File name:

PDFTool-v3.2.1233.0_49804298.msi

Full analysis: https://app.any.run/tasks/de660b8a-dc39-4f21-827c-eb7b1acfa733
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: July 29, 2025, 14:45:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
advancedinstaller
adware
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: PDFTool, Author: PDFTool, Keywords: Installer, MSI, Database, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o PDFTool., Create Time/Date: Tue Jun 11 00:43:18 2024, Name of Creating Application: PDFTool, Security: 0, Template: ;1033, Last Saved By: ;1046, Revision Number: {FDB85B32-9B81-43D8-8670-E0B3CC28C504}3.2.1233.0;{FDB85B32-9B81-43D8-8670-E0B3CC28C504}3.2.1233.0;{A0D9FBCF-6C79-4E3B-B7A0-54DCC675BD69}, Number of Pages: 450, Number of Characters: 63
MD5:

615BE873A5FF5041D9D376F1B28B0695

SHA1:

1CB3DFCA3A92AF9E6BEAB6C38EE47DC32203F5C2

SHA256:

0DBC1C15CEFBCD850388CC9A31B690CC1254B9E724F9CD8CD9165E775DF48307

SSDEEP:

98304:N9ISoMSpkCN/2W4x0xaAW9BvOqPgBGs8fck3JrOrSLDunNurEQsIN9j6x4XWPUIJ:DR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1324)
      • powershell.exe (PID: 1864)

    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 2756)

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 3288)

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 4648)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3288)

    • Detects AdvancedInstaller (YARA)

      • msiexec.exe (PID: 5300)
      • msiexec.exe (PID: 3288)

    • The process hide an interactive prompt from the user

      • msiexec.exe (PID: 2756)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 2756)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 2756)

    • The process executes Powershell scripts

      • msiexec.exe (PID: 2756)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3288)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2756)
      • msiexec.exe (PID: 4528)

    • Node.exe was dropped

      • msiexec.exe (PID: 2756)

    • Executes application which crashes

      • PDFTool.exe (PID: 7116)
      • PDFTool.exe (PID: 2428)
      • PDFTool.exe (PID: 2276)

    • Executes script using NodeJS

      • node.exe (PID: 1472)

  • INFO

    • An automatically generated document

      • msiexec.exe (PID: 5300)

    • Reads the computer name

      • msiexec.exe (PID: 4528)
      • msiexec.exe (PID: 3288)
      • msiexec.exe (PID: 2756)
      • PDFTool.exe (PID: 2428)
      • PDFTool.exe (PID: 7116)
      • node.exe (PID: 1472)
      • PDFTool.exe (PID: 2276)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 5300)
      • powershell.exe (PID: 1324)
      • powershell.exe (PID: 1864)

    • Checks supported languages

      • msiexec.exe (PID: 3288)
      • msiexec.exe (PID: 4528)
      • msiexec.exe (PID: 2756)
      • PDFTool.exe (PID: 7116)
      • PDFTool.exe (PID: 2428)
      • node.exe (PID: 1472)
      • PDFTool.exe (PID: 2276)

    • The sample compiled with english language support

      • msiexec.exe (PID: 5300)
      • msiexec.exe (PID: 3288)
      • msiexec.exe (PID: 2756)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 5300)
      • msiexec.exe (PID: 2756)
      • msiexec.exe (PID: 3288)
      • WerFault.exe (PID: 2808)
      • node.exe (PID: 1472)
      • WerFault.exe (PID: 2460)
      • WerFault.exe (PID: 4916)

    • Reads the software policy settings

      • msiexec.exe (PID: 5300)
      • msiexec.exe (PID: 3288)
      • msiexec.exe (PID: 2756)
      • powershell.exe (PID: 1864)
      • WerFault.exe (PID: 2460)
      • WerFault.exe (PID: 2808)
      • slui.exe (PID: 4864)
      • WerFault.exe (PID: 4916)
      • powershell.exe (PID: 1324)

    • Checks proxy server information

      • msiexec.exe (PID: 5300)
      • powershell.exe (PID: 1324)
      • msiexec.exe (PID: 2756)
      • powershell.exe (PID: 1864)
      • WerFault.exe (PID: 2460)
      • WerFault.exe (PID: 4916)
      • slui.exe (PID: 4864)
      • WerFault.exe (PID: 2808)

    • Reads Environment values

      • msiexec.exe (PID: 4528)
      • msiexec.exe (PID: 2756)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5300)
      • msiexec.exe (PID: 3288)
      • msiexec.exe (PID: 2756)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 3288)
      • msiexec.exe (PID: 2756)
      • PDFTool.exe (PID: 2428)
      • PDFTool.exe (PID: 7116)
      • PDFTool.exe (PID: 2276)

    • Manages system restore points

      • SrTasks.exe (PID: 1392)

    • Disables trace logs

      • powershell.exe (PID: 1324)
      • powershell.exe (PID: 1864)

    • Create files in a temporary directory

      • powershell.exe (PID: 1324)
      • msiexec.exe (PID: 2756)
      • powershell.exe (PID: 1864)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1324)
      • powershell.exe (PID: 1864)

    • Launching a file from a Registry key

      • msiexec.exe (PID: 3288)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3288)

    • Process checks computer location settings

      • msiexec.exe (PID: 4528)

    • Manual execution by a user

      • PDFTool.exe (PID: 2428)
      • PDFTool.exe (PID: 2276)
      • cmd.exe (PID: 1288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {031EEC89-8030-412F-8ECA-FA0060F08B61}
Words: 10
Subject: PDFTool
Author: PDFTool
LastModifiedBy: -
Software: PDFTool
Template: ;1033,1046,3082,1055
Comments: PDFTool 3.2.1233.0
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:06:11 00:43:40
ModifyDate: 2024:06:11 00:43:40
LastPrinted: 2024:06:11 00:43:40
Pages: 450
Characters: 63
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
169
Monitored processes
22
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs pdftool.exe werfault.exe slui.exe pdftool.exe werfault.exe cmd.exe no specs conhost.exe no specs node.exe conhost.exe no specs pdftool.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
512\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1288cmd /c "start /min /d "C:\Users\admin\AppData\Local\PDFTool\" node.exe update.js --reboot"C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
1324 -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pss17A8.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msi1795.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scr1796.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scr1797.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
1392C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1412\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenode.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1472"C:\Users\admin\AppData\Local\PDFTool\node.exe" update.js --rebootC:\Users\admin\AppData\Local\PDFTool\node.exe
cmd.exe
User:
admin
Company:
Node.js
Integrity Level:
MEDIUM
Description:
Node.js: Server-side JavaScript
Exit code:
0
Version:
12.15.0
Modules
Images
c:\users\admin\appdata\local\pdftool\node.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
1864 -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\PDFTool\pss3C4D.ps1" -propFile "C:\Users\admin\AppData\Local\PDFTool\msi3C4A.txt" -scriptFile "C:\Users\admin\AppData\Local\PDFTool\scr3C4B.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\PDFTool\scr3C4C.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
2276"C:\Users\admin\AppData\Local\PDFTool\PDFTool.exe" C:\Users\admin\AppData\Local\PDFTool\PDFTool.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WebView2App
Exit code:
3762504530
Version:
3.2.1233.0
Modules
Images
c:\users\admin\appdata\local\pdftool\pdftool.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
2428"C:\Users\admin\AppData\Local\PDFTool\PDFTool.exe" C:\Users\admin\AppData\Local\PDFTool\PDFTool.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WebView2App
Exit code:
3762504530
Version:
3.2.1233.0
Modules
Images
c:\users\admin\appdata\local\pdftool\pdftool.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2460C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2428 -s 1760C:\Windows\SysWOW64\WerFault.exe
PDFTool.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
39 996
Read events
39 671
Write events
303
Delete events
22

Modification events

(PID) Process:(3288) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000399330769700DC01D80C0000F4180000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3288) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000399330769700DC01D80C0000F4180000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3288) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000385254769700DC01D80C0000F4180000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3288) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(3288) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000B82297769700DC01D80C0000B4040000E8030000010000000000000000000000F0FFF6FA53767846B4C109B0F7D6527300000000000000000000000000000000
(PID) Process:(4648) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4800000000000000DE94AC769700DC012812000048190000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4648) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Leave)
Value:
480000000000000084F6AE769700DC0128120000F41A0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3288) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000A8ED51769700DC01D80C0000F4180000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3288) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000385254769700DC01D80C0000F4180000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3288) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000191959769700DC01D80C0000F4180000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
30
Suspicious files
37
Text files
25
Unknown types
17

Dropped files

PID
Process
Filename
Type
3288msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3288msiexec.exeC:\Windows\Installer\191563.msi
MD5:
SHA256:
2756msiexec.exeC:\Users\admin\AppData\Local\Temp\msi1795.txt
MD5:
SHA256:
2756msiexec.exeC:\Users\admin\AppData\Local\Temp\scr1796.ps1
MD5:
SHA256:
2756msiexec.exeC:\Users\admin\AppData\Local\Temp\scr1797.txt
MD5:
SHA256:
2756msiexec.exeC:\Users\admin\AppData\Local\Temp\pss17A8.ps1
MD5:
SHA256:
5300msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554Eder
MD5:7E47E0AA3A0B47AC76BB2AEB3AF5D07A
SHA256:0701A3FBD378014F6A70F99716AADD1F6D4DC5978CCE413D6CFB2839C4343C3B
5300msiexec.exeC:\Users\admin\AppData\Local\Temp\MSICDBC.tmpexecutable
MD5:D0C9613582605F3793FDAD7279DE428B
SHA256:8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
5300msiexec.exeC:\Users\admin\AppData\Local\Temp\MSICEAA.tmpexecutable
MD5:D0C9613582605F3793FDAD7279DE428B
SHA256:8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
5300msiexec.exeC:\Users\admin\AppData\Local\Temp\MSICD4D.tmpexecutable
MD5:D0C9613582605F3793FDAD7279DE428B
SHA256:8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
53
DNS requests
31
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5300
msiexec.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted
5644
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.41:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1324
powershell.exe
POST
200
54.239.192.79:80
http://d25xn4y1w1xf3s.cloudfront.net/
unknown
whitelisted
1268
svchost.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2756
msiexec.exe
GET
200
18.173.189.168:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
whitelisted
1688
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2808
WerFault.exe
GET
200
23.216.77.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2940
svchost.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5824
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5300
msiexec.exe
104.18.21.226:80
ocsp.globalsign.com
CLOUDFLARENET
whitelisted
4
System
192.168.100.255:138
whitelisted
5644
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5644
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
23.216.77.41:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.0
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.64
  • 40.126.31.131
  • 20.190.159.4
  • 40.126.31.129
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 23.216.77.41
  • 23.216.77.18
  • 23.216.77.20
  • 23.216.77.42
  • 23.216.77.15
  • 23.216.77.6
  • 23.216.77.36
  • 23.216.77.30
  • 23.216.77.28
  • 23.216.77.35
whitelisted
www.microsoft.com
  • 69.192.161.161
  • 23.35.229.160
whitelisted
www.bing.com
  • 92.123.104.47
  • 92.123.104.58
  • 92.123.104.49
  • 92.123.104.50
  • 92.123.104.62
  • 92.123.104.41
  • 92.123.104.52
  • 92.123.104.59
  • 92.123.104.34
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
d25xn4y1w1xf3s.cloudfront.net
  • 54.239.192.79
  • 54.239.192.5
  • 54.239.192.44
  • 54.239.192.174
whitelisted

Threats

PID
Process
Class
Message
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] AdvancedInstaller User-Agent
Potentially Bad Traffic
ET INFO Executable served from Amazon S3
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Process
Message
PDFTool.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
PDFTool.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
PDFTool.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
PDFTool.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
PDFTool.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
PDFTool.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PDFTool-v3.2.1233.0_49804298.msi