File name: pdf24-creator-9.3.0-x86.exe

Full analysis: https://app.any.run/tasks/a552bfe7-e049-43d6-9184-57b92fa63ad6
Verdict: Malicious activity
Analysis date: August 01, 2024, 14:51:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2920CE887D2AF28122ADC8087EC7B97E
SHA1: 7E73DD2E5D954DAAB3F65D7A1615FA41BF34D923
SHA256: 1D37D25EDFC815D54416494173778E7937E6902DD25C2226A7B1294733925606
SSDEEP: 393216:REgs1WxtbCZ5705dYiKlaO7hwNlAM4dHx6dzyKHMuOuETEAHp4:Wp1oj53KlamdvuOfdK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • pdf24-creator-9.3.0-x86.exe (PID: 6888)
    • Registers / Runs the DLL via REGSVR32.EXE

      • pdf24-creator-9.3.0-x86.tmp (PID: 7100)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • pdf24-creator-9.3.0-x86.exe (PID: 6888)
      • pdf24-creator-9.3.0-x86.exe (PID: 7076)
      • pdf24-creator-9.3.0-x86.tmp (PID: 7100)
      • pdf24-PrinterInstall.exe (PID: 5552)
    • Reads security settings of Internet Explorer

      • pdf24-creator-9.3.0-x86.tmp (PID: 6908)
      • pdf24-creator-9.3.0-x86.tmp (PID: 7100)
    • Reads the date of Windows installation

      • pdf24-creator-9.3.0-x86.tmp (PID: 6908)
      • pdf24-creator-9.3.0-x86.tmp (PID: 7100)
    • Reads the Windows owner or organization settings

      • pdf24-creator-9.3.0-x86.tmp (PID: 7100)
    • Uses WMIC.EXE to obtain data on processes

      • pdf24-creator-9.3.0-x86.tmp (PID: 7100)
    • Executes as Windows Service

      • pdf24.exe (PID: 6824)
  • INFO

    • Checks supported languages

      • pdf24-creator-9.3.0-x86.tmp (PID: 6908)
      • pdf24-creator-9.3.0-x86.exe (PID: 6888)
      • pdf24-creator-9.3.0-x86.exe (PID: 7076)
      • pdf24-creator-9.3.0-x86.tmp (PID: 7100)
    • Reads the computer name

      • pdf24-creator-9.3.0-x86.tmp (PID: 6908)
      • pdf24-creator-9.3.0-x86.tmp (PID: 7100)
    • Create files in a temporary directory

      • pdf24-creator-9.3.0-x86.exe (PID: 6888)
      • pdf24-creator-9.3.0-x86.exe (PID: 7076)
      • pdf24-creator-9.3.0-x86.tmp (PID: 7100)
    • Process checks computer location settings

      • pdf24-creator-9.3.0-x86.tmp (PID: 6908)
      • pdf24-creator-9.3.0-x86.tmp (PID: 7100)
    • Application launched itself

      • msedge.exe (PID: 2580)
      • msedge.exe (PID: 1492)
    • Manual execution by a user

      • msedge.exe (PID: 1492)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 147968
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 9.3.0.0
ProductVersionNumber: 9.3.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: geek software GmbH
FileDescription: PDF24 Creator
FileVersion: 9.3.0
LegalCopyright: https://www.pdf24.org
OriginalFileName:
ProductName: PDF24 Creator
ProductVersion: 9.3.0
No data.
All screenshots are available in the full report
Total processes: 180
Monitored processes: 61
Malicious processes: 2
Suspicious processes: 2

Behavior graph

start pdf24-creator-9.3.0-x86.exe pdf24-creator-9.3.0-x86.tmp no specs pdf24-creator-9.3.0-x86.exe pdf24-creator-9.3.0-x86.tmp sc.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs regsvr32.exe no specs regsvr32.exe no specs pdf24-printerinstall.exe conhost.exe no specs pdf24-printerinstall.exe no specs conhost.exe no specs pdf24-printerinstall.exe no specs conhost.exe no specs pdf24.exe no specs pdf24.exe no specs pdf24.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID: 300
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: pdf24-PrinterInstall.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 840
CMD: "C:\Windows\System32\wbem\WMIC.exe" PROCESS WHERE "Name='pdf24-Reader.exe' AND CommandLine LIKE '%/shellPreview%'" CALL TERMINATE
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Parent process: pdf24-creator-9.3.0-x86.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1224
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6896 --field-trial-handle=2236,i,17424302436117345976,16789634232584514999,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59

PID: 1492
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate --single-argument https://www.pdf24.org/products/pdf-creator/afterInstall.php?version=9.3.0&iid=63355C32-BA64-4246-B35E-41F876D81708&language=en
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59

PID: 1860
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 2064
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5144 --field-trial-handle=2236,i,17424302436117345976,16789634232584514999,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59

PID: 2128
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: pdf24-PrinterInstall.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 2248
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4672 --field-trial-handle=2236,i,17424302436117345976,16789634232584514999,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59

PID: 2360
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5632 --field-trial-handle=2236,i,17424302436117345976,16789634232584514999,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59

PID: 2392
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6708 --field-trial-handle=2236,i,17424302436117345976,16789634232584514999,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Total events: 1 818
Read events: 1 807
Write events: 11
Delete events: 0

Modification events

Process: (PID 7100) pdf24-creator-9.3.0-x86.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: BC1B00007EC5386F22E4DA01

Process: (PID 7100) pdf24-creator-9.3.0-x86.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 3607F24D20E5CAC3EC0317274F5DE83C9EB0EA7D98AEE6A5B1AE2BD8E6D19580

Process: (PID 7100) pdf24-creator-9.3.0-x86.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

Process: (PID 7100) pdf24-creator-9.3.0-x86.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (PID 7100) pdf24-creator-9.3.0-x86.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (PID 7100) pdf24-creator-9.3.0-x86.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (PID 7100) pdf24-creator-9.3.0-x86.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 201
Suspicious files: 334
Text files: 1 073
Unknown types: 237

Dropped files

PID | Process | Filename | Type

7076 | pdf24-creator-9.3.0-x86.exe | C:\Users\admin\AppData\Local\Temp\is-640VQ.tmp\pdf24-creator-9.3.0-x86.tmp | executable
MD5: 8A305EAFD750DDE3221FB9592D211653
SHA256: 5C2328C36A7A8DC007EE89D2B7DDBB197D940BE8AC00E7452C49753BB62F67AC

6888 | pdf24-creator-9.3.0-x86.exe | C:\Users\admin\AppData\Local\Temp\is-E4HAL.tmp\pdf24-creator-9.3.0-x86.tmp | executable
MD5: 8A305EAFD750DDE3221FB9592D211653
SHA256: 5C2328C36A7A8DC007EE89D2B7DDBB197D940BE8AC00E7452C49753BB62F67AC

7100 | pdf24-creator-9.3.0-x86.tmp | C:\Program Files (x86)\PDF24\api-ms-win-core-errorhandling-l1-1-0.dll | executable
MD5: 4AC2407DB6686FD3B1958B4A5A6F21EF
SHA256: 086B854A80F086EAAF6EDACEF86FFAF3C62873F6FD0912633613D8EA915502DA

7100 | pdf24-creator-9.3.0-x86.tmp | C:\Program Files (x86)\PDF24\api-ms-win-core-datetime-l1-1-0.dll | executable
MD5: 08AAE87199CF7BD540CE4B87FBAA8735
SHA256: DE2874E7922DC7BA0535B0D5BE04CAFBF4C7D63F55B75ECE64B5F3779F635149

7100 | pdf24-creator-9.3.0-x86.tmp | C:\Program Files (x86)\PDF24\is-LI7T0.tmp | executable
MD5: FADB2E9DC88E83742D40E9162409C388
SHA256: 45865986E00B678AC9FE3016F44C1666965E3BAD501890EBBFF015EE90887E58

7100 | pdf24-creator-9.3.0-x86.tmp | C:\Program Files (x86)\PDF24\is-PS36R.tmp | executable
MD5: 2DB87E528F871BF9FD7A7AA25E8D5C69
SHA256: 4720E2DF9706043E2491D61F16687A08F17DD2CC11F61011A7AFE06D2A6D8706

7100 | pdf24-creator-9.3.0-x86.tmp | C:\Program Files (x86)\PDF24\is-SMBJ5.tmp | executable
MD5: 4AC2407DB6686FD3B1958B4A5A6F21EF
SHA256: 086B854A80F086EAAF6EDACEF86FFAF3C62873F6FD0912633613D8EA915502DA

7100 | pdf24-creator-9.3.0-x86.tmp | C:\Users\admin\AppData\Local\Temp\is-VJDNT.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

7100 | pdf24-creator-9.3.0-x86.tmp | C:\Program Files (x86)\PDF24\api-ms-win-core-console-l1-2-0.dll | executable
MD5: E500919807C7DCF9D2E57FCBD8A64AE8
SHA256: 02C94B106370DA1C627EEBA7BEA5CE60F9DE4F1C3CB34D1007D486F5D75BFB4E

7100 | pdf24-creator-9.3.0-x86.tmp | C:\Program Files (x86)\PDF24\is-LPS10.tmp | executable
MD5: 61F9D1296D5EEB3C575E80280BF48939
SHA256: 7E71B0E955E25AE0840F755DFDE4712C440205A7AEA7C3734240413B57CB3C55
HTTP(S) requests: 117
TCP/UDP connections: 62
DNS requests: 118
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

GET | 302 | 172.67.74.46:443 | https://www.pdf24.org/products/pdf-creator/afterInstall.php?version=9.3.0&iid=63355C32-BA64-4246-B35E-41F876D81708&language=en | unknown
GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown
GET | 304 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=38&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown
GET | 200 | 204.79.197.239:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown | binary | 479 b
GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=38&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 735 b
GET | 401 | 13.107.6.158:443 | https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox | unknown | binary | 586 b
POST | 204 | 184.86.251.16:443 | https://www.bing.com/threshold/xls.aspx | unknown
GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=38&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 15.9 Kb
GET | - | 142.250.181.232:443 | https://www.googletagmanager.com/gtag/js?id=G-J5BFLTV8SB | unknown
GET | 200 | 168.119.243.154:443 | https://geoip.pdf24.org/lite | unknown | binary | 98 b

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | unknown
51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
239.255.255.250:1900 | unknown
192.168.100.255:137 | unknown
20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
104.26.3.31:443 | www.pdf24.org | unknown
13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
13.107.6.158:443 | business.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
13.107.246.45:443 | edge-mobile-static.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 51.124.78.146, 20.73.194.208 | unknown
google.com | 142.250.181.238 | unknown
config.edge.skype.com | 13.107.42.16 | unknown
www.pdf24.org | 104.26.3.31, 104.26.2.31, 172.67.74.46 | unknown
edge.microsoft.com | 204.79.197.239, 13.107.21.239 | unknown
business.bing.com | 13.107.6.158 | unknown
edge-mobile-static.azureedge.net | 13.107.246.45 | unknown
www.bing.com | 184.86.251.25, 184.86.251.19, 184.86.251.10, 184.86.251.22, 184.86.251.17, 184.86.251.18, 184.86.251.15, 184.86.251.27, 184.86.251.16, 184.86.251.28, 2.23.209.168, 2.23.209.162, 2.23.209.161, 2.23.209.158, 2.23.209.173, 2.23.209.160, 2.23.209.171, 2.23.209.169, 2.23.209.166 | unknown
tools.pdf24.org | 104.26.3.31, 172.67.74.46, 104.26.2.31 | unknown
bzib.nelreports.net | 23.48.23.51, 23.48.23.26 | unknown

Threats

1 ETPRO signature available in the full report
No debug info