File name: PDFSparkOnSoft_693145.exe
Full analysis: https://app.any.run/tasks/ef5f902c-8019-415e-938e-45c220cc1794
Verdict: Malicious activity
Analysis date: October 27, 2025, 21:31:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: phishing, inno, installer, delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 9731FEE06A5BDCCD85BF913DE5F8BF7D
SHA1: 6946D58E0DF54023FD893164BB1521FEE318A3B1
SHA256: 415B6D1BB78CB74A468B29E7AF09E885999CFCABF2C413F3BF533C2191D4E626
SSDEEP: 98304:xLVIF8P3n1BLHxtD59KEKjSvDXMY5lCh8AKmawhO3SSIL4qECo6xjkVHE33bsjEH:znRMRLCiR/x/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • svchost.exe (PID: 2276)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PDFSparkOnSoft_693145.exe (PID: 7448)
      • PDFSparkOnSoft_693145.tmp (PID: 7508)
    • Reads the Windows owner or organization settings

      • PDFSparkOnSoft_693145.tmp (PID: 7508)
  • INFO

    • Create files in a temporary directory

      • PDFSparkOnSoft_693145.tmp (PID: 7508)
      • PDFSparkOnSoft_693145.exe (PID: 7448)
    • Checks supported languages

      • PDFSparkOnSoft_693145.exe (PID: 7448)
      • PDFSparkOnSoft_693145.tmp (PID: 7508)
    • Reads the computer name

      • PDFSparkOnSoft_693145.tmp (PID: 7508)
    • The sample compiled with english language support

      • PDFSparkOnSoft_693145.tmp (PID: 7508)
    • Compiled with Borland Delphi (YARA)

      • PDFSparkOnSoft_693145.exe (PID: 7448)
      • PDFSparkOnSoft_693145.tmp (PID: 7508)
    • Detects InnoSetup installer (YARA)

      • PDFSparkOnSoft_693145.exe (PID: 7448)
      • PDFSparkOnSoft_693145.tmp (PID: 7508)
    • Checks proxy server information

      • slui.exe (PID: 8176)
    • Reads the software policy settings

      • slui.exe (PID: 8176)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:03 14:45:36+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 704512
InitializedDataSize: 466944
UninitializedDataSize: -
EntryPoint: 0xacfe0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Mainstay Crypto LLC
FileDescription: PDF Spark Setup
FileVersion: 1.0.0.0
LegalCopyright: Mainstay Crypto LLC 2025
OriginalFileName:
ProductName: PDF Spark
ProductVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes
135
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Nodes: start, pdfsparkonsoft_693145.exe, pdfsparkonsoft_693145.tmp, svchost.exe (#PHISHING), slui.exe

Process information

PID: 2276
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 7448
CMD: "C:\Users\admin\Desktop\PDFSparkOnSoft_693145.exe"
Path: C:\Users\admin\Desktop\PDFSparkOnSoft_693145.exe
Parent process: explorer.exe
User:
admin
Company:
Mainstay Crypto LLC
Integrity Level:
MEDIUM
Description:
PDF Spark Setup
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\pdfsparkonsoft_693145.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 7508
CMD: "C:\Users\admin\AppData\Local\Temp\is-4C4P3.tmp\PDFSparkOnSoft_693145.tmp" /SL5="$7016A,9353863,1172480,C:\Users\admin\Desktop\PDFSparkOnSoft_693145.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-4C4P3.tmp\PDFSparkOnSoft_693145.tmp
Parent process: PDFSparkOnSoft_693145.exe
User:
admin
Company:
Mainstay Crypto LLC
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-4c4p3.tmp\pdfsparkonsoft_693145.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 8176
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
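The process table above shows the two-stage launch that every Inno Setup installer performs: the file on the Desktop (PID 7448) unpacks the real setup program into a randomly named %TEMP%\is-XXXXX.tmp\ directory and runs it (PID 7508) with a /SL5 argument that carries the path of the original file. That argument is the handle an analyst or a detection rule needs, because the stage-2 image name is random while the loader path is the file whose hashes are listed at the top of this report. Note also that the Suricata PHISHING hit is attributed to svchost.exe (PID 2276, the Dnscache service), because the DNS lookup for pdfsetup.com went through the system resolver; the HTTP table below does not attribute the POST to pdfsetup.com to any PID. The script below is an added example, not part of the ANY.RUN report or of the sample: it pairs each Inno Setup stage-2 process with its loader and pulls the loader path out of /SL5. The /SL5 field layout (window handle, total size, offset of the embedded EXE, loader path) is my reading of Inno Setup's SetupLdr source and is an assumption; the sample events are constructed from this report's process table, and the explorer.exe parent PID (1000) is invented because the report does not list it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Inno Setup's loader stub (the file the victim double-clicks) unpacks the real
# setup program to %TEMP%\is-XXXXX.tmp\<name>.tmp and runs it with one argument:
#   /SL5="$<loader window handle, hex>,<total size>,<offset of embedded EXE>,<loader path>"
# ASSUMPTION: this field layout is my reading of Inno Setup's SetupLdr source;
# the report only shows the raw string. Validate it against your own samples.
SL5_RE = re.compile(
    r'/SL5="\$(?P<hwnd>[0-9A-Fa-f]+),(?P<total>\d+),(?P<offset>\d+),(?P<loader>[^"]+)"'
)
# Path shape of the stage-2 image: ...\Temp\is-<5 chars>.tmp\<name>.tmp
INNO_TMP_RE = re.compile(r"\\Temp\\is-[0-9A-Za-z]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class InnoSession:
    stage2_pid: int
    loader_pid: int
    loader_path: str               # original installer on disk, taken from /SL5
    total_size: int
    exe_offset: int
    loader_path_matches_parent: bool


def parse_sl5(cmdline: str) -> Optional[dict]:
    """Return the /SL5 fields as a dict, or None if absent or inconsistent."""
    m = SL5_RE.search(cmdline)
    if m is None:
        return None
    total, offset = int(m["total"]), int(m["offset"])
    if offset >= total:          # embedded EXE cannot start beyond end of file
        return None
    return {"hwnd": int(m["hwnd"], 16), "total": total,
            "offset": offset, "loader": m["loader"]}


def find_inno_sessions(events) -> list:
    """Pair every Inno Setup stage-2 process with the loader that spawned it.

    The /SL5 path is what lets you go from the stage-2 .tmp (whose directory
    name is random) back to the file the user ran, i.e. the hash to pivot on.
    """
    sessions = []
    for ev in events:
        if not INNO_TMP_RE.search(ev.image):
            continue
        sl5 = parse_sl5(ev.cmdline)
        if sl5 is None:
            continue
        sessions.append(InnoSession(
            stage2_pid=ev.pid,
            loader_pid=ev.parent_pid,
            loader_path=sl5["loader"],
            total_size=sl5["total"],
            exe_offset=sl5["offset"],
            # A loader path that differs from the parent image is worth a look:
            # the stage-2 binary was started by something other than its own stub.
            loader_path_matches_parent=sl5["loader"].lower() == ev.parent_image.lower(),
        ))
    return sessions


# Constructed sample: the three user-session processes from this report. The
# parent PID of explorer.exe (1000) is made up; the report does not list it.
SAMPLE_EVENTS = [
    ProcEvent(7448, r"C:\Users\admin\Desktop\PDFSparkOnSoft_693145.exe",
              r'"C:\Users\admin\Desktop\PDFSparkOnSoft_693145.exe"',
              1000, r"C:\Windows\explorer.exe"),
    ProcEvent(7508,
              r"C:\Users\admin\AppData\Local\Temp\is-4C4P3.tmp\PDFSparkOnSoft_693145.tmp",
              r'"C:\Users\admin\AppData\Local\Temp\is-4C4P3.tmp\PDFSparkOnSoft_693145.tmp" '
              r'/SL5="$7016A,9353863,1172480,C:\Users\admin\Desktop\PDFSparkOnSoft_693145.exe"',
              7448, r"C:\Users\admin\Desktop\PDFSparkOnSoft_693145.exe"),
    ProcEvent(8176, r"C:\Windows\System32\slui.exe",
              r"C:\WINDOWS\System32\slui.exe -Embedding",
              2276, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for s in find_inno_sessions(SAMPLE_EVENTS):
        print(f"stage-2 PID {s.stage2_pid} <- loader PID {s.loader_pid}: {s.loader_path} "
              f"(size {s.total_size}, EXE @ {s.exe_offset}, parent ok={s.loader_path_matches_parent})")
```

Matching on the is-XXXXX.tmp path alone will fire on every legitimate Inno Setup install, so this is an enrichment step rather than an alert: its output is the loader path and the loader PID, which you then join against file hashes and against network events from the same session. The consistency check on the /SL5 numbers (offset smaller than total size) and the comparison of the /SL5 path with the parent image catch command lines that merely imitate the Inno Setup shape.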
Total events
3 834
Read events
3 834
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID 7508, PDFSparkOnSoft_693145.tmp
  Filename: C:\Users\admin\AppData\Local\Temp\is-34UEA.tmp\_isetup\_setup64.tmp
  Type: executable
  MD5: E4211D6D009757C078A9FAC7FF4F03D4
  SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID 7448, PDFSparkOnSoft_693145.exe
  Filename: C:\Users\admin\AppData\Local\Temp\is-4C4P3.tmp\PDFSparkOnSoft_693145.tmp
  Type: executable
  MD5: 3F02C0209FC0F8691D43447DF33304A2
  SHA256: C1F686082EB39DB8CD58F36247E894B22C95D10672E9D50380B824AB9F2E2F46

PID 7508, PDFSparkOnSoft_693145.tmp
  Filename: C:\Users\admin\AppData\Local\Temp\is-34UEA.tmp\turbojpeg.dll
  Type: executable
  MD5: B39F6F02AEE9DE33E5711E509760FBE8
  SHA256: 86B1F566839C9B39E24D69666011E0CE99F881FCCA2C77309498B32DD7F35192
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
42
DNS requests
15
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5372 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
- | - | POST | 200 | 104.26.6.162:443 | https://pdfsetup.com/ | unknown | text | 32 b | unknown
- | - | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 29.1 Kb | unknown
7988 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | unknown | - | - | whitelisted
7988 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | - | - | whitelisted
7988 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
7988 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | unknown
- | - | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | unknown
- | - | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 29.1 Kb | unknown

Rows without a PID are shown without one in the report. The only request to a non-Microsoft, non-whitelisted host is the POST to https://pdfsetup.com/ (32 b text response, reputation unknown); everything else is Windows Update, activation and certificate-revocation traffic.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
5372 | svchost.exe | 40.126.31.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5512 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5596 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5372 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3440 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2784 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5512 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5524 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.31.3
  • 40.126.31.2
  • 40.126.31.0
  • 40.126.31.69
  • 40.126.31.131
  • 20.190.159.75
  • 40.126.31.128
  • 20.190.159.128
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.181.238
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
pdfsetup.com
  • 104.26.7.162
  • 172.67.69.90
  • 104.26.6.162
unknown
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 4.154.209.85
whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2276 | svchost.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Phishing Domain (pdfsetup .com)
No debug info