File name: PDFArchitect9Installer.exe

Full analysis: https://app.any.run/tasks/33ad787e-4a58-4335-ac23-3c8acfb993e1
Verdict: Malicious activity
Analysis date: March 05, 2024, 01:57:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9D93288C7AC3AB7D2E8ED9A67DA078C7
SHA1: 0CF4116195CD9ED6BE0ED496B826E9709D49E007
SHA256: FE7A620F6DFD994EAA3EC5C3A36CA1914BFBDB6BB48EC457B71FDF1BE44911F3
SSDEEP: 98304:MscQs9C4+v19NPXw7umhHRyWEdYr6ChGmiHll1LMQlF2hvIoxeurV+cgYASDNX62:U6G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • PDFArchitect9Installer.exe (PID: 2844)
  • SUSPICIOUS

    • Reads the Internet Settings

      • PDFArchitect9Installer.exe (PID: 2844)
    • Reads security settings of Internet Explorer

      • PDFArchitect9Installer.exe (PID: 2844)
    • Reads settings of System Certificates

      • PDFArchitect9Installer.exe (PID: 2844)
    • Checks Windows Trust Settings

      • PDFArchitect9Installer.exe (PID: 2844)
    • Executable content was dropped or overwritten

      • PDFArchitect9Installer.exe (PID: 2844)
    • Starts itself from another location

      • PDFArchitect9Installer.exe (PID: 2844)
  • INFO

    • Reads the computer name

      • PDFArchitect9Installer.exe (PID: 2844)
      • PDF_Architect_9_Installer.exe (PID: 4044)
    • Checks supported languages

      • PDFArchitect9Installer.exe (PID: 2844)
      • PDF_Architect_9_Installer.exe (PID: 4044)
    • Reads the machine GUID from the registry

      • PDFArchitect9Installer.exe (PID: 2844)
    • Creates files in the program directory

      • PDFArchitect9Installer.exe (PID: 2844)
    • Reads the software policy settings

      • PDFArchitect9Installer.exe (PID: 2844)
    • Checks proxy server information

      • PDFArchitect9Installer.exe (PID: 2844)
    • Creates files or folders in the user directory

      • PDFArchitect9Installer.exe (PID: 2844)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:16 10:48:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.37
CodeSize: 8331264
InitializedDataSize: 4504064
UninitializedDataSize: -
EntryPoint: 0x6c0199
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 9.0.45.3187
ProductVersionNumber: 9.0.45.3187
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: pdfforge GmbH.
FileDescription: PDF Architect 9 Installer
FileVersion: 9.0.45.3187
InternalName: PDF_Architect_9_Installer.exe
LegalCopyright: © pdfforge GmbH. All rights reserved.
OriginalFileName: PDF_Architect_9_Installer.exe
ProductName: PDF Architect 9 Installer
ProductVersion: 9.0.45.3187
No data.
Total processes: 43
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0


Process information

PID | CMD | Path | Indicators | Parent process
2844 | "C:\Users\admin\AppData\Local\Temp\PDFArchitect9Installer.exe" | C:\Users\admin\AppData\Local\Temp\PDFArchitect9Installer.exe | - | explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\pdfarchitect9installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

3864 | "C:\Users\admin\AppData\Local\Temp\PDFArchitect9Installer.exe" | C:\Users\admin\AppData\Local\Temp\PDFArchitect9Installer.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (Images):
c:\users\admin\appdata\local\temp\pdfarchitect9installer.exe
c:\windows\system32\ntdll.dll

4044 | "C:\ProgramData\PDF Architect 9\Installation\PDF_Architect_9_Installer.exe" /RegServer | C:\ProgramData\PDF Architect 9\Installation\PDF_Architect_9_Installer.exe | - | PDFArchitect9Installer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\programdata\pdf architect 9\installation\pdf_architect_9_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
Total events: 8 807
Read events: 8 748
Write events: 50
Delete events: 9

Modification events

PID | Process | Key | Operation | Name | Value
2844 | PDFArchitect9Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | -
2844 | PDFArchitect9Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
2844 | PDFArchitect9Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
2844 | PDFArchitect9Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0
2844 | PDFArchitect9Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | ProxyServer | -
2844 | PDFArchitect9Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | ProxyOverride | -
2844 | PDFArchitect9Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | AutoConfigURL | -
2844 | PDFArchitect9Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | delete value | AutoDetect | -
2844 | PDFArchitect9Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2844 | PDFArchitect9Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
Executable files: 1
Suspicious files: 2
Text files: 1
Unknown types: 3

Dropped files

PID | Process | Filename | Type
2844 | PDFArchitect9Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 | binary
MD5: 8202A1CD02E7D69597995CABBE881A12
SHA256: 58F381C3A0A0ACE6321DA22E40BD44A597BD98B9C9390AB9258426B5CF75A7A5
2844 | PDFArchitect9Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
MD5: A845621FD0ADF4C2A91B0C3086F5F334
SHA256: CCBB5EC8B9844351C360B7213EFA42A962EC4B5674A0FCC35EDDBB5419E37A6E
2844 | PDFArchitect9Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: CA9F234EC9EC7290A26F1C8710763D8B
SHA256: ADCC15CF93B12A3CC1934C8E9BF19384F11A331A5915C80A56275DAAE5BCEE63
2844 | PDFArchitect9Installer.exe | C:\ProgramData\PDF Architect 9\Installation\PDF_Architect_9_Installer.exe | executable
MD5: 9D93288C7AC3AB7D2E8ED9A67DA078C7
SHA256: FE7A620F6DFD994EAA3EC5C3A36CA1914BFBDB6BB48EC457B71FDF1BE44911F3
(Same MD5 and SHA256 as the submitted sample: the installer copies itself to C:\ProgramData and re-launches the copy with /RegServer as PID 4044.)
2844 | PDFArchitect9Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 | binary
MD5: 7BA0963B64C007F5B08FD5E56B693059
SHA256: 53A388F6ADEA0E9625F8C2ED537EB751A7F1CC4E8C250DBE1230595D161F96FE
2844 | PDFArchitect9Installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | der
MD5: DA40C6D56DC1593331F13378801236E4
SHA256: 0DBC18A03E323D9A8EE133E7F7F4E83792F08D1BEE034B60F07C1DAAD06437B9
2844 | PDFArchitect9Installer.exe | C:\ProgramData\PDF Architect 9\Installation\installer-cache | text
MD5: 007E15C91E949AFB944A7B68C25FC728
SHA256: B9EAAC1B9D14184860F055BF6BEA9984951FF8F26B3B7560806A89EB9E0607A0
HTTP(S) requests: 6
TCP/UDP connections: 13
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2844 | PDFArchitect9Installer.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | unknown | binary | 724 b | unknown
2844 | PDFArchitect9Installer.exe | GET | 302 | 172.67.68.166:80 | http://download9.pdfarchitect.org/x86/module/main | unknown | - | - | unknown
2844 | PDFArchitect9Installer.exe | HEAD | 302 | 172.67.68.166:80 | http://download9.pdfarchitect.org/x86/module/main | unknown | - | - | unknown
2844 | PDFArchitect9Installer.exe | GET | 304 | 95.101.75.90:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?61d568f6b6567f60 | unknown | - | - | unknown
2844 | PDFArchitect9Installer.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown
1080 | svchost.exe | GET | 200 | 95.101.75.90:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e90c163b6659448e | unknown | compressed | 67.5 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2844 | PDFArchitect9Installer.exe | 104.26.4.195:443 | wsgeoip.pdfarchitect.org | CLOUDFLARENET | US | unknown
2844 | PDFArchitect9Installer.exe | 95.101.75.90:80 | ctldl.windowsupdate.com | Akamai International B.V. | NL | unknown
2844 | PDFArchitect9Installer.exe | 142.250.185.227:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
2844 | PDFArchitect9Installer.exe | 172.67.68.166:443 | wsgeoip.pdfarchitect.org | CLOUDFLARENET | US | unknown
2844 | PDFArchitect9Installer.exe | 172.67.68.166:80 | wsgeoip.pdfarchitect.org | CLOUDFLARENET | US | unknown
2844 | PDFArchitect9Installer.exe | 216.239.34.21:443 | download.pdfforge.org | GOOGLE | US | whitelisted
2844 | PDFArchitect9Installer.exe | 188.240.13.5:443 | cdn.download.pdfforge.org | DataWeb Global Group B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
wsgeoip.pdfarchitect.org | 104.26.4.195, 172.67.68.166, 104.26.5.195 | unknown
ctldl.windowsupdate.com | 95.101.75.90, 95.101.75.105, 95.101.75.120 | whitelisted
ocsp.pki.goog | 142.250.185.227 | whitelisted
api-updateservice.pdfarchitect.org | 172.67.68.166, 104.26.5.195, 104.26.4.195 | unknown
download9.pdfarchitect.org | 172.67.68.166, 104.26.5.195, 104.26.4.195 | unknown
download.pdfforge.org | 216.239.34.21, 216.239.38.21, 216.239.32.21, 216.239.36.21 | unknown
cdn.download.pdfforge.org | 188.240.13.5, 188.240.13.6 | unknown
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected

Process | Message
PDFArchitect9Installer.exe | unknown property 'isolation' at (app://base/ui/images/welcome-img.svg(66))