File name: PDFescape_Desktop_Installer.exe

Full analysis: https://app.any.run/tasks/4f927008-d079-42f3-8575-49275f35a347
Verdict: Malicious activity
Analysis date: July 05, 2024, 10:13:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 87D28B3D2DF1CAB3711BF8D3B5B520C2
SHA1: 1987A4BF2A37F6538C701461357A52B0BCE1B980
SHA256: 88472E266EFD1A24182CF902E34E9D6B08A7B5E301BE837343FFD34FE5560977
SSDEEP: 196608:QOxr8zTyYcFI5g50JxgKREeeSHGrqNh63maD40p9foSh8cBoMIB+xHJPvDQ1:QOYXDgQLeLrqNhAmiVp9fAcBoMIB+lJi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • PDFescape_Desktop_Installer.exe (PID: 3204)
    • Registers / Runs the DLL via REGSVR32.EXE
      • PDFescape_Desktop_Installer.exe (PID: 3204)
  • SUSPICIOUS
    • Reads settings of System Certificates
      • PDFescape_Desktop_Installer.exe (PID: 3204)
    • Reads security settings of Internet Explorer
      • PDFescape_Desktop_Installer.exe (PID: 3204)
    • Executable content was dropped or overwritten
      • PDFescape_Desktop_Installer.exe (PID: 3204)
    • Reads the Internet Settings
      • PDFescape_Desktop_Installer.exe (PID: 3204)
    • Adds/modifies Windows certificates
      • PDFescape_Desktop_Installer.exe (PID: 3204)
    • Checks Windows Trust Settings
      • PDFescape_Desktop_Installer.exe (PID: 3204)
    • Creates/Modifies COM task schedule object
      • regsvr32.exe (PID: 2948)
    • Starts itself from another location
      • PDFescape_Desktop_Installer.exe (PID: 3204)
  • INFO
    • Checks proxy server information
      • PDFescape_Desktop_Installer.exe (PID: 3204)
    • Creates files in the program directory
      • PDFescape_Desktop_Installer.exe (PID: 3204)
    • Reads the computer name
      • PDFescape_Desktop_Installer.exe (PID: 3204)
      • PDFescapeDesktopInstaller.exe (PID: 2900)
      • msiexec.exe (PID: 3528)
    • Creates files or folders in the user directory
      • PDFescape_Desktop_Installer.exe (PID: 3204)
    • Checks supported languages
      • PDFescape_Desktop_Installer.exe (PID: 3204)
      • msiexec.exe (PID: 3528)
      • PDFescapeDesktopInstaller.exe (PID: 2900)
    • Reads the machine GUID from the registry
      • PDFescape_Desktop_Installer.exe (PID: 3204)
      • msiexec.exe (PID: 3528)
    • Reads the software policy settings
      • PDFescape_Desktop_Installer.exe (PID: 3204)
No Malware configuration.

TRiD

.ax | DirectShow filter (61.7)
.exe | Win32 Executable (generic) (1.3)
.exe | Generic Win/DOS Executable (0.6)
.exe | DOS Executable Generic (0.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:11:28 17:41:22+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 6181376
InitializedDataSize: 6180864
UninitializedDataSize: -
EntryPoint: 0x440a99
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 4.0.24.1356
ProductVersionNumber: 4.0.24.1356
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 4.0.24.1356
ProductVersion: 4.0.24.1356
CompanyName: © RedSoftware
FileDescription: PDFescape Installer
InternalName: PDFescapeDesktopInstaller.exe
LegalCopyright: © RedSoftware. All rights reserved.
OriginalFileName: PDFescapeDesktopInstaller.exe
ProductName: PDFescape Installer
CommitID: 6d9b4088c3b9fc122b4bfaf6550622c592ef096c
All screenshots are available in the full report
Total processes: 47
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes, in report order:
  • start: pdfescape_desktop_installer.exe
  • regsvr32.exe (no specs)
  • pdfescapedesktopinstaller.exe (no specs)
  • server (no specs)
  • msiexec.exe (no specs)
  • pdfescape_desktop_installer.exe (no specs)

Process information

(Each entry lists PID, command line, image path and parent process, followed by user, company, integrity level, description, exit code where the process had exited, version, and the loaded modules.)
PID: 980
CMD: C:\Windows\system32\DllHost.exe /Processid:{2BC47158-F746-4E22-B116-D481B09E9674}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2900
CMD: "C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe" /RegServer
Path: C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
Parent process: PDFescape_Desktop_Installer.exe
User: admin
Company: © RedSoftware
Integrity Level: HIGH
Description: PDFescape Installer
Exit code: 0
Version: 4.0.24.1356
Modules (images):
c:\programdata\pdfescape desktop\installation\pdfescapedesktopinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
PID: 2948
CMD: regsvr32.exe /s "C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: PDFescape_Desktop_Installer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3204
CMD: "C:\Users\admin\AppData\Local\Temp\PDFescape_Desktop_Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\PDFescape_Desktop_Installer.exe
Parent process: explorer.exe
User: admin
Company: © RedSoftware
Integrity Level: HIGH
Description: PDFescape Installer
Version: 4.0.24.1356
Modules (images):
c:\users\admin\appdata\local\temp\pdfescape_desktop_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
PID: 3384
CMD: "C:\Users\admin\AppData\Local\Temp\PDFescape_Desktop_Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\PDFescape_Desktop_Installer.exe
Parent process: explorer.exe
User: admin
Company: © RedSoftware
Integrity Level: MEDIUM
Description: PDFescape Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch from explorer.exe requested UAC elevation and exited after loading only ntdll; PID 3204 is the high-integrity instance in which all the indicators above were recorded)
Version: 4.0.24.1356
Modules (images):
c:\users\admin\appdata\local\temp\pdfescape_desktop_installer.exe
c:\windows\system32\ntdll.dll
PID: 3528
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 8 482
Read events: 8 289
Write events: 145
Delete events: 48

Modification events

All events below were made by PID 3204, PDFescape_Desktop_Installer.exe.

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write, Name: CachePrefix, Value: (empty)

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write, Name: CachePrefix, Value: Cookie:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write, Name: CachePrefix, Value: Visited:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write, Name: ProxyEnable, Value: 0

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value, Name: ProxyServer

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value, Name: ProxyOverride

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value, Name: AutoConfigURL

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value, Name: AutoDetect

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write, Name: SavedLegacySettings, Value (binary, hex):
460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: ProxyBypass, Value: 1
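The SavedLegacySettings value written above uses the same binary layout as DefaultConnectionSettings under Internet Settings\Connections: a little-endian header of version (0x46), a change counter and a flags word carrying the INTERNET_PER_CONN_FLAGS bits from wininet.h (1 direct, 2 manual proxy, 4 auto-config script, 8 auto-detect), followed by three DWORD-length-prefixed strings (proxy server, bypass list, auto-config URL). That layout is widely reverse-engineered rather than officially documented, so the decoder below, which is an added example and not part of the ANY.RUN report, decodes only that head and reports the rest as an undecoded tail. On this blob it yields flags 9 (direct + auto-detect) and three empty strings, which agrees with the ProxyEnable = 0 write and the deletion of ProxyServer, ProxyOverride, AutoConfigURL and AutoDetect in the same event run; the non-zero bytes at offsets 24 to 63 (a FILETIME-shaped value and 0xC0A8016B, i.e. 192.168.1.107 if read as an IPv4 address) are left uninterpreted. The constant SAVED_LEGACY_SETTINGS carries the first 64 bytes of the value verbatim plus 64 zero bytes standing in for the zero run shown in the report; the function and constant names are the example's own.

```python
import struct

# INTERNET_PER_CONN_FLAGS bits from wininet.h, as stored in the flags word of the blob.
PER_CONN_FLAGS = {
    0x1: "PROXY_TYPE_DIRECT",
    0x2: "PROXY_TYPE_PROXY",
    0x4: "PROXY_TYPE_AUTO_PROXY_URL",
    0x8: "PROXY_TYPE_AUTO_DETECT",
}

# First 64 bytes of the SavedLegacySettings value written by PID 3204 (copied from the
# registry event in this report). The report shows the remainder as a run of zero bytes;
# 64 zero bytes stand in for it here (the padding length does not affect the decoded fields).
SAVED_LEGACY_SETTINGS = bytes.fromhex(
    "46000000 5D010000 09000000 00000000 00000000 00000000 04000000 00000000"
    "C0E333BB EAB1D301 00000000 00000000 00000000 01000000 02000000 C0A8016B"
) + bytes(64)


def _read_lpstr(data, pos):
    """DWORD byte count followed by that many bytes, no terminator."""
    (n,) = struct.unpack_from("<I", data, pos)
    pos += 4
    return data[pos:pos + n].decode("latin-1"), pos + n


def _write_lpstr(s):
    raw = s.encode("latin-1")
    return struct.pack("<I", len(raw)) + raw


def parse_connection_settings(data):
    """Decode the head of a DefaultConnectionSettings / SavedLegacySettings blob.

    Only the version, counter, flags and the three length-prefixed strings are
    interpreted; everything after them is returned raw as the undecoded tail.
    """
    version, counter, flags = struct.unpack_from("<III", data, 0)
    if version != 0x46:
        raise ValueError(f"unexpected version {version:#x}")
    pos = 12
    proxy_server, pos = _read_lpstr(data, pos)
    proxy_bypass, pos = _read_lpstr(data, pos)
    autoconfig_url, pos = _read_lpstr(data, pos)
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "flag_names": [name for bit, name in PER_CONN_FLAGS.items() if flags & bit],
        "proxy_server": proxy_server,
        "proxy_bypass": proxy_bypass,
        "autoconfig_url": autoconfig_url,
        "undecoded_tail_len": len(data) - pos,
        "undecoded_tail_hex": data[pos:pos + 40].hex(),   # first 40 bytes after the strings
    }


def build_connection_settings(counter, flags, proxy_server="", proxy_bypass="", autoconfig_url=""):
    """Build a blob with the same head layout (tail left as 32 zero bytes) for round-trip checks."""
    return (struct.pack("<III", 0x46, counter, flags)
            + _write_lpstr(proxy_server)
            + _write_lpstr(proxy_bypass)
            + _write_lpstr(autoconfig_url)
            + bytes(32))


if __name__ == "__main__":
    print(parse_connection_settings(SAVED_LEGACY_SETTINGS))
```

build_connection_settings exists so a blob with a manual proxy can be generated and parsed back, which is the quickest way to confirm that a parser of this kind handles non-empty strings before pointing it at a live registry export.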
Executable files: 2
Suspicious files: 8
Text files: 0
Unknown types: 0

Dropped files

(Each entry lists PID, process, filename and type, followed by the MD5 and SHA256 of the dropped file.)
PID 3204, PDFescape_Desktop_Installer.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE (binary)
  MD5: 9DEE0AF9EB574AB87ED6856EC48188BE
  SHA256: 45B32DE95EAF6EE1197ACAFCB4C7A1A7C44467C8D4AF011840FE44F91E3EDAE4
PID 3204, PDFescape_Desktop_Installer.exe
  C:\ProgramData\PDFescape Desktop\Installation\common-data.dat.zip (compressed)
  MD5: 1BD904088438C3178145CB35C8174930
  SHA256: 7BC57B82CA13C4E0BDADE8F82C6B176C17B966C0E4D0F2920C1F5A52FCA6B05D
PID 3204, PDFescape_Desktop_Installer.exe
  C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll (executable)
  MD5: E5A591C125FDF21381CF543ED7706C66
  SHA256: 15B8775A3BAE497325056103DB0B14842FA8AE5592DCAACD9CCE593099F5DEE6
PID 3204, PDFescape_Desktop_Installer.exe
  C:\ProgramData\PDFescape Desktop\Installation\common-data.dat (binary)
  MD5: 4F8C2414DB50095F6BCB512248230D60
  SHA256: 480715D455FD8DBA9E26855DED17B9FBF55A1A2E1A284DBA11E9DC9F710E39D5
PID 3204, PDFescape_Desktop_Installer.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (binary)
  MD5: AE20D22D259D7D9F6A53AFBB0B80AC8A
  SHA256: 844263BB351F3FFFFC0BEBB65F2A852E5CB999267CC0F1226F940A1DAD5FB206
PID 3204, PDFescape_Desktop_Installer.exe
  C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe (executable)
  MD5: 87D28B3D2DF1CAB3711BF8D3B5B520C2
  SHA256: 88472E266EFD1A24182CF902E34E9D6B08A7B5E301BE837343FFD34FE5560977
  (MD5 and SHA256 are identical to the submitted sample: the installer copies itself to ProgramData and relaunches the copy with /RegServer as PID 2900, which is what the "Starts itself from another location" indicator on PID 3204 records.)
PID 3204, PDFescape_Desktop_Installer.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\773CFF2C7835D48C4E76FE153DBA9F81_3E54895A05528CE24A2352BCFA8D0F53 (binary)
  MD5: 3FE8F86A39D5F39297955F172CEF133F
  SHA256: C51DF4FC7122408C95CDA832C10D94685164CDCA0FD4A6D874EEA053F7346119
PID 3204, PDFescape_Desktop_Installer.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\773CFF2C7835D48C4E76FE153DBA9F81_3E54895A05528CE24A2352BCFA8D0F53 (binary)
  MD5: 5BC5C38E48CF16B6892B763CC3DC98E2
  SHA256: 48BEDDA935F40F8A64F4AAB3359FB12CC7B2CDCFEF255B5980C92BD74F1EC8C4
PID 3204, PDFescape_Desktop_Installer.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE (binary)
  MD5: BE0BC234A4C1E3451774383E98917B6F
  SHA256: CB2EDC800BA1D7257F7DC62F8D2B8E6B7946E30A21740EC840E818F6C73C803B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 15
DNS requests: 8
Threats: 0

HTTP requests

(Columns: PID, process, method, HTTP code, IP:port, URL, then CN and reputation; the type and size columns are empty for every request in this report.)
3204  PDFescape_Desktop_Installer.exe  GET  304  2.16.10.172:80
  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f22c59ef9af7248c
  CN: unknown, Reputation: unknown
3204  PDFescape_Desktop_Installer.exe  GET  200  192.229.221.95:80
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsllCLO2YEqFaBOmVKKDvo%3D
  CN: unknown, Reputation: unknown
1372  svchost.exe  GET  200  23.48.23.143:80
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
  CN: unknown, Reputation: unknown
1372  svchost.exe  GET  200  95.101.149.131:80
  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
  CN: unknown, Reputation: unknown
3204  PDFescape_Desktop_Installer.exe  GET  200  192.229.221.95:80
  http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJiUKgT2m88fZ4nxc1Lu6M%2FjvkagQUDNtsgkkPSmcKuBTuesRIUojrVjgCEAsHDV38dhr9mP70lXf9ANI%3D
  CN: unknown, Reputation: unknown
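The two GET requests from PID 3204 to ocsp.digicert.com and status.rapidssl.com carry a DER-encoded OCSPRequest, base64- and URL-encoded into the path, which is the GET form defined in RFC 6960. Together with the fetch of Microsoft's disallowed-certificate CTL (disallowedcertstl.cab) from ctldl.windowsupdate.com and the CryptnetUrlCache files dropped under AppData\LocalLow, this is the traffic pattern of Windows certificate-chain and revocation checking (the "Reads settings of System Certificates" and "Checks Windows Trust Settings" indicators), not command-and-control, and the requests can be decoded offline to see which certificate was being checked. The decoder below is an added example and not part of the ANY.RUN report; it takes the two URLs as they appear in the table, walks the DER by hand, and returns the hash algorithm, issuer name and key hashes and the certificate serial number of the CertID, so the serial can be compared with the signing certificate of the sample. The function and constant names are the example's own.

```python
import base64
from urllib.parse import unquote, urlsplit

# The two OCSP GET URLs recorded for PID 3204 in the HTTP requests table of this report.
OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsllCLO2YEqFaBOmVKKDvo%3D",
    "http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJiUKgT2m88fZ4nxc1Lu6M%2FjvkagQUDNtsgkkPSmcKuBTuesRIUojrVjgCEAsHDV38dhr9mP70lXf9ANI%3D",
]

# hashAlgorithm OIDs commonly seen in CertID; anything else is returned as the dotted OID.
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

SEQUENCE, OBJECT_ID, OCTET_STRING, INTEGER = 0x30, 0x06, 0x04, 0x02


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _first(value, tag):
    """First child of value with the given tag; skips context-specific [0]/[1] elements."""
    return next(v for t, v in _children(value) if t == tag)


def _oid(value):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get_url(url):
    """Decode the CertID of the first Request inside an RFC 6960 OCSP GET URL."""
    parts = urlsplit(url)
    der = base64.b64decode(unquote(parts.path.lstrip("/")))
    tag, ocsp_request, _ = _tlv(der, 0)          # OCSPRequest ::= SEQUENCE { tbsRequest, [0] optionalSignature }
    if tag != SEQUENCE:
        raise ValueError("path does not decode to a DER SEQUENCE")
    tbs = _first(ocsp_request, SEQUENCE)          # TBSRequest
    request_list = _first(tbs, SEQUENCE)          # requestList (an explicit [0] version, if any, is skipped)
    request = _first(request_list, SEQUENCE)      # first Request
    cert_id = _first(request, SEQUENCE)           # reqCert CertID
    (_, alg), (t1, name_hash), (t2, key_hash), (t3, serial) = list(_children(cert_id))[:4]
    if (t1, t2, t3) != (OCTET_STRING, OCTET_STRING, INTEGER):
        raise ValueError("CertID fields have unexpected tags")
    oid = _oid(_first(alg, OBJECT_ID))
    return {
        "responder": parts.netloc,
        "hash_alg": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),   # raw DER INTEGER bytes; a leading 00 would be sign padding
    }


if __name__ == "__main__":
    for u in OCSP_URLS:
        print(decode_ocsp_get_url(u))
```

The issuer key hash is the SHA-1 of the issuing CA's public key and the serial is the one printed on the checked certificate, so matching them against the Authenticode signer of the sample (or, for the rapidssl.com query, the TLS certificate of wsgeoip.pdfescape.com seen in the connections table) tells you which certificate each request was validating.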

Connections

(Columns: PID, process, IP:port, domain, ASN, CN, reputation; the local multicast and broadcast rows carry no domain, ASN or CN.)
2564  svchost.exe  239.255.255.250:3702  Reputation: whitelisted
1060  svchost.exe  224.0.0.252:5355  Reputation: unknown
4  System  192.168.100.255:137  Reputation: whitelisted
1372  svchost.exe  40.127.240.158:443  settings-win.data.microsoft.com  ASN: MICROSOFT-CORP-MSN-AS-BLOCK  CN: IE  Reputation: unknown
4  System  192.168.100.255:138  Reputation: whitelisted
3204  PDFescape_Desktop_Installer.exe  64.15.159.227:443  wsgeoip.pdfescape.com  ASN: IWEB-AS  CN: CA  Reputation: unknown
3204  PDFescape_Desktop_Installer.exe  2.16.10.172:80  ctldl.windowsupdate.com  ASN: Akamai International B.V.  CN: AT  Reputation: unknown
3204  PDFescape_Desktop_Installer.exe  192.229.221.95:80  ocsp.digicert.com  ASN: EDGECAST  CN: US  Reputation: whitelisted
1372  svchost.exe  23.48.23.143:80  crl.microsoft.com  ASN: Akamai International B.V.  CN: DE  Reputation: unknown
1372  svchost.exe  95.101.149.131:80  www.microsoft.com  ASN: Akamai International B.V.  CN: NL  Reputation: unknown

DNS requests

Domain
IP
Reputation
wsgeoip.pdfescape.com
  • 64.15.159.227
unknown
ctldl.windowsupdate.com
  • 2.16.10.172
  • 2.16.10.176
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
status.rapidssl.com
  • 192.229.221.95
shared
update.pdfescape.com
  • 64.15.159.227
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted

Threats

No threats detected
No debug info