File name:

PDFFlex-v4.102.1215.0.msi

Full analysis: https://app.any.run/tasks/39641234-11d4-44c4-8cfd-8ff694dbd27f
Verdict: Malicious activity
Analysis date: June 18, 2024, 21:04:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: PDFFlex, Author: PDFFlex.io, Keywords: Installer, MSI, Database, Comments: A base dados do instalador contém a lógica e os dados necessários para instalar o PDFFlex., Create Time/Date: Mon May 27 08:55:12 2024, Name of Creating Application: PDFFlex, Security: 0, Template: ;1033, Last Saved By: ;1046, Revision Number: {A101E974-EF6E-40A4-8532-07B644806946}4.102.1215.0;{A101E974-EF6E-40A4-8532-07B644806946}4.102.1215.0;{50C54027-847F-4B86-849A-9C02C888EE0B}, Number of Pages: 450, Number of Characters: 63
MD5:

F1C8A85FCE3AEC53C4B2BB45452D453A

SHA1:

9476A698165F4C3E89D370BD3135108D8D3DD476

SHA256:

2F9F2BB7999A0FA67A92203A5AE4E7DF47818835845BC170C50063CE333FE92B

SSDEEP:

98304:r9ISotSpkqN/2Wgx0xaAW9o+9DE+mzSE5lIP4GASazPtiG6CPUF0csMof+iZZjDJ:iNGPJx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2940)
      • powershell.exe (PID: 1420)
      • powershell.exe (PID: 3524)
    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 2328)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3708)
      • msiexec.exe (PID: 2328)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 3708)
  • SUSPICIOUS

    • Reads the Internet Settings

      • msiexec.exe (PID: 3700)
      • powershell.exe (PID: 1420)
      • msiexec.exe (PID: 2108)
      • powershell.exe (PID: 3524)
      • msiexec.exe (PID: 2328)
    • The process executes Powershell scripts

      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 2328)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 2328)
    • Starts POWERSHELL.EXE for command execution

      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 2328)
    • The process hides an interactive prompt from the user

      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 2328)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2864)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 3708)
      • msiexec.exe (PID: 2328)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3708)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3708)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2328)
      • msiexec.exe (PID: 2108)
    • Node.exe was dropped

      • msiexec.exe (PID: 2328)
  • INFO

    • An automatically generated document

      • msiexec.exe (PID: 3700)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3700)
      • powershell.exe (PID: 2940)
      • powershell.exe (PID: 1420)
      • powershell.exe (PID: 3524)
    • Checks supported languages

      • msiexec.exe (PID: 3708)
      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 2328)
      • PDFFlex.exe (PID: 3300)
      • PDFFlex.exe (PID: 3748)
      • node.exe (PID: 2776)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3700)
      • msiexec.exe (PID: 3708)
      • msiexec.exe (PID: 2328)
      • PDFFlex.exe (PID: 3300)
    • Application launched itself

      • msiexec.exe (PID: 3708)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 3708)
      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 2328)
    • Reads the software policy settings

      • msiexec.exe (PID: 3700)
      • msiexec.exe (PID: 3708)
      • msiexec.exe (PID: 2328)
    • Creates files in a temporary directory

      • msiexec.exe (PID: 3700)
      • msiexec.exe (PID: 2108)
      • powershell.exe (PID: 2940)
      • powershell.exe (PID: 1420)
      • msiexec.exe (PID: 2328)
      • msiexec.exe (PID: 3708)
      • powershell.exe (PID: 3524)
    • Reads the computer name

      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 3708)
      • msiexec.exe (PID: 2328)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3700)
      • msiexec.exe (PID: 3708)
      • msiexec.exe (PID: 2328)
    • Reads Environment values

      • msiexec.exe (PID: 2108)
      • msiexec.exe (PID: 2328)
      • node.exe (PID: 2776)
    • Manual execution by a user

      • explorer.exe (PID: 3856)
      • notepad++.exe (PID: 3644)
      • PDFFlex.exe (PID: 3748)
      • notepad++.exe (PID: 184)
      • wscript.exe (PID: 1788)
      • node.exe (PID: 2776)
      • notepad++.exe (PID: 2332)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3700)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 2940)
      • powershell.exe (PID: 1420)
      • powershell.exe (PID: 3524)
    • Disables trace logs

      • powershell.exe (PID: 1420)
      • powershell.exe (PID: 3524)
    • Checks proxy server information

      • msiexec.exe (PID: 2328)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3708)
    • Reads product name

      • node.exe (PID: 2776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {7832C14D-212E-47F1-A394-F04540F58CE1}
Words: 10
Subject: PDFFlex
Author: PDFFlex.io
LastModifiedBy: -
Software: PDFFlex
Template: ;1033,1046,3082,1055
Comments: PDFFlex 4.102.1215.0
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:05:27 08:55:29
ModifyDate: 2024:05:27 08:55:29
LastPrinted: 2024:05:27 08:55:29
Pages: 450
Characters: 63
No data.
All screenshots are available in the full report
Total processes
67
Monitored processes
16
Malicious processes
2
Suspicious processes
1

Behavior graph

Processes shown in the graph (in order): start, msiexec.exe, msiexec.exe, msiexec.exe (no specs), powershell.exe (no specs), vssvc.exe (no specs), explorer.exe (no specs), msiexec.exe, powershell.exe, notepad++.exe, powershell.exe, pdfflex.exe, wscript.exe (no specs), notepad++.exe, pdfflex.exe, notepad++.exe, node.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
184
CMD:
"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\PDFFlex\PDFFlex.ini"
Path:
C:\Program Files\Notepad++\notepad++.exe
Parent process:
explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1420
CMD:
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pss1855.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msi1823.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scr1824.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scr1825.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
1788
CMD:
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\PDFFlex\node_modules\node-fetch\browser.js"
Path:
C:\Windows\System32\wscript.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2108
CMD:
C:\Windows\system32\MsiExec.exe -Embedding 00967D43813C38D01BA0D057205F2EC0 C
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2328
CMD:
C:\Windows\system32\MsiExec.exe -Embedding 5EA15EF48C294EFCDCC989B1DCF84249
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2332
CMD:
"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\PDFFlex\node_modules\node-fetch\browser.js"
Path:
C:\Program Files\Notepad++\notepad++.exe
Parent process:
explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
2776
CMD:
"C:\Users\admin\AppData\Local\PDFFlex\node.exe"
Path:
C:\Users\admin\AppData\Local\PDFFlex\node.exe
Parent process:
explorer.exe
User:
admin
Company:
Node.js
Integrity Level:
MEDIUM
Description:
Node.js: Server-side JavaScript
Exit code:
3221225786
Version:
12.15.0
Modules
Images
c:\users\admin\appdata\local\pdfflex\node.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
PID:
2864
CMD:
C:\Windows\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2940
CMD:
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pssE89A.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msiE887.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scrE888.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scrE889.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
3300
CMD:
"C:\Users\admin\AppData\Local\PDFFlex\PDFFlex.exe" /register
Path:
C:\Users\admin\AppData\Local\PDFFlex\PDFFlex.exe
Parent process:
msiexec.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
4.102.1215.0
Modules
Images
c:\users\admin\appdata\local\pdfflex\pdfflex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\pdfflex\webview2loader.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
33 208
Read events
32 820
Write events
370
Delete events
18

Modification events

(PID) Process: (3700) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (3708) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
40000000000000000AEE1833C3C1DA017C0E000074090000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3708) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
400000000000000064501B33C3C1DA017C0E000074090000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3708) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
75
(PID) Process: (3708) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4000000000000000B4F9C633C3C1DA017C0E000074090000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3708) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000000E5CC933C3C1DA017C0E0000C4030000E8030000010000000000000000000000B6701BBF18A5514799F8FD81576A81C10000000000000000
(PID) Process: (2864) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
400000000000000076E5D233C3C1DA01300B0000A40B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2864) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
400000000000000076E5D233C3C1DA01300B00000C0C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2864) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
400000000000000076E5D233C3C1DA01300B0000080C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2864) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
400000000000000076E5D233C3C1DA01300B0000B4050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
Executable files
21
Suspicious files
36
Text files
32
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2108
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\msiE887.txt
MD5:
SHA256:
PID: 2108
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\scrE888.ps1
MD5:
SHA256:
PID: 2108
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\scrE889.txt
MD5:
SHA256:
PID: 2108
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\pssE89A.ps1
MD5:
SHA256:
PID: 3708
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
PID: 3708
Process: msiexec.exe
Filename: C:\Windows\Installer\514d7.msi
MD5:
SHA256:
PID: 2328
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\msi1823.txt
MD5:
SHA256:
PID: 2328
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\scr1824.ps1
MD5:
SHA256:
PID: 2328
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\scr1825.txt
MD5:
SHA256:
PID: 2328
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\pss1855.ps1
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
19
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2328
msiexec.exe
GET
200
52.84.193.90:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
unknown
3700
msiexec.exe
GET
200
2.19.126.137:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1eaa58c43db535d5
unknown
unknown
3700
msiexec.exe
GET
200
104.18.21.226:80
http://secure.globalsign.com/cacert/codesigningrootr45.crt
unknown
unknown
1372
svchost.exe
GET
304
173.222.108.226:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1420
powershell.exe
POST
200
18.66.107.68:80
http://d1jorhhovk7rc8.cloudfront.net/
unknown
unknown
1372
svchost.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1060
svchost.exe
GET
304
173.222.108.243:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5e5d86b7c9b09139
unknown
unknown
2328
msiexec.exe
GET
200
18.67.244.224:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
unknown
unknown
2328
msiexec.exe
GET
304
173.222.108.226:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?17bbfcc83bf105d4
unknown
unknown
2328
msiexec.exe
GET
200
108.138.2.173:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
3700
msiexec.exe
104.18.21.226:80
secure.globalsign.com
CLOUDFLARENET
shared
3700
msiexec.exe
2.19.126.137:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1420
powershell.exe
18.66.107.68:80
d1jorhhovk7rc8.cloudfront.net
AMAZON-02
US
unknown
2328
msiexec.exe
18.244.38.12:443
dn0diw4x4ljz4.cloudfront.net
US
unknown
1372
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2328
msiexec.exe
173.222.108.226:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown

DNS requests

Domain
IP
Reputation
secure.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
ctldl.windowsupdate.com
  • 2.19.126.137
  • 2.19.126.163
  • 173.222.108.226
  • 173.222.108.147
  • 173.222.108.243
whitelisted
d1jorhhovk7rc8.cloudfront.net
  • 18.66.107.68
  • 18.66.107.187
  • 18.66.107.107
  • 18.66.107.193
unknown
dn0diw4x4ljz4.cloudfront.net
  • 18.244.38.12
  • 18.244.38.201
  • 18.244.38.95
  • 18.244.38.81
unknown
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
o.ss2.us
  • 108.138.2.173
  • 108.138.2.195
  • 108.138.2.10
  • 108.138.2.107
whitelisted
ocsp.rootg2.amazontrust.com
  • 18.67.244.224
whitelisted
ocsp.rootca1.amazontrust.com
  • 52.84.193.90
shared

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled