Windows Analysis Report
SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe

Overview

General Information

Sample name: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe
Analysis ID: 1544040
MD5: de33be5614d00e60edcc7f0188826233
SHA1: c4d3b63dbae6226ad2c71d22f8afc729c38af2ec
SHA256: fc57a1e56ec50da6e17a351bb29d6598d5f8ddb043e28331e474e0d8efac73a5
Tags: exe
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Initial sample is a PE file and has a suspicious name
Contains functionality to check if a debugger is running (IsDebuggerPresent)
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe ReversingLabs: Detection: 13%
Uses 32bit PE files
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /v1/log?product=imageshow&version=1.2.3.8&timestamp=1730137026&sign=8c9ca8f6cf36d8135001e1e08ebb1e21 HTTP/1.1Content-Type: application/jsonHost: report.pdfxd.comContent-Length: 171Connection: Keep-AliveCache-Control: no-cacheData Raw: 7b 22 61 63 74 69 6f 6e 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 64 65 76 69 63 65 5f 69 64 22 3a 22 39 65 35 35 37 64 63 32 66 38 66 63 37 37 31 36 39 63 32 33 66 66 32 66 33 37 38 32 30 31 63 38 22 2c 22 6f 73 22 3a 22 31 36 33 38 34 32 22 2c 22 70 72 6f 64 75 63 74 22 3a 22 69 6d 61 67 65 73 68 6f 77 22 2c 22 71 64 22 3a 22 48 6f 6d 65 22 2c 22 72 61 6e 64 6f 6d 22 3a 22 37 31 34 31 38 32 38 22 2c 22 73 74 61 74 75 73 22 3a 22 73 74 61 72 74 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 31 2e 32 2e 33 2e 38 22 7d Data Ascii: {"action":"install","device_id":"9e557dc2f8fc77169c23ff2f378201c8","os":"163842","product":"imageshow","qd":"Home","random":"7141828","status":"start","version":"1.2.3.8"}
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: report.pdfxd.com
Source: unknown HTTP traffic detected: POST /v1/log?product=imageshow&version=1.2.3.8&timestamp=1730137026&sign=8c9ca8f6cf36d8135001e1e08ebb1e21 HTTP/1.1Content-Type: application/jsonHost: report.pdfxd.comContent-Length: 171Connection: Keep-AliveCache-Control: no-cacheData Raw: 7b 22 61 63 74 69 6f 6e 22 3a 22 69 6e 73 74 61 6c 6c 22 2c 22 64 65 76 69 63 65 5f 69 64 22 3a 22 39 65 35 35 37 64 63 32 66 38 66 63 37 37 31 36 39 63 32 33 66 66 32 66 33 37 38 32 30 31 63 38 22 2c 22 6f 73 22 3a 22 31 36 33 38 34 32 22 2c 22 70 72 6f 64 75 63 74 22 3a 22 69 6d 61 67 65 73 68 6f 77 22 2c 22 71 64 22 3a 22 48 6f 6d 65 22 2c 22 72 61 6e 64 6f 6d 22 3a 22 37 31 34 31 38 32 38 22 2c 22 73 74 61 74 75 73 22 3a 22 73 74 61 72 74 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 31 2e 32 2e 33 2e 38 22 7d Data Ascii: {"action":"install","device_id":"9e557dc2f8fc77169c23ff2f378201c8","os":"163842","product":"imageshow","qd":"Home","random":"7141828","status":"start","version":"1.2.3.8"}
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe String found in binary or memory: http://api.pdfxd.com/pdf-service/v1/reportSwa94oarrFLiR6DxVTXxgsP5In8oeidPtimestamp%I64dsend_date%s?
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://report.pdfxd.com/v1/log
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003EC5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://report.pdfxd.com/v1/log?product=imageshow
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003EC5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://report.pdfxd.com/v1/log?product=imageshow&version=1.2.3.8&timestamp=1730137026&sign=8c9ca8f6c
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://report.pdfxd.com/v1/logs
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v1/api/auth/code
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v1/api/forgetpwd/step/first?
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v1/api/forgetpwd/step/second?
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe String found in binary or memory: https://apis.pdfxd.com/account/v1/api/forgetpwd/step/submit?
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v1/api/passport/logout
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v1/api/registert
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v1/api/user/bind
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v1/api/user/bind/list
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v1/api/user/info/
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v3/mobile/login
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v3/passport/login/bind%
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/account/v3/passport/loginRPCRT4
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/app/cloud
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/cloud/v1/api/upgradep#
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/customer/cloud/active
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/customer/dump/uploadB
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/customer/support
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/third/anonymous
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/third/phone/sms/codep#
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/third/qq/login/connect5
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/third/wx/qrcode/login#
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.pdfxd.com/third/wx/qrcode/login/noticel
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe String found in binary or memory: https://dev.pdfxd.com/account/v1/api/forgetpwd/step/submit?
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe String found in binary or memory: https://dev.pdfxd.com/third/wx/qrcode/login/noticehttps://dev.pdfxd.com/third/wx/qrcode/loginhttps:/
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passport.pdfxd.com/bind_phone_pic
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passport.pdfxd.com/coupon_pic
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passport.pdfxd.com/login_pic
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passport.pdfxd.com/pay_pic
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003E47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passport.pdfxd.com/pic-interests
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe String found in binary or memory: https://pic.pdfxd.com/protocol.html

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe
PE file contains executable resources (Code or Archives)
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: Resource name: RT_RCDATA type: 7-zip archive data, version 0.4
Uses 32bit PE files
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal52.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe File created: C:\Users\user\AppData\Roaming\XDImageShowData Jump to behavior
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe String found in binary or memory: </InstallEnd>
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static file information: File size 43003376 > 1048576
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x27eea00
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Code function: 0_2_00F520DC push ecx; ret 0_2_00F520EF
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe File opened: PhysicalDrive0 Jump to behavior
Source: SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003EC5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe, 00000000.00000002.3396318509.0000000003EB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Code function: 0_2_00F567F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F567F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Code function: 0_2_00F567F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F567F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Code function: 0_2_00F5192D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F5192D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe Code function: 0_2_00F524C8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00F524C8
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1544040 Sample: SecuriteInfo.com.Riskware.P... Startdate: 28/10/2024 Architecture: WINDOWS Score: 52 9 report.pdfxd.com 2->9 13 Multi AV Scanner detection for submitted file 2->13 15 Initial sample is a PE file and has a suspicious name 2->15 6 SecuriteInfo.com.Riskware.Pdfxd.1445.707.exe 2 27 2->6         started        signatures3 process4 dnsIp5 11 report.pdfxd.com 123.56.218.178, 49706, 80 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 6->11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
123.56.218.178
 report.pdfxd.com China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd false

Contacted Domains

Name IP Active
report.pdfxd.com 123.56.218.178 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://report.pdfxd.com/v1/log?product=imageshow&version=1.2.3.8&timestamp=1730137026&sign=8c9ca8f6cf36d8135001e1e08ebb1e21 false
    		unknown