 3704)
  - partitionwizard.exe (PID: 2456)
- Creates files in the program directory
  - pwfree-32bit-online.tmp (PID: 3308)
  - pw_sm_setup_x86.tmp (PID: 3900)
  - partitionwizard.exe (PID: 3704)
- Reads the machine GUID from the registry
  - partitionwizard.exe (PID: 3704)
- Checks proxy server information
  - partitionwizard.exe (PID: 3704)
- Creates files or folders in the user directory
  - partitionwizard.exe (PID: 3704)
- Reads CPU info
  - partitionwizard.exe (PID: 3704)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (67.7)
.exe	\|	Win32 EXE PECompact compressed (generic) (25.6)
.exe	\|	Win32 Executable (generic) (2.7)
.exe	\|	Win16/32 Executable Delphi generic (1.2)
.exe	\|	Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:04:14 18:10:23+02:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741888
InitializedDataSize:	406016
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	12.8.0.0
ProductVersionNumber:	12.8.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	MiniTool Software Limited
FileDescription:	MiniTool Partition Wizard Setup
FileVersion:	12.8
LegalCopyright:	Copyright © 2023 MiniTool Software Limited, all rights reserved.
OriginalFileName:
ProductName:	MiniTool Partition Wizard
ProductVersion:	12.8

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

280

"C:\Users\admin\AppData\Local\Temp\is-G18JM.tmp\pw-free-online.tmp" /SL5="$1B0142,2294223,1148928,C:\Users\admin\Desktop\pw-free-online.exe"

C:\Users\admin\AppData\Local\Temp\is-G18JM.tmp\pw-free-online.tmp

—

pw-free-online.exe

User:

admin

Company:

MiniTool Software Limited

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

1073807364

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-g18jm.tmp\pw-free-online.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

1436

C:\Windows\System32\vds.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Virtual Disk Service

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll

1996

"C:\Users\admin\Desktop\pw-free-online.exe"

C:\Users\admin\Desktop\pw-free-online.exe

—

explorer.exe

User:

admin

Company:

MiniTool Software Limited

Integrity Level:

MEDIUM

Description:

MiniTool Partition Wizard Setup

Exit code:

1073807364

Version:

12.8

Modules

Images
c:\users\admin\desktop\pw-free-online.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2108

"C:\Users\admin\AppData\Local\Temp\is-HDBJ2.tmp\pw-free-online.tmp" /SL5="$110156,2294223,1148928,C:\Users\admin\Desktop\pw-free-online.exe" /SPAWNWND=$1A0194 /NOTIFYWND=$1B0142

C:\Users\admin\AppData\Local\Temp\is-HDBJ2.tmp\pw-free-online.tmp

—

pw-free-online.exe

User:

admin

Company:

MiniTool Software Limited

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

1073807364

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-hdbj2.tmp\pw-free-online.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

2364

"C:\Users\admin\AppData\Local\Temp\is-GBHA0.tmp\SmDownloader.exe" /HWND:1114488 /PATH:"C:\Program Files\MiniTool Partition Wizard 12\..\MiniTool ShadowMaker" /URL:https://www.partitionwizard.com/download/online-setup-config/pwfree-v12-bundle-sm.ini /VERYSILENT /USERMSG:1439 /LANG:english

C:\Users\admin\AppData\Local\Temp\is-GBHA0.tmp\SmDownloader.exe

pw-free-online.tmp

User:

admin

Integrity Level:

HIGH

Exit code:

1073807364

Modules

Images
c:\users\admin\appdata\local\temp\is-gbha0.tmp\smdownloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\is-gbha0.tmp\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll

2368

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vdsldr.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Virtual Disk Service Loader

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll

2424

"C:\Users\admin\Desktop\pw-free-online.exe" /SPAWNWND=$1A0194 /NOTIFYWND=$1B0142

C:\Users\admin\Desktop\pw-free-online.exe

pw-free-online.tmp

User:

admin

Company:

MiniTool Software Limited

Integrity Level:

HIGH

Description:

MiniTool Partition Wizard Setup

Exit code:

1073807364

Version:

12.8

Modules

Images
c:\users\admin\desktop\pw-free-online.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2456

"C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe"

C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe

—

explorer.exe

User:

admin

Company:

MiniTool Software Limited

Integrity Level:

MEDIUM

Description:

MiniTool Partition Wizard

Exit code:

3221226540

Version:

12.8.0.0

Modules

Images
c:\program files\minitool partition wizard 12\partitionwizard.exe
c:\windows\system32\ntdll.dll

2668

"taskkill.exe" /f /im "updatechecker.exe"

C:\Windows\System32\taskkill.exe

—

pw-free-online.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll

2968

"C:\Program Files\MiniTool Partition Wizard 12\updatechecker.exe" /createtask

C:\Program Files\MiniTool Partition Wizard 12\updatechecker.exe

—

pwfree-32bit-online.tmp

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files\minitool partition wizard 12\updatechecker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\minitool partition wizard 12\qt5core.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

Add for printing

Total events

12 660

Read events

12 607

Write events

Delete events

Modification events


(PID) Process:	(2108) pw-free-online.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2108) pw-free-online.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2108) pw-free-online.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2108) pw-free-online.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3308) pwfree-32bit-online.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Operation:	delete value	Name:	RegFilesHash
Value: 6299E559F8C9C1F419E4E415861CE81DF739739294F5F49A1283FB9699AB7F53
(PID) Process:	(3308) pwfree-32bit-online.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Operation:	delete value	Name:	RegFiles0000
Value: C:\Program Files\MiniTool Partition Wizard 12\7-zip.dll
(PID) Process:	(3308) pwfree-32bit-online.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Operation:	delete value	Name:	Sequence
Value: 1
(PID) Process:	(3308) pwfree-32bit-online.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Operation:	delete value	Name:	SessionHash
Value: F3A1F1F0B986C4C4817D410701153F8F6656DEF9DE21E36FBA12903669A34E10
(PID) Process:	(3308) pwfree-32bit-online.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Operation:	delete value	Name:	Owner
Value: EC0C0000C43ECBFF442FDA01
(PID) Process:	(3308) pwfree-32bit-online.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

611

Suspicious files

616

Text files

1 399

Unknown types

Dropped files

PID	Process	Filename		Type
2424	pw-free-online.exe	C:\Users\admin\AppData\Local\Temp\is-HDBJ2.tmp\pw-free-online.tmp		executable
		MD5:38088568F4393EDC27739E4E3B3B157A	SHA256:398B1FE38A434790F6D5E82D72BBAEF3B3DFBA13740BDE388FB7749312C1B917
2108	pw-free-online.tmp	C:\Users\admin\AppData\Local\Temp\is-GBHA0.tmp\pwpro.bmp		image
		MD5:91B84953535C8E68D9B8180AE60FF0CE	SHA256:10C9CF3C6885E339A7C9C4808716A7FDE113B4C4EE93FB2D5393240DF2D206B6
2108	pw-free-online.tmp	C:\Users\admin\AppData\Local\Temp\is-GBHA0.tmp\pwbmp.bmp		image
		MD5:C4C50E455CB11D349A5200508F2F7D4F	SHA256:BA68E855CE14DAF9B319E3BA91199FE504804EC58080B722686AAA2CCDE9EF38
1996	pw-free-online.exe	C:\Users\admin\AppData\Local\Temp\is-G18JM.tmp\pw-free-online.tmp		executable
		MD5:38088568F4393EDC27739E4E3B3B157A	SHA256:398B1FE38A434790F6D5E82D72BBAEF3B3DFBA13740BDE388FB7749312C1B917
2108	pw-free-online.tmp	C:\Users\admin\AppData\Local\Temp\is-GBHA0.tmp\unsupport.bmp		image
		MD5:4AC29DE505CFB25BBB88D190AD379D82	SHA256:93A93EC1F9AF7118B2FB05A1ABC420781130E5663B92536A23EC6A4B172A0843
2108	pw-free-online.tmp	C:\Users\admin\AppData\Local\Temp\is-GBHA0.tmp\SmDownloader.exe		executable
		MD5:0BB1BE1CEE6BC878ACBB41B1AF7CFC88	SHA256:166960F92A85A33207DAD124FEA1938740A82809C05DD449FD19F39C2C029038
2108	pw-free-online.tmp	C:\Users\admin\AppData\Local\Temp\is-GBHA0.tmp\line.bmp		image
		MD5:9DC5BF6E4B2CAD053D12AD24260D9327	SHA256:EFB22F0B990C4ED4A8D36868C7D9D3793B61F0728343306CAEAE0AE5F0751447
2108	pw-free-online.tmp	C:\Users\admin\AppData\Local\Temp\is-GBHA0.tmp\libcurl.dll		executable
		MD5:56F4C7D613927081E8311BC46EE0EC92	SHA256:F959786D18020A9DED99DC668E1F576CAC8DD364E22D773D40E4FC693264555C
2108	pw-free-online.tmp	C:\Users\admin\AppData\Local\Temp\is-GBHA0.tmp\support.bmp		image
		MD5:12CA16A9C8707B7F0A257E6CABBBEA3A	SHA256:624677996B347CD36593D4A1107B265C903268086F2F548B50C0F329FD649A33
2108	pw-free-online.tmp	C:\Users\admin\AppData\Local\Temp\is-GBHA0.tmp\libeay32.dll		executable
		MD5:D805C955E95F9B1A753733EA80439C45	SHA256:963B663BAB4B063403D01AF996AB80252718D12FE4AF39F334532B0B26C9DAD3

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3704	partitionwizard.exe	GET	—	104.18.20.161:80	http://www.partitionwizard.com/checking-update/verconfig-v11-free.txt	unknown	—	—	unknown
3704	partitionwizard.exe	GET	301	104.18.20.178:80	http://tracking.minitool.com/pw/launch.php?120800-from-free-v12	unknown	html	272 b	unknown
3704	partitionwizard.exe	GET	200	104.18.20.178:80	http://tracking.minitool.com/pw/launch.html?120800-from-free-v12	unknown	html	521 b	unknown
3704	partitionwizard.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8be229b1a76ba8a7	unknown	compressed	4.66 Kb	unknown
3704	partitionwizard.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b9de9e9115f7e844	unknown	compressed	4.66 Kb	unknown
3704	partitionwizard.exe	GET	200	142.250.74.195:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	binary	1.41 Kb	unknown
3704	partitionwizard.exe	GET	200	142.250.74.195:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D	unknown	binary	724 b	unknown
3704	partitionwizard.exe	GET	200	142.250.74.195:80	http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCZXmpIP%2Bo%2BHhJmodADfw%2Fc	unknown	binary	472 b	unknown
3704	partitionwizard.exe	GET	200	142.250.74.195:80	http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEFWAEhXnhCXkEikk9ZU5A80%3D	unknown	binary	471 b	unknown
3704	partitionwizard.exe	GET	200	142.250.74.195:80	http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGupzMnM%2BqGaCjIQPyd58u0%3D	unknown	binary	471 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2588	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3388	SmDownloader.exe	104.18.20.161:443	www.partitionwizard.com	CLOUDFLARENET	—	unknown
2364	SmDownloader.exe	104.18.20.161:443	www.partitionwizard.com	CLOUDFLARENET	—	unknown
2364	SmDownloader.exe	104.18.20.178:443	cdn2.minitool.com	CLOUDFLARENET	—	unknown
3388	SmDownloader.exe	104.18.20.178:443	cdn2.minitool.com	CLOUDFLARENET	—	unknown
3704	partitionwizard.exe	104.18.20.161:80	www.partitionwizard.com	CLOUDFLARENET	—	unknown
3704	partitionwizard.exe	104.18.20.178:80	cdn2.minitool.com	CLOUDFLARENET	—	unknown

DNS requests

Domain	IP	Reputation
www.partitionwizard.com	104.18.20.161 104.18.21.161	unknown
cdn2.minitool.com	104.18.20.178 104.18.21.178	unknown
tracking.minitool.com	104.18.20.178 104.18.21.178	unknown
www.googletagmanager.com	216.58.212.168	whitelisted
ctldl.windowsupdate.com	93.184.221.240	whitelisted
ocsp.pki.goog	142.250.74.195	whitelisted
www.google-analytics.com	142.250.184.206	whitelisted
region1.analytics.google.com	216.239.34.36 216.239.32.36	whitelisted
stats.g.doubleclick.net	74.125.133.157 74.125.133.156 74.125.133.155 74.125.133.154	whitelisted
www.google.sk	142.250.186.67	whitelisted

Threats

No threats detected

Add for printing

Process	Message
partitionwizard.exe	QMetaObject::connectSlotsByName: No matching signal for on_caption_menu_button_clicked()
partitionwizard.exe	QMetaObject::connectSlotsByName: No matching signal for on_append_partition_management_tab()
partitionwizard.exe	QMetaObject::connectSlotsByName: No matching signal for on_actionPartitionRecovery_triggered()
partitionwizard.exe	QMetaObject::connectSlotsByName: No matching signal for on_action_change_lanuage()
partitionwizard.exe	Unknown property flat-widget-border-color
partitionwizard.exe	Unknown property flat-widget-border-color
partitionwizard.exe	libpng warning: iCCP: known incorrect sRGB profile
partitionwizard.exe	QMetaObject::connectSlotsByName: No matching signal for on_exit_triggered()
partitionwizard.exe	QMetaObject::connectSlotsByName: No matching signal for on_signal_device_changed()
partitionwizard.exe	QMetaObject::connectSlotsByName: No matching signal for on_checking_license_exited(int)

General Info

pw-free-online.exe

B00F4EF87125599AE72DEF4555E48175

8B1073B0CEC1D85A6CA39842E43C8A9F49526953

BC917C4424C078290C3CBBB13E5F2F9C2939222D058D70056688718AE33E13A9

98304:UkL2991YngbfnLTccGEE7kc7EF2DKlVcu/xI9Gu1:j2991OgDtQIc7E4Wcu/xI911

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Creates a writable file in the system directory

SUSPICIOUS

Uses TASKKILL.EXE to kill process

Reads the Windows owner or organization settings

Process drops legitimate windows executable

The process drops C-runtime libraries

Reads the Internet Settings

Drops 7-zip archiver for unpacking

Drops a system driver (possible attempt to evade defenses)

Executes as Windows Service

Reads the BIOS version

Reads settings of System Certificates

Checks Windows Trust Settings

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Reads security settings of Internet Explorer

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Manual execution by a user

Creates files in the program directory

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings