File name: pdfsetup.exe

Full analysis: https://app.any.run/tasks/e0e6bd99-6bd6-48b2-9a5f-bf33c752bcbe
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: October 22, 2025, 13:44:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
inno
installer
adware
innosetup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 0C64563E71991AE57736DD9DB07B0EB7
SHA1: 12D8053B93E6C62EDF1758E9897CDDBA75AD1FCC
SHA256: 51C9DD59E1F32DD8D2E61EE600E08BDB78D1FC0530DBCD0FCCEA57BA85037FE4
SSDEEP: 98304:nLVIF8P3n1BLHxtD59KEKjSvDXMY5lCh8AKmawhO3SSIL4qECo6xjbVHE33bsjEb:xMRMRLCiRmaixE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • pdfsetup.exe (PID: 7624)
      • pdfsetup.tmp (PID: 7644)
    • Reads the Windows owner or organization settings

      • pdfsetup.tmp (PID: 7644)
    • Process drops legitimate windows executable

      • pdfsetup.tmp (PID: 7644)
    • Application launched itself

      • PDFSpark.exe (PID: 5400)
    • Reads security settings of Internet Explorer

      • PDFSpark.exe (PID: 5400)
  • INFO

    • Reads Environment values

      • pdfsetup.exe (PID: 7624)
      • pdfsetup.tmp (PID: 7644)
      • PDFSpark.exe (PID: 5400)
      • PDFSpark.exe (PID: 7808)
    • Checks supported languages

      • pdfsetup.exe (PID: 7624)
      • pdfsetup.tmp (PID: 7644)
      • PDFSpark.exe (PID: 7704)
      • PDFSpark.exe (PID: 4972)
      • PDFSpark.exe (PID: 5400)
      • PDFSpark.exe (PID: 7808)
    • Create files in a temporary directory

      • pdfsetup.exe (PID: 7624)
      • pdfsetup.tmp (PID: 7644)
      • PDFSpark.exe (PID: 5400)
    • Checks proxy server information

      • pdfsetup.tmp (PID: 7644)
      • PDFSpark.exe (PID: 5400)
      • slui.exe (PID: 1416)
    • Reads the computer name

      • pdfsetup.tmp (PID: 7644)
      • PDFSpark.exe (PID: 5400)
      • PDFSpark.exe (PID: 4972)
      • PDFSpark.exe (PID: 7704)
    • The sample compiled with english language support

      • pdfsetup.tmp (PID: 7644)
    • Reads the software policy settings

      • pdfsetup.tmp (PID: 7644)
      • PDFSpark.exe (PID: 5400)
      • slui.exe (PID: 1416)
    • Compiled with Borland Delphi (YARA)

      • pdfsetup.exe (PID: 7624)
      • pdfsetup.tmp (PID: 7644)
    • Detects InnoSetup installer (YARA)

      • pdfsetup.tmp (PID: 7644)
      • pdfsetup.exe (PID: 7624)
    • Creates a software uninstall entry

      • pdfsetup.tmp (PID: 7644)
    • Creates files or folders in the user directory

      • pdfsetup.tmp (PID: 7644)
      • PDFSpark.exe (PID: 5400)
      • PDFSpark.exe (PID: 7704)
    • Reads product name

      • PDFSpark.exe (PID: 5400)
      • PDFSpark.exe (PID: 7808)
    • Process checks computer location settings

      • PDFSpark.exe (PID: 7808)
      • PDFSpark.exe (PID: 5400)
    • Manual execution by a user

      • PDFSpark.exe (PID: 5400)
    • Reads the machine GUID from the registry

      • PDFSpark.exe (PID: 5400)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:03 14:45:36+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 704512
InitializedDataSize: 466944
UninitializedDataSize: -
EntryPoint: 0xacfe0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Mainstay Crypto LLC
FileDescription: PDF Spark Setup
FileVersion: 1.0.0.0
LegalCopyright: Mainstay Crypto LLC 2025
OriginalFileName:
ProductName: PDF Spark
ProductVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 148
Monitored processes: 8
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Nodes (in report order): start, pdfsetup.exe, pdfsetup.tmp, pdfspark.exe (no specs), pdfspark.exe (no specs), pdfspark.exe, pdfspark.exe (no specs), slui.exe, svchost.exe

Process information

PID: 1416
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 2276
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 4972
CMD: "C:\Users\admin\AppData\Local\Programs\PDF Spark\PDFSpark.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\pdf-spark-nativefier-41608d" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1704,i,13617784113903741905,11216421681832234667,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Path: C:\Users\admin\AppData\Local\Programs\PDF Spark\PDFSpark.exe
Parent process: PDFSpark.exe
User: admin
Company: Jia Hao
Integrity Level: LOW
Description: PDF Spark
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\programs\pdf spark\pdfspark.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5400
CMD: "C:\Users\admin\AppData\Local\Programs\PDF Spark\PDFSpark.exe"
Path: C:\Users\admin\AppData\Local\Programs\PDF Spark\PDFSpark.exe
Parent process: explorer.exe
User: admin
Company: Jia Hao
Integrity Level: MEDIUM
Description: PDF Spark
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\programs\pdf spark\pdfspark.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\rpcrt4.dll

PID: 7624
CMD: "C:\Users\admin\AppData\Local\Temp\pdfsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\pdfsetup.exe
Parent process: explorer.exe
User: admin
Company: Mainstay Crypto LLC
Integrity Level: MEDIUM
Description: PDF Spark Setup
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\pdfsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

PID: 7644
CMD: "C:\Users\admin\AppData\Local\Temp\is-USKO9.tmp\pdfsetup.tmp" /SL5="$6033C,9359096,1172480,C:\Users\admin\AppData\Local\Temp\pdfsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-USKO9.tmp\pdfsetup.tmp
Parent process: pdfsetup.exe
User: admin
Company: Mainstay Crypto LLC
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-usko9.tmp\pdfsetup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

PID: 7704
CMD: "C:\Users\admin\AppData\Local\Programs\PDF Spark\PDFSpark.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\pdf-spark-nativefier-41608d" --mojo-platform-channel-handle=2036 --field-trial-handle=1704,i,13617784113903741905,11216421681832234667,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Path: C:\Users\admin\AppData\Local\Programs\PDF Spark\PDFSpark.exe
Parent process: PDFSpark.exe
User: admin
Company: Jia Hao
Integrity Level: MEDIUM
Description: PDF Spark
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\programs\pdf spark\pdfspark.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 7808
CMD: "C:\Users\admin\AppData\Local\Programs\PDF Spark\PDFSpark.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\pdf-spark-nativefier-41608d" --app-user-model-id=pdf-spark-nativefier-41608d --app-path="C:\Users\admin\AppData\Local\Programs\PDF Spark\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2448 --field-trial-handle=1704,i,13617784113903741905,11216421681832234667,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
Path: C:\Users\admin\AppData\Local\Programs\PDF Spark\PDFSpark.exe
Parent process: PDFSpark.exe
User: admin
Company: Jia Hao
Integrity Level: MEDIUM
Description: PDF Spark
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\programs\pdf spark\pdfspark.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\users\admin\appdata\local\programs\pdf spark\ffmpeg.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Total events: 606
Read events: 581
Write events: 25
Delete events: 0

Modification events

(PID) Process: (7644) pdfsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: DC1D000093A455045A43DC01

(PID) Process: (7644) pdfsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 3649C3DC4BEAA6CB5C665DC28B8C38A9827EFD913D5E1BCC7D83B3823CA6CB9B

(PID) Process: (7644) pdfsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (7644) pdfsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDF Spark_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.4.3

(PID) Process: (7644) pdfsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDF Spark_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Local\Programs\PDF Spark

(PID) Process: (7644) pdfsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDF Spark_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\Programs\PDF Spark\

(PID) Process: (7644) pdfsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDF Spark_is1
Operation: write
Name: Inno Setup: Icon Group
Value: (Default)

(PID) Process: (7644) pdfsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDF Spark_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (7644) pdfsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDF Spark_is1
Operation: write
Name: Inno Setup: Selected Tasks
Value: desktopicon

(PID) Process: (7644) pdfsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDF Spark_is1
Operation: write
Name: Inno Setup: Deselected Tasks
Value:

Executable files: 16
Suspicious files: 176
Text files: 22
Unknown types: 0

Dropped files

PID: 7644 | Process: pdfsetup.tmp | Type:
Filename: C:\Users\admin\AppData\Local\Temp\is-QBQAU.tmp\is-U0J05.tmp
MD5:
SHA256:

PID: 7644 | Process: pdfsetup.tmp | Type:
Filename: C:\Users\admin\AppData\Local\Temp\is-QBQAU.tmp\PDFSpark_files.7z
MD5:
SHA256:

PID: 7644 | Process: pdfsetup.tmp | Type:
Filename: C:\Users\admin\AppData\Local\Programs\PDF Spark\is-15R8T.tmp
MD5:
SHA256:

PID: 7644 | Process: pdfsetup.tmp | Type:
Filename: C:\Users\admin\AppData\Local\Programs\PDF Spark\LICENSES.chromium.html
MD5:
SHA256:

PID: 7644 | Process: pdfsetup.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-QBQAU.tmp\_isetup\_setup64.tmp
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 7644 | Process: pdfsetup.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Programs\PDF Spark\ffmpeg.dll
MD5: B41B5CA7E8CDF2669494AE42BF476ECA
SHA256: 308D47179729E3E06F5153C26621BB67AF12FCA73A37123987176DF5FE9BE218

PID: 7644 | Process: pdfsetup.tmp | Type: image
Filename: C:\Users\admin\AppData\Local\Programs\PDF Spark\is-IGUPL.tmp
MD5: F54BD60198E6A27BDF18B2AECB6954F2
SHA256: D074A6B6095580BC4D87A28949FFE6E4E1634EC48C742CADCFE2A3BF20995757

PID: 7644 | Process: pdfsetup.tmp | Type: binary
Filename: C:\Users\admin\AppData\Local\Programs\PDF Spark\chrome_200_percent.pak
MD5: D88936315A5BD83C1550E5B8093EB1E6
SHA256: F49ABD81E93A05C1E53C1201A5D3A12F2724F52B6971806C8306B512BF66AA25

PID: 7644 | Process: pdfsetup.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Programs\PDF Spark\is-ANVOH.tmp
MD5: 6B509CFF5329A416A51CBE46F50CD475
SHA256: DF00F9484FCE6791A5DCFD5AC70AB7F91D94A182E01CB048E1B24F8C0789CF33

PID: 7644 | Process: pdfsetup.tmp | Type: binary
Filename: C:\Users\admin\AppData\Local\Programs\PDF Spark\is-SGU3H.tmp
MD5: 0CF9DE69DCFD8227665E08C644B9499C
SHA256: D2C299095DBBD3A3CB2B4639E5B3BD389C691397FFD1A681E586F2CFE0E2AB88

HTTP(S) requests: 7
TCP/UDP connections: 41
DNS requests: 25
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7088 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | DE | binary | 313 b | whitelisted
4568 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
4568 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
7872 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | DE | binary | 471 b | whitelisted
7896 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | DE | binary | 471 b | whitelisted
2220 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | DE | binary | 813 b | whitelisted
2220 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | DE | binary | 402 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2144 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5384 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5596 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2144 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7644 | pdfsetup.tmp | 52.219.232.226:443 | pdfsparkcomponents.s3.us-east-2.amazonaws.com | | US | malicious
7088 | SearchApp.exe | 2.16.241.206:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
7088 | SearchApp.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
4568 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.46
whitelisted
pdfsparkcomponents.s3.us-east-2.amazonaws.com
  • 52.219.232.226
  • 3.5.133.52
  • 3.5.131.246
  • 16.12.66.66
  • 52.219.106.194
  • 52.219.178.250
  • 16.12.65.170
  • 52.219.179.218
malicious
www.bing.com
  • 2.16.241.206
  • 2.16.241.203
  • 2.16.241.197
  • 2.16.241.204
  • 2.16.241.205
  • 2.16.241.224
  • 2.16.241.201
  • 2.16.241.207
  • 2.16.241.200
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
login.live.com
  • 40.126.32.136
  • 40.126.32.134
  • 20.190.160.2
  • 20.190.160.17
  • 20.190.160.3
  • 20.190.160.14
  • 20.190.160.130
  • 20.190.160.67
whitelisted
th.bing.com
  • 2.16.241.200
  • 2.16.241.206
  • 2.16.241.203
  • 2.16.241.197
  • 2.16.241.204
  • 2.16.241.205
  • 2.16.241.224
  • 2.16.241.201
  • 2.16.241.207
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
arc.msn.com
  • 20.223.35.26
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

PID | Process | Class | Message
| | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
| | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
No debug info