File name: PDFShaper.exe.7z

Full analysis: https://app.any.run/tasks/a963b75c-9f38-47fc-ad8c-2ba3c9db2457
Verdict: Malicious activity
Analysis date: June 26, 2024, 08:19:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 1789E272B6040E4B9DE4E6BF48791E7A
SHA1: 55F8B0D604B5A26AC01C42246BF11EC15D6EAD8A
SHA256: FD92F75534DBA58C835D92A086B23ABD34B484569EABA76A1A4F2C37557F78C6
SSDEEP: 98304:OPssclOB9PO5h/9ttcpj2mzE0H1juGxKhfKLDD3xJkpAALKvY9VatvO6gw84FKYm:TQrQFvb7AvnV
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3424)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3424)
      • PDFShaper.exe (PID: 3396)
    • Reads the Internet Settings

      • PDFShaper.exe (PID: 3396)
    • Reads settings of System Certificates

      • PDFShaper.exe (PID: 3396)
    • Checks Windows Trust Settings

      • PDFShaper.exe (PID: 3396)
  • INFO

    • Checks proxy server information

      • PDFShaper.exe (PID: 3396)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3424)
    • Checks supported languages

      • PDFShaper.exe (PID: 3396)
    • Reads the computer name

      • PDFShaper.exe (PID: 3396)
    • Reads the machine GUID from the registry

      • PDFShaper.exe (PID: 3396)
    • Creates files or folders in the user directory

      • PDFShaper.exe (PID: 3396)
    • Create files in a temporary directory

      • PDFShaper.exe (PID: 3396)
    • Reads the software policy settings

      • PDFShaper.exe (PID: 3396)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

Screenshots: available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> winrar.exe -> pdfshaper.exe

Process information

PID: 3396
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3424.30308\PDFShaper.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3424.30308\PDFShaper.exe
Parent process: WinRAR.exe
User: admin
Company: Glorylogic
Integrity Level: MEDIUM
Description: Welcome
Exit code: 0
Version: 2.7.0.0
Modules (loaded images):
c:\users\admin\appdata\local\temp\rar$exb3424.30308\pdfshaper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 3424
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\PDFShaper.exe.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (loaded images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
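The process tree above is the whole basis of the MALICIOUS verdict: the only MALICIOUS-class signature ("Drops the executable file immediately after the start") fires on WinRAR.exe (PID 3424), which extracted PDFShaper.exe into its per-run scratch directory Rar$EXb3424.30308 under %TEMP% and launched it; the number embedded in that directory name is WinRAR's own PID. Everything attributed to PDFShaper.exe (PID 3396) itself is SUSPICIOUS or INFO. The check below, added here as an example and not ANY.RUN's or Glorylogic's code, reproduces the useful part of that signature on ordinary process-creation telemetry: it recognises the Rar$EX<letter><pid>.<counter> path, and confirms that the launching parent is the WinRAR instance whose PID is embedded in the path, because a drop from that directory started by anything else is the more interesting case. The event records are constructed; the first mirrors PID 3396 from this report, the other two are made up for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# WinRAR extracts a file opened from inside an archive into a scratch directory under
# %TEMP% named Rar$EX<letter><WinRAR PID>.<counter> and then launches it. The report
# above shows Rar$EXb3424.30308, where 3424 is WinRAR's own PID. The letter varies, so
# the pattern accepts any single letter (assumption for this example).
RAR_SCRATCH_RE = re.compile(
    r"[\\/]Rar\$EX[a-z](?P<rar_pid>\d+)\.(?P<counter>\d+)[\\/]", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 provides)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def rar_scratch_pid(path: str) -> Optional[int]:
    """Return the WinRAR PID embedded in a Rar$EX scratch path, or None if not one."""
    m = RAR_SCRATCH_RE.search(path)
    return int(m.group("rar_pid")) if m else None


def classify(ev: ProcessEvent) -> Optional[str]:
    """Tag an execution that starts from WinRAR's scratch directory.

    'winrar-scratch-exec'                : parent is WinRAR.exe and its PID equals the
                                           PID in the path (what this report shows).
    'winrar-scratch-exec-foreign-parent' : image sits in a Rar$EX directory but was not
                                           started by the WinRAR instance that made it.
    None                                 : not a scratch-directory launch.
    """
    embedded = rar_scratch_pid(ev.image)
    if embedded is None:
        return None
    parent_is_winrar = ev.parent_image.lower().endswith("\\winrar.exe")
    if parent_is_winrar and embedded == ev.parent_pid:
        return "winrar-scratch-exec"
    return "winrar-scratch-exec-foreign-parent"


def triage(events):
    """Return (pid, image, tag) for every event that deserves a look."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.append((ev.pid, ev.image, tag))
    return hits


# Constructed sample events. The first mirrors PID 3396 from the report; the second is a
# benign launch; the third reuses the same drop directory but from a made-up cmd.exe parent.
SAMPLE_EVENTS = [
    ProcessEvent(
        pid=3396,
        image=r"C:\Users\admin\AppData\Local\Temp\Rar$EXb3424.30308\PDFShaper.exe",
        command_line=r'"C:\Users\admin\AppData\Local\Temp\Rar$EXb3424.30308\PDFShaper.exe"',
        parent_pid=3424,
        parent_image=r"C:\Program Files\WinRAR\WinRAR.exe",
    ),
    ProcessEvent(
        pid=4100,
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe",
        parent_pid=1500,
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcessEvent(
        pid=5120,
        image=r"C:\Users\admin\AppData\Local\Temp\Rar$EXb3424.30308\PDFShaper.exe",
        command_line="PDFShaper.exe /silent",
        parent_pid=5000,
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
]

if __name__ == "__main__":
    for pid, image, tag in triage(SAMPLE_EVENTS):
        print(f"{pid}\t{tag}\t{image}")
```

On its own a 'winrar-scratch-exec' hit is only a user opening an executable from an archive, which is exactly what happened in this sandbox run; it becomes worth escalating when the launched image is unsigned, lands outside %TEMP% afterwards, or starts network traffic that the archive's stated purpose does not explain.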
Total events: 7 617
Read events: 7 546
Write events: 65
Delete events: 6

Modification events

Process | Operation | Key | Name = Value
(3424) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP = (empty)
(3424) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon = (empty)
(3424) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList = en-US
(3424) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 = C:\Users\admin\Desktop\phacker.zip
(3424) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3424) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 = C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3424) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 = C:\Users\admin\AppData\Local\Temp\PDFShaper.exe.7z
(3424) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name = 120
(3424) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size = 80
(3424) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type = 120

All ten listed writes are WinRAR housekeeping (theme cache, MUI cache, column widths and the ArcHistory most-recently-used list); none belongs to PDFShaper.exe. Only ArcHistory\0 refers to this sample. Entries 1 to 3 are archives evidently opened earlier on the sandbox image and were rewritten because WinRAR rewrites the whole MRU list on each run, so they must not be read as artifacts of PDFShaper.exe.
Executable files: 1
Suspicious files: 5
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3396 | PDFShaper.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34E2EA748E5E48B51E91CFD9546905FA | binary
    MD5: 7CCE6EAF4A47759E180C769CE2CFCB13
    SHA256: 7D476117DE43DADDE5C1FA57D029C5AC540F17896416103C97D3579E81C485DA
3396 | PDFShaper.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | binary
    MD5: 822467B728B7A66B081C91795373789A
    SHA256: AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9
3396 | PDFShaper.exe | C:\Users\admin\AppData\Local\Temp\WD16AC.tmp | html
    MD5: 0D24858C93D4B405780D3211586FFA9E
    SHA256: 86FFECF0E99E72870CC7C60C7DB5A35C09D45FF8E12576756DD850433D461A52
3396 | PDFShaper.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary
    MD5: 4BD26D2D95C970C5E1EB699440E008DB
    SHA256: 24B619EE62BD79D619A0FF2288D41691470E6246469FD4CCB69D93CD0C84A06D
3396 | PDFShaper.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
    MD5: 8E21AA496D1ED34EE622523670DFD6D1
    SHA256: 53C9F76E20B6520D5A727B2B3D23B30BFDC043CB17010CC9D1659FC5E7FD426E
3424 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3424.30308\PDFShaper.exe | executable
    MD5: F948650CD4EB548593341AC52A1095D7
    SHA256: 4897F66B9348533913E283296904F902AB4657440084CFFB97EFB77FDE44FBAF
3396 | PDFShaper.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34E2EA748E5E48B51E91CFD9546905FA | binary
    MD5: 88FC2070083D1B2AC9D4FE6614A249C5
    SHA256: 765E3D84B4A50234AE63CBA8BA0E6B6488971DF359653ADE1C1344815A796FFE
3396 | PDFShaper.exe | C:\Users\admin\AppData\Local\pdfshaper.ini | text
    MD5: 66054E54C239DDE48EDF98DBA9C9D9CB
    SHA256: D02AAA60CE20D8552DF5A451CBAA6DE7FD69F0B0076A498DA34DC1FA6D053168

The five CryptnetUrlCache entries counted as "suspicious files" are CryptoAPI's on-disk cache (MetaData plus Content pairs) of the certificate-chain fetches listed under HTTP requests; they are written under whichever process triggered chain validation, here PDFShaper.exe. The only file that is the sample's own output is pdfshaper.ini, and the only executable written to disk is the one WinRAR extracted.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 14
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
3396 | PDFShaper.exe | GET | 301 | 46.21.150.243:80 | http://www.glorylogic.com/upd_shaper.ini | unknown | unknown
3396 | PDFShaper.exe | GET | 200 | 23.53.40.144:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPtFjeCeOWRXWimP8Oa0H%2BBJA%3D%3D | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1060 | svchost.exe | GET | 304 | 23.53.40.49:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?67a3611ec3c0260d | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
3396 | PDFShaper.exe | GET | 200 | 23.192.153.142:80 | http://x1.c.lencr.org/ | unknown | unknown
3396 | PDFShaper.exe | GET | 304 | 23.53.40.35:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5df159c2fea8970b | unknown | unknown

(The Type and Size columns were empty for every row and are omitted.)
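The second request is an OCSP query in the GET form of RFC 6960 Appendix A: the path is the URL-escaped base64 of a DER-encoded OCSPRequest, so it can be decoded offline to learn which certificate PDFShaper.exe was checking and against which issuer. The following Python, added here as an example and not ANY.RUN's or Glorylogic's code, does that with a minimal DER walker and no third-party library; the URL it decodes is the one from the table. The issuerKeyHash it recovers is what you compare with the subjectKeyIdentifier of the suspected issuer (the responder hostname r3.o.lencr.org already points at Let's Encrypt's R3 intermediate), and the serial is what you would look up in the CA's logs or in a CT search.

```python
import base64
from urllib.parse import unquote, urlparse

# The second request in the table above, copied verbatim from the report.
OCSP_URL_FROM_REPORT = (
    "http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3"
    "NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPtFjeCeOWRXWimP8Oa0H%2BBJA%3D%3D"
)

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles the short and long length forms, which is all an OCSP request needs."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_oid(value):
    """Decode an OBJECT IDENTIFIER value to dotted form (first byte = 40*a + b, then base-128 arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url):
    """Decode an RFC 6960 Appendix A GET-style OCSP URL and return its CertID fields.

    The path is base64 (URL-escaped) of a DER OCSPRequest:
      OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] OPTIONAL }
      TBSRequest  ::= SEQUENCE { version [0] EXPLICIT DEFAULT v1, requestorName [1] OPTIONAL,
                                 requestList SEQUENCE OF Request, requestExtensions [2] OPTIONAL }
      Request     ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] OPTIONAL }
      CertID      ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING,
                                 issuerKeyHash OCTET STRING, serialNumber INTEGER }
    Only the first Request is decoded; clients normally send one per certificate checked.
    """
    der = base64.b64decode(unquote(urlparse(url).path.lstrip("/")))
    tag, tbs_wrapper, _ = der_tlv(der)          # OCSPRequest
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = der_tlv(tbs_wrapper)            # TBSRequest
    pos = 0
    while tbs[pos] in (0xA0, 0xA1):             # skip optional version / requestorName
        _, _, pos = der_tlv(tbs, pos)
    _, request_list, _ = der_tlv(tbs, pos)      # requestList
    _, request, _ = der_tlv(request_list)       # first Request
    _, cert_id, _ = der_tlv(request)            # CertID
    _, alg, pos = der_tlv(cert_id)              # AlgorithmIdentifier { OID, parameters }
    _, oid, _ = der_tlv(alg)
    _, name_hash, pos = der_tlv(cert_id, pos)
    _, key_hash, pos = der_tlv(cert_id, pos)
    _, serial, _ = der_tlv(cert_id, pos)
    dotted = der_oid(oid)
    return {
        "hash_alg": HASH_OIDS.get(dotted, dotted),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),     # compare with the issuer's subjectKeyIdentifier
        "serial": serial.hex(),                # serial of the certificate being checked
    }


if __name__ == "__main__":
    for k, v in parse_ocsp_get(OCSP_URL_FROM_REPORT).items():
        print(f"{k:<17} {v}")
```

The same decoder applies to any OCSP GET seen in a proxy log, which is a cheap way to tell which TLS endpoints a process actually validated even when the TLS traffic itself is opaque.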

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3396 | PDFShaper.exe | 46.21.150.243:80 | www.glorylogic.com | HVC-AS | US | unknown
3396 | PDFShaper.exe | 46.21.150.243:443 | www.glorylogic.com | HVC-AS | US | unknown
3396 | PDFShaper.exe | 23.53.40.35:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
3396 | PDFShaper.exe | 23.192.153.142:80 | x1.c.lencr.org | AKAMAI-AS | GB | unknown
3396 | PDFShaper.exe | 23.53.40.144:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP(s) | Reputation
www.glorylogic.com | 46.21.150.243 | unknown
ctldl.windowsupdate.com | 23.53.40.35, 23.53.40.49 | whitelisted
x1.c.lencr.org | 23.192.153.142 | whitelisted
r3.o.lencr.org | 23.53.40.144, 23.53.40.154 | shared
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
crl.microsoft.com | 23.32.238.107, 23.32.238.112 | whitelisted
www.microsoft.com | 23.218.209.163 | whitelisted

Threats

No threats detected