URL: https://az32125.vo.msecnd.net/download/Download$/power-pdf/5.0/ppdf_ia_Std_24208_0100.exe

Full analysis: https://app.any.run/tasks/cdca1e16-a071-4cdb-8db2-fe8e9cb171ad
Verdict: Malicious activity
Analysis date: June 12, 2024, 09:19:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 8F484FEE1D758BB75D2A11D130415C2F
SHA1: 1A5965BE3DD6EF4FB3B38F1C6F9F400732691C81
SHA256: 4018700990445D0B710850B3076C4F3CBEDD9B77A858B7CF0482064CB9201304
SSDEEP: 3:N8ffQIWAcBIsBKLcSLJf3lMvVOr7EdRMXT5/J:2QrF8bt36VqeRMNh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ppdf_ia_Std_24208_0100.exe (PID: 1368)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ppdf_ia_Std_24208_0100.exe (PID: 1368)
    • Reads Internet Explorer settings

      • Installation Assistant.exe (PID: 616)
    • Reads the Internet Settings

      • Installation Assistant.exe (PID: 616)
    • Reads settings of System Certificates

      • Installation Assistant.exe (PID: 616)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3972)
    • Checks supported languages

      • ppdf_ia_Std_24208_0100.exe (PID: 1368)
      • wmpnscfg.exe (PID: 1840)
      • Installation Assistant.exe (PID: 616)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1840)
    • Reads the computer name

      • Installation Assistant.exe (PID: 616)
      • wmpnscfg.exe (PID: 1840)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 4036)
      • iexplore.exe (PID: 3972)
    • Reads the machine GUID from the registry

      • Installation Assistant.exe (PID: 616)
    • Reads Environment values

      • Installation Assistant.exe (PID: 616)
    • Reads the software policy settings

      • Installation Assistant.exe (PID: 616)
    • Disables trace logs

      • Installation Assistant.exe (PID: 616)
    • Create files in a temporary directory

      • Installation Assistant.exe (PID: 616)
      • ppdf_ia_Std_24208_0100.exe (PID: 1368)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 4036)
      • iexplore.exe (PID: 3972)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3972)
    • The process uses the downloaded file

      • iexplore.exe (PID: 3972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown: start, iexplore.exe, iexplore.exe, ppdf_ia_std_24208_0100.exe (no specs), ppdf_ia_std_24208_0100.exe, wmpnscfg.exe (no specs), installation assistant.exe

Process information

PID: 616
CMD: "C:\Users\admin\AppData\Local\Temp\NuD35GopW0\Installation Assistant.exe"
Path: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\Installation Assistant.exe
Parent process: ppdf_ia_Std_24208_0100.exe
User: admin
Company: Kofax
Integrity Level: HIGH
Description: Kofax Installation Assistant Core
Version: 51.00.24208.0100
Modules
Images
c:\users\admin\appdata\local\temp\nud35gopw0\installation assistant.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1184
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ppdf_ia_Std_24208_0100.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ppdf_ia_Std_24208_0100.exe
Parent process: iexplore.exe
User: admin
Company: Kofax
Integrity Level: MEDIUM
Description: Kofax Power PDF Assistant
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 51.00.24208.0100
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\ppdf_ia_std_24208_0100.exe
c:\windows\system32\ntdll.dll
PID: 1368
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ppdf_ia_Std_24208_0100.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ppdf_ia_Std_24208_0100.exe
Parent process: iexplore.exe
User: admin
Company: Kofax
Integrity Level: HIGH
Description: Kofax Power PDF Assistant
Exit code: 0
Version: 51.00.24208.0100
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\ppdf_ia_std_24208_0100.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 1840
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3972
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://az32125.vo.msecnd.net/download/Download$/power-pdf/5.0/ppdf_ia_Std_24208_0100.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 4036
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3972 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events: 19 796
Read events: 19 655
Write events: 103
Delete events: 38

Modification events

Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31112361

Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31112361

Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (3972) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 24
Suspicious files: 5
Text files: 9
Unknown types: 2

Dropped files

PID: 4036
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\ppdf_ia_Std_24208_0100[1].exe
Type: executable
MD5: 14F1C00BB7F1B89FA28A557092A7E813
SHA256: D8D39B63599CA293AA22D5D2EA8709F49E18E9A9CDF5B6AA148C8EBAE06605E4

PID: 4036
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ppdf_ia_Std_24208_0100.exe.pnqqeg9.partial
Type: executable
MD5: C7F63C28333D8F5AF8274F67A61E79F1
SHA256: A191066EBC62196B415FA3CEF84830E687AB8813A18428A72DD62923A8EB9473

PID: 3972
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{DF433991-289C-11EF-9E36-12A9866C77DE}.dat
Type: binary
MD5: C3D56E5F902EB3F6E97E3DCBFC1FDB1C
SHA256: 1C000EB6DD617926983E7B4D19EC055469ADA7011555C026D6E0D47E0CA8C814

PID: 3972
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFD34D86AEF0BDAF54.TMP
Type: binary
MD5: FF03B48921F906FAAD2C37595A2ED108
SHA256: 466F204E406AE562B28B921DF26E76DB0AFD2E3D2ECAA92A6982209DE51D1E71

PID: 4036
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Type: binary
MD5: 92B977B33E55BDB2F1D81BE478FBF998
SHA256: F8FFCED650E41671079F201C37C790DC50F946A6A1A3F5873F7D063D333ABB72

PID: 4036
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 005C48A85F674B2F8EC6A1ABD09A6CE3
SHA256: AEEC22152B00C3DA8774B9CED6C8AD864F8E5208EAD3C69BBA90240E059F37F1

PID: 3972
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ppdf_ia_Std_24208_0100.exe.pnqqeg9.partial:Zone.Identifier
Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

PID: 1368
Process: ppdf_ia_Std_24208_0100.exe
Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\cs\Installation Assistant.resources.dll
Type: executable
MD5: 9A49D39C3D87BFFCBF11A9D5B1294125
SHA256: F4CE9E07643B323110D69C505B332610B387A4703E324DE90CEB855EE4D9CB7B

PID: 1368
Process: ppdf_ia_Std_24208_0100.exe
Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\Installation Assistant.exe.config
Type: xml
MD5: BAAF1E48DD23BBFF07CC816979E0665A
SHA256: F5627A3500E016A82D28A917A75DCBCB7EC148052070FB55C3A04148F939B426

PID: 3972
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ppdf_ia_Std_24208_0100.exe
Type: executable
MD5: C7F63C28333D8F5AF8274F67A61E79F1
SHA256: A191066EBC62196B415FA3CEF84830E687AB8813A18428A72DD62923A8EB9473
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 12
DNS requests: 6
Threats: 0

HTTP requests

PID: 4036
Process: iexplore.exe
Method: GET
HTTP Code: 304
IP: 199.232.210.172:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e89a37fe52d1f203
CN: unknown
Reputation: unknown

PID: 4036
Process: iexplore.exe
Method: GET
HTTP Code: 304
IP: 199.232.214.172:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?098b2ca3f74ef2d4
CN: unknown
Reputation: unknown

PID: 4036
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Reputation: unknown

PID: 1088
Process: svchost.exe
Method: GET
HTTP Code: 304
IP: 199.232.214.172:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e523dd86aac30a8d
CN: unknown
Reputation: unknown

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 1088
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 4036
Process: iexplore.exe
IP: 152.199.19.161:443
Domain: az32125.vo.msecnd.net
ASN: EDGECAST
CN: US
Reputation: whitelisted

PID: 4036
Process: iexplore.exe
IP: 199.232.214.172:80
Domain: ctldl.windowsupdate.com
ASN: FASTLY
CN: US
Reputation: unknown

PID: 4036
Process: iexplore.exe
IP: 199.232.210.172:80
Domain: ctldl.windowsupdate.com
ASN: FASTLY
CN: US
Reputation: unknown

PID: 4036
Process: iexplore.exe
IP: 192.229.221.95:80
Domain: ocsp.digicert.com
ASN: EDGECAST
CN: US
Reputation: whitelisted

PID: 616
Process: Installation Assistant.exe
IP: 104.102.44.10:443
Domain: imagingcontent.kofax.com
ASN: AKAMAI-AS
CN: DE
Reputation: unknown

PID: 1088
Process: svchost.exe
IP: 199.232.214.172:80
Domain: ctldl.windowsupdate.com
ASN: FASTLY
CN: US
Reputation: unknown

DNS requests

Domain: az32125.vo.msecnd.net
IP: 152.199.19.161
Reputation: unknown

Domain: ctldl.windowsupdate.com
IP: 199.232.214.172, 199.232.210.172
Reputation: whitelisted

Domain: ocsp.digicert.com
IP: 192.229.221.95
Reputation: whitelisted

Domain: imagingcontent.kofax.com
IP: 104.102.44.10
Reputation: unknown

Threats

No threats detected
Process | Message
Installation Assistant.exe | 1 > 6/12/2024 10:19:37.625: -I- Application started
Installation Assistant.exe | 1 > 6/12/2024 10:19:37.719: -E- Initializing 'FormInitialization' dialog.
Installation Assistant.exe | 1 > 6/12/2024 10:19:37.735: -I- Initialize the downloader.
Installation Assistant.exe | 3 > 6/12/2024 10:19:38.016: -I- DownloadSetupResources.DoWork
Installation Assistant.exe | 3 > 6/12/2024 10:19:38.047: -I- DownloadPreviousFiles.GetInfo
Installation Assistant.exe | 3 > 6/12/2024 10:19:38.047: -I- Downloader.StartDownload
Installation Assistant.exe | 3 > 6/12/2024 10:19:38.047: -I- Downloading the setup information file.
Installation Assistant.exe | 1 > 6/12/2024 10:19:38.047: -I- DownloadSetupResources.ProgressChanged: '10'
Installation Assistant.exe | 3 > 6/12/2024 10:19:38.063: -I- Downloader.DownloadFile: Downloading 'https://imagingcontent.kofax.com/PowerPDF/Pro/5_1/EFGDISWABTMJKPRYZNCHU/info_Std_24208_0100.xml'
Installation Assistant.exe | 3 > 6/12/2024 10:20:12.500: -I- The setup information file was downloaded.