File name: PDFsamEnhanced7Installer.exe

Full analysis: https://app.any.run/tasks/86f3b1d2-98dd-4eeb-a146-daf5ec80b35d
Verdict: Malicious activity
Analysis date: July 17, 2024, 17:54:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6BA3074A25AE6394697BD1EA38DBC4CC
SHA1: 149D684B03AE51A1FB926200C2553B5B673A8ACF
SHA256: 3BFD9B556E82598DE86AEB8F1F06B4FA9ABD02790FB4EA28D082532CC8B86913
SSDEEP: 98304:zs0TkCNa0ITOO74rO80VEy7zXqOymNHqJuhaKPkc5W+Kc9aYxNiQgYe7mBodTfs0:HmTIZMwJ26

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • PDFsamEnhanced7Installer.exe (PID: 3200)
    • Registers / Runs the DLL via REGSVR32.EXE
      • PDFsamEnhanced7Installer.exe (PID: 3200)
  • SUSPICIOUS
    • Reads the Internet Settings
      • PDFsamEnhanced7Installer.exe (PID: 3200)
    • Executable content was dropped or overwritten
      • PDFsamEnhanced7Installer.exe (PID: 3200)
    • Creates/Modifies COM task schedule object
      • regsvr32.exe (PID: 2108)
    • Reads security settings of Internet Explorer
      • PDFsamEnhanced7Installer.exe (PID: 3200)
    • Checks Windows Trust Settings
      • PDFsamEnhanced7Installer.exe (PID: 3200)
    • Reads settings of System Certificates
      • PDFsamEnhanced7Installer.exe (PID: 3200)
    • Adds/modifies Windows certificates
      • PDFsamEnhanced7Installer.exe (PID: 3200)
    • Starts itself from another location
      • PDFsamEnhanced7Installer.exe (PID: 3200)
  • INFO
    • Reads the machine GUID from the registry
      • PDFsamEnhanced7Installer.exe (PID: 3200)
      • msiexec.exe (PID: 3652)
    • Reads the computer name
      • PDFsamEnhanced7Installer.exe (PID: 3200)
      • msiexec.exe (PID: 3652)
      • PDFsam_Enhanced_7_Installer.exe (PID: 3856)
    • Creates files in the program directory
      • PDFsamEnhanced7Installer.exe (PID: 3200)
    • Checks supported languages
      • PDFsamEnhanced7Installer.exe (PID: 3200)
      • msiexec.exe (PID: 3652)
      • PDFsam_Enhanced_7_Installer.exe (PID: 3856)
    • Checks proxy server information
      • PDFsamEnhanced7Installer.exe (PID: 3200)
    • Reads the software policy settings
      • PDFsamEnhanced7Installer.exe (PID: 3200)
    • Creates files or folders in the user directory
      • PDFsamEnhanced7Installer.exe (PID: 3200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:05 17:12:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 9158656
InitializedDataSize: 6602752
UninitializedDataSize: -
EntryPoint: 0x785375
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.0.75.2299
ProductVersionNumber: 7.0.75.2299
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 7.0.75.2299
ProductVersion: 7.0.75.2299
CompanyName: Andrea Vacondio
FileDescription: PDFsam Enhanced 7 Installer
InternalName: PDFsam_Enhanced_7_Installer.exe
LegalCopyright: Copyright 2021 Sober Lemur S.a.s di Vacondio Andrea.
OriginalFileName: PDFsam_Enhanced_7_Installer.exe
ProductName: PDFsam Enhanced 7 Installer
CommitID: e7b40a92b9b6c5087d49c7ad5a50f14836f78a33
All screenshots are available in the full report
Total processes: 46
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive view available in the full report): pdfsamenhanced7installer.exe (start), regsvr32.exe (no specs), server (no specs), msiexec.exe (no specs), pdfsam_enhanced_7_installer.exe (no specs), pdfsamenhanced7installer.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Parent process, User, Company, Integrity Level, Description, Exit code (where recorded), Version, Modules (images).

PID: 1952
CMD: C:\Windows\system32\DllHost.exe /Processid:{77EC23C5-BB68-4A7B-AE5C-F4AD0B6C678D}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\dllhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 2108
CMD: regsvr32.exe /s "C:\ProgramData\PDFsam Enhanced 7\Installation\analytics.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: PDFsamEnhanced7Installer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\regsvr32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 3200
CMD: "C:\Users\admin\AppData\Local\Temp\PDFsamEnhanced7Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\PDFsamEnhanced7Installer.exe
Parent process: explorer.exe
User: admin
Company: Andrea Vacondio
Integrity Level: HIGH
Description: PDFsam Enhanced 7 Installer
Version: 7.0.75.2299
Modules (images):
  c:\users\admin\appdata\local\temp\pdfsamenhanced7installer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\winspool.drv
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3344
CMD: "C:\Users\admin\AppData\Local\Temp\PDFsamEnhanced7Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\PDFsamEnhanced7Installer.exe
Parent process: explorer.exe
User: admin
Company: Andrea Vacondio
Integrity Level: MEDIUM
Description: PDFsam Enhanced 7 Installer
Exit code: 3221226540
Version: 7.0.75.2299
Modules (images):
  c:\users\admin\appdata\local\temp\pdfsamenhanced7installer.exe
  c:\windows\system32\ntdll.dll

PID: 3652
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\msiexec.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 3856
CMD: "C:\ProgramData\PDFsam Enhanced 7\Installation\PDFsam_Enhanced_7_Installer.exe" /RegServer
Path: C:\ProgramData\PDFsam Enhanced 7\Installation\PDFsam_Enhanced_7_Installer.exe
Parent process: PDFsamEnhanced7Installer.exe
User: admin
Company: Andrea Vacondio
Integrity Level: HIGH
Description: PDFsam Enhanced 7 Installer
Exit code: 0
Version: 7.0.75.2299
Modules (images):
  c:\programdata\pdfsam enhanced 7\installation\pdfsam_enhanced_7_installer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\winspool.drv
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
Total events: 10 578
Read events: 10 334
Write events: 172
Delete events: 72

Modification events

(PID) Process: (3200) PDFsamEnhanced7Installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\PDFsam Enhanced 7\Installation
Operation: write | Name: INSTALL_FOLDER
Value: C:\Program Files\PDFsam Enhanced 7

(PID) Process: (3200) PDFsamEnhanced7Installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D1C14C37-7707-434E-8D35-5F2D38964D4C}
Operation: write | Name: LaunchPermission
Value: 010014804C0000005C000000140000003000000002001C0001000000110014000400000001010000000000100010000002001C0001000000000014000B0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000

(PID) Process: (3200) PDFsamEnhanced7Installer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D1C14C37-7707-434E-8D35-5F2D38964D4C}
Operation: write | Name: AccessPermission
Value: 010014804C0000005C000000140000003000000002001C0001000000110014000400000001010000000000100010000002001C0001000000000014000B0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000

(PID) Process: (3200) PDFsamEnhanced7Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value:

(PID) Process: (3200) PDFsamEnhanced7Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value: Cookie:

(PID) Process: (3200) PDFsamEnhanced7Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value: Visited:

(PID) Process: (3200) PDFsamEnhanced7Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write | Name: ProxyEnable
Value: 0

(PID) Process: (3200) PDFsamEnhanced7Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value | Name: ProxyServer
Value:

(PID) Process: (3200) PDFsamEnhanced7Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value | Name: ProxyOverride
Value:

(PID) Process: (3200) PDFsamEnhanced7Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value | Name: AutoConfigURL
Value:

Executable files: 2
Suspicious files: 5
Text files: 0
Unknown types: 2

Dropped files

PID | Process | Filename | Type

3200 | PDFsamEnhanced7Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94929790B3119AF4B3F5D66C747B122B_9D3E7DA6D1C14765DEA87A941A911388 | der
  MD5: 1CA476C7892D7C88B7691DF8064C43F1
  SHA256: CE60B212C0FD7C771CAD6876F295AAF867FD527686174ACBDA00F8A75ED5DA74

3200 | PDFsamEnhanced7Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\581998720255AB96BEC857C21F96064C | binary
  MD5: 4BDCD607400E4A293C8536962B0BCAC9
  SHA256: BE6A7A933851216F614811170C2C4A826DE50B9BACD5589664F30CD24BAA547C

3200 | PDFsamEnhanced7Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94929790B3119AF4B3F5D66C747B122B_9D3E7DA6D1C14765DEA87A941A911388 | binary
  MD5: AB314B4430B47BDEB9DC52ABD93D48B0
  SHA256: 97FE377E58E79D61A9530D0C9B239FE211B4E16C4B37A0EA666BA6D99CEC5AD5

3200 | PDFsamEnhanced7Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\581998720255AB96BEC857C21F96064C | der
  MD5: 0E12ED0C2FF370EA2B5B5BB4EB4A3179
  SHA256: E88E8C8E42362E10285C4811B3090832219F22635EB648816880F85054988D75

3200 | PDFsamEnhanced7Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: E7144679FDD776DA3CDB2AF9DF7133D0
  SHA256: 9F8E3EBFDE072772EA49F63ADCF5AD3829D07A1A8DF780B6FE10CAAED2691A84

3200 | PDFsamEnhanced7Installer.exe | C:\ProgramData\PDFsam Enhanced 7\Installation\PDFsam_Enhanced_7_Installer.exe | executable
  MD5: 6BA3074A25AE6394697BD1EA38DBC4CC
  SHA256: 3BFD9B556E82598DE86AEB8F1F06B4FA9ABD02790FB4EA28D082532CC8B86913

3200 | PDFsamEnhanced7Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\439F613B3D55693954E1B080DE3085B4_13A9E648A032C61467BDA0380F67EA43 | binary
  MD5: 43CA98F8ED6AB3A45A95840576A149DF
  SHA256: 9C9020C782295272A78CAF7966410DF3CC74E59FF6AF28F97D6D7D95AC4F71F2

3200 | PDFsamEnhanced7Installer.exe | C:\ProgramData\PDFsam Enhanced 7\Installation\analytics.dll | executable
  MD5: 932F160DE3322EB6DA13E1E10FA788C8
  SHA256: 8D21E901F91A137ABD0DE9E44037858C28ED8CA008AAA6C094015BDC519C7FD4

3200 | PDFsamEnhanced7Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\439F613B3D55693954E1B080DE3085B4_13A9E648A032C61467BDA0380F67EA43 | binary
  MD5: CB6D9DAB89D554A783FF8AC21C26EFD0
  SHA256: 04D4B331949664E09B037DD561F9B270DBCEFE3EC251FBE91870BA9AF2DBD2C7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 21
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(the Type and Size columns carried no values in this report; rows without a PID/Process belong to the preceding process in the original table)

3200 | PDFsamEnhanced7Installer.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?182139713dd43289 | unknown | whitelisted
3200 | PDFsamEnhanced7Installer.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr6/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRi%2B7TJbHYn9EmJ9W03lecB7P%2BG7QQUrmwFo5MT4qLn4tcc1sfwf8hnU6ACEH8fLJAug9Djtvs77keLXoA%3D | unknown | whitelisted
 |  | GET | 200 | 104.18.21.226:80 | http://crl.globalsign.com/root-r6.crl | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 2.16.164.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3200 | PDFsamEnhanced7Installer.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/gsgccr6alphasslca2023/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTYuQbxgZqJCf3D06HBxH57o5XEXgQUvQW384qTPHPLefoPhRKhd5YYkXQCDA3ZJFfaA0%2BWNA8nSA%3D%3D | unknown | whitelisted
3200 | PDFsamEnhanced7Installer.exe | HEAD | 301 | 64.15.159.234:80 | http://downloadenhanced7.pdfsam.org/x86/module/main | unknown | unknown
1372 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3200 | PDFsamEnhanced7Installer.exe | GET | 301 | 64.15.159.234:80 | http://downloadenhanced7.pdfsam.org/x86/module/main | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(empty cells were blank in the original table; rows without a PID/Process belong to the preceding process)

4 | System | 192.168.100.255:137 |  |  |  | whitelisted
 |  | 224.0.0.252:5355 |  |  |  | whitelisted
1372 | svchost.exe | 40.127.240.158:443 |  | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
 |  | 239.255.255.250:3702 |  |  |  | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 |  |  |  | whitelisted
3200 | PDFsamEnhanced7Installer.exe | 64.15.159.234:443 | api-updateservice.pdfsam.org | IWEB-AS | CA | unknown
3200 | PDFsamEnhanced7Installer.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
3200 | PDFsamEnhanced7Installer.exe | 104.18.21.226:80 | ocsp2.globalsign.com | CLOUDFLARENET |  | shared
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP(s) | Reputation

google.com | 142.250.186.142 | whitelisted
api-updateservice.pdfsam.org | 64.15.159.234 | unknown
wsgeoip.pdfsam.org | 64.15.159.234 | unknown
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp2.globalsign.com | 104.18.21.226, 104.18.20.226 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
crl.microsoft.com | 2.16.164.17, 2.16.164.107, 2.16.164.128, 2.16.164.72, 2.16.164.89, 2.16.164.98, 2.16.164.106, 2.16.164.43, 2.16.164.82 | whitelisted
crl.globalsign.com | 104.18.21.226, 104.18.20.226 | whitelisted
ocsp.globalsign.com | 104.18.20.226, 104.18.21.226 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted

Threats

No threats detected
Process | Message

PDFsamEnhanced7Installer.exe | unknown property 'pointer-events' at (app://base/styles/components.css(120))
PDFsamEnhanced7Installer.exe | unknown property 'enable-background' at (app://base/images/logo.svg(6))
PDFsamEnhanced7Installer.exe | unknown property 'clip-rule' at (app://base/images/checkbox-checked.svg(7))
PDFsamEnhanced7Installer.exe | unknown property 'pointer-events' at (app://base/styles/components.css(120))
PDFsamEnhanced7Installer.exe | unknown property 'pointer-events' at (app://base/styles/components.css(120))
PDFsamEnhanced7Installer.exe | unknown property 'pointer-events' at (app://base/styles/components.css(120))
PDFsamEnhanced7Installer.exe | unknown property 'pointer-events' at (app://base/styles/components.css(120))
PDFsamEnhanced7Installer.exe | unknown property 'enable-background' at (app://base/images/logo.svg(6))