File name:

portmaster-installer.exe

Full analysis: https://app.any.run/tasks/bae6c654-0ee5-43fb-944d-e34af0c5294a
Verdict: Malicious activity
Analysis date: August 06, 2024, 15:35:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

6A1673929B17A59E4B26C1BD00B92E6D

SHA1:

93E6D222C35FC77A0F013DB152BBBD71F8065D2D

SHA256:

F43A3E6EEF805925D8C3D5BDBE6AA1848BB5B4D8FCA55C1E7E291E20C6A10C92

SSDEEP:

196608:08I09Mb8d/Mi3W3J6sIsgeEwOQo8pgjLs:5Iy/MmW38ZsgeEwNWjLs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • portmaster-installer.exe (PID: 6424)
    • Drops the executable file immediately after the start

      • portmaster-installer.exe (PID: 6424)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • portmaster-installer.exe (PID: 6424)
    • The process creates files with name similar to system file names

      • portmaster-installer.exe (PID: 6424)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • portmaster-installer.exe (PID: 6424)
  • INFO

    • Checks supported languages

      • portmaster-installer.exe (PID: 6424)
      • portmaster-start.exe (PID: 7008)
      • portmaster-start.exe (PID: 1492)
    • Reads Environment values

      • portmaster-start.exe (PID: 1492)
      • portmaster-start.exe (PID: 7008)
    • Reads product name

      • portmaster-start.exe (PID: 1492)
      • portmaster-start.exe (PID: 7008)
    • Reads the computer name

      • portmaster-installer.exe (PID: 6424)
      • portmaster-start.exe (PID: 7008)
      • portmaster-start.exe (PID: 1492)
    • Creates files in the program directory

      • portmaster-installer.exe (PID: 6424)
      • portmaster-start.exe (PID: 7008)
      • portmaster-start.exe (PID: 1492)
    • Create files in a temporary directory

      • portmaster-installer.exe (PID: 6424)
    • Reads the software policy settings

      • portmaster-start.exe (PID: 1492)
      • portmaster-start.exe (PID: 7008)
    • Reads the machine GUID from the registry

      • portmaster-start.exe (PID: 1492)
      • portmaster-start.exe (PID: 7008)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:16 00:50:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x350d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.13.0
ProductVersionNumber: 1.0.13.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Safing ICS Technologies GmbH
FileDescription: Portmaster Application Firewall
FileVersion: 1.0.13.0
LegalCopyright: Safing ICS Technologies GmbH
ProductName: Portmaster
ProductVersion: 1.0.13.0
No data.
Total processes
123
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Process tree as recorded (parents taken from the process information below; "no specs" is the report's label for a process with no indicators attached):

explorer.exe
  portmaster-installer.exe (PID 6376, no specs)
  portmaster-installer.exe (PID 6424)
    portmaster-start.exe (PID 7008)
    portmaster-start.exe (PID 1492)

Process information

PID 1492
CMD: C:\ProgramData\Safing\Portmaster\portmaster-start.exe update --data=C:\ProgramData\Safing\Portmaster
Path: C:\ProgramData\Safing\Portmaster\portmaster-start.exe
Parent process: portmaster-installer.exe
User: admin
Integrity Level: HIGH
Exit code: not recorded (still running at the end of the analysis)
Modules (images):
c:\programdata\safing\portmaster\portmaster-start.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID 6376
CMD: "C:\Users\admin\Desktop\portmaster-installer.exe"
Path: C:\Users\admin\Desktop\portmaster-installer.exe
Parent process: explorer.exe
User: admin
Company: Safing ICS Technologies GmbH
Integrity Level: MEDIUM
Description: Portmaster Application Firewall
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.13.0
Modules (images):
c:\users\admin\desktop\portmaster-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

This first instance ran at medium integrity and exited with STATUS_ELEVATION_REQUIRED before loading anything beyond ntdll. The second instance below (PID 6424) has the same command line and runs at HIGH integrity, which is consistent with the installer requesting administrator rights and being relaunched elevated; all of the installer's file drops and indicators are attached to that second instance.

PID 6424
CMD: "C:\Users\admin\Desktop\portmaster-installer.exe"
Path: C:\Users\admin\Desktop\portmaster-installer.exe
Parent process: explorer.exe
User: admin
Company: Safing ICS Technologies GmbH
Integrity Level: HIGH
Description: Portmaster Application Firewall
Exit code: not recorded
Version: 1.0.13.0
Modules (images):
c:\users\admin\desktop\portmaster-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID 7008
CMD: C:\ProgramData\Safing\Portmaster\portmaster-start.exe clean-structure --data=C:\ProgramData\Safing\Portmaster
Path: C:\ProgramData\Safing\Portmaster\portmaster-start.exe
Parent process: portmaster-installer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\programdata\safing\portmaster\portmaster-start.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
8 102
Read events
8 102
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
14
Text files
6
Unknown types
0

Dropped files

PID 1492, portmaster-start.exe (update payloads; the report records no hash and no type for these). Each artifact appears twice: a staging copy under updates\tmp\ whose name is recorded with a leading dot and a numeric suffix, and the final copy under updates\all\.

C:\ProgramData\Safing\Portmaster\updates\tmp\.geoipv4_v20231201-0-1.mmdb.gz3802429758
C:\ProgramData\Safing\Portmaster\updates\all\intel\geoip\geoipv4_v20231201-0-1.mmdb.gz
C:\ProgramData\Safing\Portmaster\updates\tmp\.geoipv6_v20231201-0-1.mmdb.gz356920419
C:\ProgramData\Safing\Portmaster\updates\all\intel\geoip\geoipv6_v20231201-0-1.mmdb.gz
C:\ProgramData\Safing\Portmaster\updates\tmp\.base_v20240801-0-0.dsdl3423203262
C:\ProgramData\Safing\Portmaster\updates\all\intel\lists\base_v20240801-0-0.dsdl
C:\ProgramData\Safing\Portmaster\updates\tmp\.intermediate_v20240728-0-0.dsdl591578512
C:\ProgramData\Safing\Portmaster\updates\all\intel\lists\intermediate_v20240728-0-0.dsdl

PID 6424, portmaster-installer.exe (NSIS unpacks its plugins and installer resources into a per-run %TEMP%\ns....tmp directory):

C:\Users\admin\AppData\Local\Temp\nsq638A.tmp\System.dll (executable)
MD5: 8CF2AC271D7679B1D68EEFC1AE0C5618
SHA256: 6950991102462D84FDC0E3B0AE30C95AF8C192F77CE3D78E8D54E6B22F7C09BA

C:\Users\admin\AppData\Local\Temp\nsq638A.tmp\modern-header.bmp (image)
MD5: 940C56737BF9BB69CE7A31C623D4E87A
SHA256: 766A893FE962AEFD27C574CB05F25CF895D3FC70A00DB5A6FA73D573F571AEFC
HTTP(S) requests
18
TCP/UDP connections
16
DNS requests
4
Threats
0

HTTP requests

The report lists 10 of the 18 requests counted above. PID, process and CN are not recorded for any of them; reputation is "unknown" for all. All requests go to 167.235.104.51:443 (updates.safing.io).

Method  Code  URL                                                                          Type        Size
GET     -     https://updates.safing.io/windows_amd64/app/portmaster-app_v0-2-8.zip        (no response recorded)
GET     200   https://updates.safing.io/all/ui/modules/assets_v0-3-1.zip                   compressed  5.90 Mb
GET     200   https://updates.safing.io/all/intel/lists/intermediate_v20240728-0-0.dsdl    binary      6.38 Mb
GET     200   https://updates.safing.io/all/intel/lists/index_v2023-6-13.dsd               binary      4.49 Kb
GET     200   https://updates.safing.io/all/ui/modules/portmaster_v0-8-6.zip               compressed  4.23 Mb
GET     200   https://updates.safing.io/all/ui/modules/assets_v0-3-1.zip.sig               text        477 b
GET     200   https://updates.safing.io/all/intel/intel.json                               binary      367 b
GET     200   https://updates.safing.io/all/ui/modules/portmaster_v0-8-6.zip.sig           text        482 b
GET     200   https://updates.safing.io/stable.v2.json                                     binary      2.70 Kb
GET     200   https://updates.safing.io/stable.v2.json.sig                                 text        457 b
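The three checks a reviewer would actually run on the indicators above, as an added example that is not part of the ANY.RUN report and not Portmaster's own code: tag each dropped file (the "System.dll in Temp" signature fires on the stock NSIS System plugin, which every NSIS installer extracts into a per-run %TEMP%\ns....tmp directory, so on its own it says "NSIS installer", not "malware"), pair each update artifact fetched from updates.safing.io with its .sig fetch, and decode the NTSTATUS exit code of PID 6376. The paths, URLs and exit code are copied from this report's tables into inline lists; the temp-directory regex and the stock-plugin list are the editor's assumptions about NSIS, and the signature pairing can only see the 10 of 18 requests the report lists, so "no .sig seen" means "not visible here", not "unsigned".

```python
"""Triage helpers for the indicators in this sandbox report (added example)."""
import re

# Constructed inline from the "Dropped files" table of this report.
DROPPED_FILES = [
    r"C:\ProgramData\Safing\Portmaster\updates\tmp\.geoipv4_v20231201-0-1.mmdb.gz3802429758",
    r"C:\ProgramData\Safing\Portmaster\updates\all\intel\geoip\geoipv4_v20231201-0-1.mmdb.gz",
    r"C:\ProgramData\Safing\Portmaster\updates\all\intel\lists\base_v20240801-0-0.dsdl",
    r"C:\Users\admin\AppData\Local\Temp\nsq638A.tmp\System.dll",
    r"C:\Users\admin\AppData\Local\Temp\nsq638A.tmp\modern-header.bmp",
]

# Constructed inline from the "HTTP requests" table of this report (10 of 18 listed).
HTTP_URLS = [
    "https://updates.safing.io/windows_amd64/app/portmaster-app_v0-2-8.zip",
    "https://updates.safing.io/all/ui/modules/assets_v0-3-1.zip",
    "https://updates.safing.io/all/intel/lists/intermediate_v20240728-0-0.dsdl",
    "https://updates.safing.io/all/intel/lists/index_v2023-6-13.dsd",
    "https://updates.safing.io/all/ui/modules/portmaster_v0-8-6.zip",
    "https://updates.safing.io/all/ui/modules/assets_v0-3-1.zip.sig",
    "https://updates.safing.io/all/intel/intel.json",
    "https://updates.safing.io/all/ui/modules/portmaster_v0-8-6.zip.sig",
    "https://updates.safing.io/stable.v2.json",
    "https://updates.safing.io/stable.v2.json.sig",
]

# Assumption about NSIS: plugins are extracted to %TEMP%\ns<letter><4 hex>.tmp\
# and System.dll is the stock "System" plugin shipped with NSIS itself.
NSIS_PLUGIN_DIR = re.compile(r"\\temp\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)
NSIS_STOCK_PLUGINS = {
    "system.dll", "nsdialogs.dll", "nsexec.dll", "userinfo.dll",
    "startmenu.dll", "installoptions.dll",
}


def classify_dropped(path: str) -> str:
    """Tag one dropped-file path from the report."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if NSIS_PLUGIN_DIR.search(low):
        if name in NSIS_STOCK_PLUGINS:
            return "nsis-stock-plugin"          # expected of any NSIS installer
        return "nsis-temp-resource"             # bitmaps, custom DLLs: hash-lookup these
    if "\\programdata\\safing\\portmaster\\updates\\" in low:
        return "portmaster-update-file"
    return "other"


def classify_all(paths):
    return {p: classify_dropped(p) for p in paths}


def pair_signatures(urls):
    """Split fetched artifacts into those with a matching '.sig' fetch and those without."""
    urlset = set(urls)
    signed, unsigned = [], []
    for u in urls:
        if u.endswith(".sig"):
            continue
        (signed if u + ".sig" in urlset else unsigned).append(u)
    return signed, unsigned


# The sandbox prints NTSTATUS exit codes as unsigned decimals; these two occur in this report.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}


def decode_ntstatus(exit_code: int) -> str:
    code = exit_code & 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, f"unknown (0x{code:08X})")


if __name__ == "__main__":
    for p, tag in classify_all(DROPPED_FILES).items():
        print(f"{tag:24} {p}")
    signed, unsigned = pair_signatures(HTTP_URLS)
    print("with .sig fetch:", *signed, sep="\n  ")
    print("no .sig seen:", *unsigned, sep="\n  ")
    print("PID 6376 exit:", decode_ntstatus(3221226540))
```

Run stand-alone it prints the System.dll drop as an NSIS stock plugin, modern-header.bmp as an installer resource worth a hash lookup, the three artifacts whose .sig was fetched (assets, portmaster UI module, stable.v2.json), and the first installer instance's exit code as STATUS_ELEVATION_REQUIRED, which is why the same command line appears a second time at HIGH integrity.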

Connections

PID   Process              IP                    Domain                            ASN                          CN  Reputation
4     System               192.168.100.255:138   -                                 -                            -   whitelisted
3028  svchost.exe          51.104.136.2:443      settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
3888  svchost.exe          239.255.255.250:1900  -                                 -                            -   whitelisted
5112  RUXIMICS.exe         51.104.136.2:443      settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
2120  MoUsoCoreWorker.exe  51.104.136.2:443      settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System               192.168.100.255:137   -                                 -                            -   whitelisted
3028  svchost.exe          40.127.240.158:443    settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
2120  MoUsoCoreWorker.exe  40.127.240.158:443    settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
4324  svchost.exe          40.127.240.158:443    settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
7008  portmaster-start.exe 167.235.104.51:443    updates.safing.io                 Hetzner Online GmbH          DE  unknown

Only the last row belongs to the sample; the rest is Windows telemetry, NetBIOS broadcast and SSDP background traffic from the guest.

DNS requests

Domain                            IP                              Reputation
settings-win.data.microsoft.com   51.104.136.2, 40.127.240.158    whitelisted
google.com                        142.250.185.78                  whitelisted
updates.safing.io                 167.235.104.51                  unknown

Threats

No threats detected
No debug info