download:

/download/PDFPdq.exe

Full analysis: https://app.any.run/tasks/45707303-ebf6-462a-9bd9-48a5d7152e41
Verdict: Malicious activity
Analysis date: February 27, 2026, 18:53:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

761FC3F5F44FE8E76749EB5A077D0C51

SHA1:

A8F75C022CCFDC5EF0B826F260005993F63A4649

SHA256:

349B076871225038696D6DDAA30E7F672BE1A92B03256487F1C4CBBAF04131B3

SSDEEP:

98304:HLycx2D4P+dOTfw9XxdyvU5tqdFMNxU4HcczIYAD0bQ3uvnrs5Nh+9avuPlKCzr3:M22vyLtVKBCz6HTHOSYyKki8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • PDFPdq.exe (PID: 8744)
    • Changes the autorun value in the registry

      • PDFPdq.exe (PID: 8744)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PDFPdq.exe (PID: 8744)
      • PDFPdq.exe (PID: 8820)
      • rundll32.exe (PID: 6596)
      • rundll32.exe (PID: 8892)
      • rundll32.exe (PID: 7664)
      • rundll32.exe (PID: 476)
    • The process creates files with name similar to system file names

      • PDFPdq.exe (PID: 8744)
    • Searches for installed software

      • PDFPdq.exe (PID: 8744)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 8196)
    • Uses RUNDLL32.EXE to run a file without a DLL extension

      • rundll32.exe (PID: 6596)
      • rundll32.exe (PID: 8892)
      • rundll32.exe (PID: 7664)
      • rundll32.exe (PID: 476)
  • INFO

    • Checks supported languages

      • PDFPdq.exe (PID: 8820)
      • PDFPdq.exe (PID: 8744)
      • msiexec.exe (PID: 8196)
      • msiexec.exe (PID: 5304)
    • The sample compiled with english language support

      • PDFPdq.exe (PID: 8820)
      • PDFPdq.exe (PID: 8744)
    • Create files in a temporary directory

      • PDFPdq.exe (PID: 8820)
      • PDFPdq.exe (PID: 8744)
      • rundll32.exe (PID: 6596)
      • rundll32.exe (PID: 8892)
      • rundll32.exe (PID: 7664)
      • rundll32.exe (PID: 476)
    • Reads the machine GUID from the registry

      • PDFPdq.exe (PID: 8744)
    • Reads the computer name

      • PDFPdq.exe (PID: 8744)
      • msiexec.exe (PID: 8196)
      • msiexec.exe (PID: 5304)
    • Reads security settings of Internet Explorer

      • PDFPdq.exe (PID: 8744)
    • Creates files or folders in the user directory

      • PDFPdq.exe (PID: 8744)
      • msiexec.exe (PID: 8196)
    • Creates a software uninstall entry

      • PDFPdq.exe (PID: 8744)
      • msiexec.exe (PID: 8196)
    • Launching a file from a Registry key

      • PDFPdq.exe (PID: 8744)
    • Checks proxy server information

      • rundll32.exe (PID: 6596)
      • rundll32.exe (PID: 7664)
    • Disables trace logs

      • rundll32.exe (PID: 6596)
      • rundll32.exe (PID: 7664)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 8196)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:22 22:06:13+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.38
CodeSize: 443392
InitializedDataSize: 252928
UninitializedDataSize: -
EntryPoint: 0x48650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: PDFPdq
FileDescription: PDFPdq
FileVersion: 2.0.0
InternalName: burn
OriginalFileName: PDFPdq.exe
ProductName: PDFPdq
ProductVersion: 2.0.0
LegalCopyright: Copyright (c) PDFPdq. All rights reserved.
No data.
All screenshots are available in the full report
Total processes: 157
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 5

Behavior graph

start pdfpdq.exe pdfpdq.exe msiexec.exe msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe rundll32.exe slui.exe no specs

Process information

PID: 476
CMD: rundll32.exe "C:\WINDOWS\Installer\MSI6582.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1992093 14 RequestSender!RequestSender.CustomActions.OpenUrl
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 5304
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding D46E3DDE81A5A055EF81B44A191AC44D
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6596
CMD: rundll32.exe "C:\WINDOWS\Installer\MSI5A05.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1989203 2 RequestSender!RequestSender.CustomActions.Start
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7664
CMD: rundll32.exe "C:\WINDOWS\Installer\MSI6032.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1990734 10 RequestSender!RequestSender.CustomActions.Finish
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 8196
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 8548
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 8744
CMD: "C:\Users\admin\AppData\Local\Temp\{68803ADF-C8C5-41A4-94A3-33A3D19965D4}\.cr\PDFPdq.exe" -burn.clean.room="C:\Users\admin\Downloads\PDFPdq.exe" -burn.filehandle.attached=700 -burn.filehandle.self=696
Path: C:\Users\admin\AppData\Local\Temp\{68803ADF-C8C5-41A4-94A3-33A3D19965D4}\.cr\PDFPdq.exe
Parent process: PDFPdq.exe
User: admin
Company: PDFPdq
Integrity Level: MEDIUM
Description: PDFPdq
Exit code: 0
Version: 2.0.0
Modules (images):
c:\users\admin\appdata\local\temp\{68803adf-c8c5-41a4-94a3-33a3d19965d4}\.cr\pdfpdq.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 8820
CMD: "C:\Users\admin\Downloads\PDFPdq.exe"
Path: C:\Users\admin\Downloads\PDFPdq.exe
Parent process: explorer.exe
User: admin
Company: PDFPdq
Integrity Level: MEDIUM
Description: PDFPdq
Exit code: 0
Version: 2.0.0
Modules (images):
c:\users\admin\downloads\pdfpdq.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 8892
CMD: rundll32.exe "C:\WINDOWS\Installer\MSI5E8A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1990312 6 RequestSender!RequestSender.CustomActions.CreateScheduledTask
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 10 119
Read events: 9 935
Write events: 168
Delete events: 16

Modification events

All entries below: (PID) Process: (8744) PDFPdq.exe; Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{671EE361-7BD3-4D03-9ADC-F5B08C67E7EC}; Operation: write

Name | Value
BundleCachePath | C:\Users\admin\AppData\Local\Package Cache\{671EE361-7BD3-4D03-9ADC-F5B08C67E7EC}\PDFPdq.exe
BundleUpgradeCode | {3E193566-79CA-40D6-B31D-A1DF54C146B6}
BundleAddonCode | (empty)
BundleDetectCode | (empty)
BundlePatchCode | (empty)
BundleVersion | 2.0.0
VersionMajor | 2
VersionMinor | 0
BundleProviderKey | {671EE361-7BD3-4D03-9ADC-F5B08C67E7EC}
BundleTag | (empty)

Executable files: 51
Suspicious files: 20
Text files: 38
Unknown types: 0

Dropped files

PID | Process | Filename | Type
8744 | PDFPdq.exe | C:\Users\admin\AppData\Local\Temp\{9D006A5E-1AFC-4E1A-A128-50C5AFB0E60C}\.ba\mbapreq.png | image
MD5:A356956FD269567B8F4612A33802637B
SHA256:A401A225ADDAF89110B4B0F6E8CF94779E7C0640BCDD2D670FFCF05AAB0DAD03
8744 | PDFPdq.exe | C:\Users\admin\AppData\Local\Temp\{9D006A5E-1AFC-4E1A-A128-50C5AFB0E60C}\.ba\WixToolset.Mba.Host.config | xml
MD5:A6968E2E812933FF17FF3F4B31805572
SHA256:CE8B05A2019456B18778C8FFE2D3E2650971862891B4AD45401AEF63FB8E2DE7
8744 | PDFPdq.exe | C:\Users\admin\AppData\Local\Temp\{9D006A5E-1AFC-4E1A-A128-50C5AFB0E60C}\.ba\mbanative.dll | executable
MD5:5441EC98C2136783BB902259B6CDD647
SHA256:659FF12D11D77A18962D25292FED64CDC94A1BD99470F7E17111CE57EFCCA83E
8744 | PDFPdq.exe | C:\Users\admin\AppData\Local\Temp\{9D006A5E-1AFC-4E1A-A128-50C5AFB0E60C}\.ba\Bootstrapper.dll | executable
MD5:7ED402760E9BCCA43A7C00D217824B9E
SHA256:9D19E14E83FAC5D65061E37D4F08A10567C3CE7FD067F065362DC214BD455CBE
8744 | PDFPdq.exe | C:\Users\admin\AppData\Local\Temp\{9D006A5E-1AFC-4E1A-A128-50C5AFB0E60C}\.ba\mbahost.dll | executable
MD5:013033CFFC1F318DF1D5048BA40A31DF
SHA256:B43F1B674894E2997AAE9DB0C5B5C95D2A14010E9AB95F63E2908E381768A148
8820 | PDFPdq.exe | C:\Users\admin\AppData\Local\Temp\{68803ADF-C8C5-41A4-94A3-33A3D19965D4}\.cr\PDFPdq.exe | executable
MD5:B45961E54553910AB1102E78153F33D6
SHA256:9B8CD8E321470C92C71AC98FD6280D9253A2829E7BD9903608E23A0C37A503E4
8744 | PDFPdq.exe | C:\Users\admin\AppData\Local\Temp\{9D006A5E-1AFC-4E1A-A128-50C5AFB0E60C}\.ba\1038\mbapreq.wxl | text
MD5:D89ED930DEE15FA52CBE158ACFAC1000
SHA256:D903E6EC1B56F57486DFF6C557769288966BB1E22203761F2E5D612EB3216FC5
8744 | PDFPdq.exe | C:\Users\admin\AppData\Local\Temp\{9D006A5E-1AFC-4E1A-A128-50C5AFB0E60C}\.ba\1036\mbapreq.wxl | text
MD5:A01304EE732A6984192D0708DFB51DA1
SHA256:8AD366E974A3F144C8FA25FFC3B8442137AA9EA9C86DAAC8B975B05EB96F4767
8744 | PDFPdq.exe | C:\Users\admin\AppData\Local\Temp\{9D006A5E-1AFC-4E1A-A128-50C5AFB0E60C}\.ba\1041\mbapreq.wxl | text
MD5:0CC03EC40E3384FE6FBE1834A5753205
SHA256:7A01A46EB7EB57C53490C248E2689560D4CEE4752D167D21DBF22FACF57FA169
8744 | PDFPdq.exe | C:\Users\admin\AppData\Local\Temp\{9D006A5E-1AFC-4E1A-A128-50C5AFB0E60C}\.ba\1040\mbapreq.wxl | text
MD5:D7B2C65CDE5162303B615134281C9655
SHA256:7AB561AA2C07CD2BDA60DAB419846CCBB656E8B46573F83FF0BBB987D63863FC
HTTP(S) requests: 23
TCP/UDP connections: 26
DNS requests: 18
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6596 | rundll32.exe | GET | 200 | 185.111.111.155:443 | https://c.pdf-pdq.com/start | GB | - | - | unknown
7664 | rundll32.exe | GET | 200 | 185.111.111.155:443 | https://c.pdf-pdq.com/finish | GB | - | - | unknown
6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | - | - | whitelisted
7208 | svchost.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | - | - | whitelisted
3168 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
3168 | SIHClient.exe | GET | 200 | 74.179.77.164:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
3168 | SIHClient.exe | GET | 200 | 135.232.92.137:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
3168 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
356 | svchost.exe | POST | 200 | 20.190.160.17:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted
356 | svchost.exe | POST | 200 | 20.190.160.17:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
7208 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
2684 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
3412 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6596 | rundll32.exe | 185.111.111.155:443 | c.pdf-pdq.com | CDNEXT | GB | whitelisted
7664 | rundll32.exe | 185.111.111.155:443 | c.pdf-pdq.com | CDNEXT | GB | whitelisted
356 | svchost.exe | 20.190.160.17:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
356 | svchost.exe | 162.159.142.9:80 | ocsp.digicert.com | CLOUDFLARENET | US | whitelisted

DNS requests

Domain | IP | Reputation
self.events.data.microsoft.com | 104.208.16.91 | whitelisted
google.com | 142.251.208.174 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
c.pdf-pdq.com | 185.111.111.155 | whitelisted
login.live.com | 20.190.160.17, 40.126.32.134, 20.190.160.64, 20.190.160.67, 20.190.160.14, 40.126.32.136, 40.126.32.68, 40.126.32.138 | whitelisted
ocsp.digicert.com | 162.159.142.9, 172.66.2.5 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
www.bing.com | 2.16.241.205, 2.16.241.207, 2.16.241.222 | whitelisted
crl.microsoft.com | 23.55.110.193, 23.55.110.211 | whitelisted
www.microsoft.com | 2.23.246.101, 23.59.18.102 | whitelisted

Threats

PID | Process | Class | Message
7208 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Debug info: No debug info