File name: ppdf_ia_Std_24208_0100.exe

Full analysis: https://app.any.run/tasks/e42f44f3-8b5b-49a8-8c68-fd8edcfb8578
Verdict: Malicious activity
Analysis date: July 07, 2025, 09:41:38
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: C7F63C28333D8F5AF8274F67A61E79F1
SHA1: F07165FC989F01EEE3E94607CA1B56EF64A4E538
SHA256: A191066EBC62196B415FA3CEF84830E687AB8813A18428A72DD62923A8EB9473
SSDEEP: 49152:h1y12hpbC48Nb9kpfp+a3vwq64Mpz0YA6QwsQe:Xy8hpbh8NNaYqf96rpe


ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 3832)
      • msiexec.exe (PID: 7000)
    • Registers / Runs the DLL via REGSVR32.EXE

      • msiexec.exe (PID: 7000)
      • msiexec.exe (PID: 3832)
      • RegistryController.exe (PID: 5352)
      • DefaultViewer.exe (PID: 4104)
      • DefaultViewer.exe (PID: 6664)
  • SUSPICIOUS

    • Reads Internet Explorer settings

      • Installation Assistant.exe (PID: 2232)
      • PowerPDF.exe (PID: 3028)
    • Reads security settings of Internet Explorer

      • Setup.exe (PID: 2800)
      • Installation Assistant.exe (PID: 2232)
      • MicrosoftEdgeUpdate.exe (PID: 4844)
      • Analytics.exe (PID: 2760)
      • DefaultViewer.exe (PID: 4104)
      • Analytics.exe (PID: 1852)
      • PowerPDF.exe (PID: 3028)
      • Analytics.exe (PID: 4832)
      • Analytics.exe (PID: 888)
      • DefaultViewer.exe (PID: 6664)
    • Reads the date of Windows installation

      • Setup.exe (PID: 2800)
      • Installation Assistant.exe (PID: 2232)
    • Executable content was dropped or overwritten

      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 5244)
      • ppdf_ia_Std_24208_0100.exe (PID: 6172)
      • Installation Assistant.exe (PID: 2232)
      • _setup.exe (PID: 2512)
    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 4844)
    • Process drops legitimate windows executable

      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 5244)
      • MicrosoftEdgeUpdate.exe (PID: 4844)
      • msiexec.exe (PID: 3832)
      • msiexec.exe (PID: 7000)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 4844)
    • Adds/modifies Windows certificates

      • msiexec.exe (PID: 3832)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3832)
    • Starts itself from another location

      • _setup.exe (PID: 2512)
    • There is functionality for taking screenshot (YARA)

      • _setup.exe (PID: 4040)
      • _setup.exe (PID: 2512)
      • PowerPDF.exe (PID: 3028)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 3832)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 3832)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 6036)
      • regsvr32.exe (PID: 868)
      • regsvr32.exe (PID: 4052)
      • regsvr32.exe (PID: 4080)
      • msiexec.exe (PID: 3832)
      • regsvr32.exe (PID: 1180)
      • regsvr32.exe (PID: 3724)
      • regsvr32.exe (PID: 5908)
      • RegistryController.exe (PID: 5352)
      • regsvr32.exe (PID: 4032)
      • regsvr32.exe (PID: 1588)
      • regsvr32.exe (PID: 3876)
      • regsvr32.exe (PID: 1840)
      • regsvr32.exe (PID: 7048)
      • regsvr32.exe (PID: 892)
      • regsvr32.exe (PID: 7128)
      • regsvr32.exe (PID: 2836)
      • regsvr32.exe (PID: 4796)
      • regsvr32.exe (PID: 1148)
      • regsvr32.exe (PID: 6068)
    • Detected use of alternative data streams (AltDS)

      • PPDFLM.exe (PID: 6200)
      • PPDFLM.exe (PID: 6364)
    • The process deletes folder without confirmation

      • _setup.exe (PID: 4040)
    • Starts CMD.EXE for commands execution

      • _setup.exe (PID: 4040)
    • The process executes via Task Scheduler

      • PowerPDF.exe (PID: 3028)
    • Reads Microsoft Outlook installation path

      • PowerPDF.exe (PID: 3028)
  • INFO

    • Reads Environment values

      • Installation Assistant.exe (PID: 2232)
      • MicrosoftEdgeUpdate.exe (PID: 4844)
    • Reads the machine GUID from the registry

      • Installation Assistant.exe (PID: 2232)
      • Setup.exe (PID: 2800)
      • msiexec.exe (PID: 3832)
      • PowerPDF.exe (PID: 3028)
    • Create files in a temporary directory

      • ppdf_ia_Std_24208_0100.exe (PID: 6172)
      • Installation Assistant.exe (PID: 2232)
      • Setup.exe (PID: 2800)
      • _setup.exe (PID: 4040)
      • _setup.exe (PID: 2512)
      • msiexec.exe (PID: 7000)
      • msiexec.exe (PID: 6140)
      • regsvr32.exe (PID: 892)
      • regsvr32.exe (PID: 7128)
      • regsvr32.exe (PID: 2836)
      • PowerPDF.exe (PID: 3028)
      • regsvr32.exe (PID: 6068)
      • regsvr32.exe (PID: 1148)
      • regsvr32.exe (PID: 4796)
    • Disables trace logs

      • Installation Assistant.exe (PID: 2232)
    • Reads the computer name

      • Installation Assistant.exe (PID: 2232)
      • Setup.exe (PID: 2800)
      • MicrosoftEdgeUpdate.exe (PID: 4844)
      • _setup.exe (PID: 2512)
      • msiexec.exe (PID: 3832)
      • msiexec.exe (PID: 6140)
      • _setup.exe (PID: 4040)
      • msiexec.exe (PID: 7000)
      • DMSMgrHelper.exe (PID: 1700)
      • RegistryController.exe (PID: 5352)
      • PdfAttachHelper.exe (PID: 1068)
      • PdfAttachHelper.exe (PID: 3624)
      • Analytics.exe (PID: 2760)
      • NPDFIEBroker.exe (PID: 5288)
      • SPDFIEBroker.exe (PID: 1044)
      • DefaultViewer.exe (PID: 4104)
      • PPDFLM.exe (PID: 6364)
      • PPDFLM.exe (PID: 6200)
      • Analytics.exe (PID: 1852)
      • PrinterDriver.exe (PID: 1156)
      • PowerPDF.exe (PID: 3028)
      • Analytics.exe (PID: 4832)
      • DefaultViewer.exe (PID: 6664)
      • Analytics.exe (PID: 888)
    • Checks supported languages

      • Installation Assistant.exe (PID: 2232)
      • ppdf_ia_Std_24208_0100.exe (PID: 6172)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 5244)
      • Setup.exe (PID: 2800)
      • MicrosoftEdgeUpdate.exe (PID: 4844)
      • _setup.exe (PID: 4040)
      • msiexec.exe (PID: 3832)
      • msiexec.exe (PID: 6140)
      • _setup.exe (PID: 2512)
      • msiexec.exe (PID: 7000)
      • DMSMgrHelper.exe (PID: 1700)
      • PPDFLM.exe (PID: 5496)
      • RegistryController.exe (PID: 5352)
      • PdfAttachHelper.exe (PID: 1068)
      • FileToPDFHelper.exe (PID: 5460)
      • PPDFAssist.exe (PID: 3820)
      • PdfAttachHelper.exe (PID: 3624)
      • RnRsdLogU.exe (PID: 4088)
      • Analytics.exe (PID: 2760)
      • PPDFLM.exe (PID: 3688)
      • SPDFIEBroker.exe (PID: 1044)
      • NPDFIEBroker.exe (PID: 5288)
      • DefaultViewer.exe (PID: 4104)
      • Analytics.exe (PID: 1852)
      • PowerPDF.exe (PID: 3028)
      • PPDFLM.exe (PID: 6200)
      • PrinterDriver.exe (PID: 1156)
      • PPDFLM.exe (PID: 6364)
      • Analytics.exe (PID: 4832)
      • DefaultViewer.exe (PID: 6664)
      • Analytics.exe (PID: 888)
    • The sample compiled with english language support

      • ppdf_ia_Std_24208_0100.exe (PID: 6172)
      • Installation Assistant.exe (PID: 2232)
      • MicrosoftEdgeUpdate.exe (PID: 4844)
      • _setup.exe (PID: 2512)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 5244)
      • msiexec.exe (PID: 3832)
      • msiexec.exe (PID: 6140)
      • msiexec.exe (PID: 7000)
    • Reads the software policy settings

      • Installation Assistant.exe (PID: 2232)
      • MicrosoftEdgeUpdate.exe (PID: 4844)
      • wermgr.exe (PID: 1964)
      • msiexec.exe (PID: 3832)
      • slui.exe (PID: 316)
    • Checks proxy server information

      • Installation Assistant.exe (PID: 2232)
      • MicrosoftEdgeUpdate.exe (PID: 4844)
      • wermgr.exe (PID: 1964)
      • slui.exe (PID: 316)
      • PowerPDF.exe (PID: 3028)
    • Process checks computer location settings

      • Setup.exe (PID: 2800)
      • Installation Assistant.exe (PID: 2232)
      • MicrosoftEdgeUpdate.exe (PID: 4844)
      • DefaultViewer.exe (PID: 4104)
      • PowerPDF.exe (PID: 3028)
      • DefaultViewer.exe (PID: 6664)
    • Creates files in the program directory

      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 5244)
      • Installation Assistant.exe (PID: 2232)
      • PPDFLM.exe (PID: 3688)
      • PPDFLM.exe (PID: 6364)
    • Creates files or folders in the user directory

      • wermgr.exe (PID: 1964)
      • msiexec.exe (PID: 3832)
      • splwow64.exe (PID: 2220)
      • PowerPDF.exe (PID: 3028)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3832)
      • msiexec.exe (PID: 6140)
      • msiexec.exe (PID: 7000)
    • The sample compiled with chinese language support

      • msiexec.exe (PID: 3832)
    • The sample compiled with portuguese language support

      • msiexec.exe (PID: 3832)
    • Launching a file from a Registry key

      • msiexec.exe (PID: 3832)
      • msiexec.exe (PID: 7000)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 3832)
      • OpenWith.exe (PID: 5724)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3832)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:04:08 03:11:42+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.37
CodeSize: 82944
InitializedDataSize: 3498496
UninitializedDataSize: -
EntryPoint: 0x40b9
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 51.0.24208.100
ProductVersionNumber: 5.10.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Kofax
FileDescription: Kofax Power PDF Assistant
FileVersion: 51.00.24208.0100
InternalName: SelfExtractor.exe
LegalCopyright: (C) 2015-2024 Tungsten Automation. All rights reserved.
LegalTrademarks: Tungsten Automation, Kofax, Power PDF, ScanSoft, Recognita, OmniPage and OmniPage Capture SDK are registered trademarks of Kofax Inc. in the United States and/or other countries.
OriginalFileName: SelfExtractor.exe
ProductName: Kofax Power PDF Products
ProductVersion: 5.1
All screenshots are available in the full report
Total processes: 220
Monitored processes: 72
Malicious processes: 12
Suspicious processes: 3

Behavior graph

(Process graph not reproduced. Processes shown, in order of appearance: ppdf_ia_std_24208_0100.exe, installation assistant.exe, slui.exe, setup.exe, microsoftedgewebview2runtimeinstallerx64.exe, microsoftedgeupdate.exe, wermgr.exe, _setup.exe, msiexec.exe, regsvr32.exe (many instances), dmsmgrhelper.exe, ppdflm.exe, registrycontroller.exe, pdfattachhelper.exe, filetopdfhelper.exe, ppdfassist.exe, rnrsdlogu.exe, analytics.exe, spdfiebroker.exe, npdfiebroker.exe, defaultviewer.exe, printerdriver.exe, splwow64.exe, cmd.exe, conhost.exe, powerpdf.exe, openwith.exe.)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 316
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 868
CMD: regsvr32.exe /s "C:\Program Files (x86)\Kofax\Power PDF 51\Bin\ActiveXIEHelper_x64.ocx"
Path: C:\Windows\System32\regsvr32.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 888
CMD: "C:\Program Files (x86)\Kofax\Power PDF 51\Analytics.exe" Software\Kofax\PDF\V1|PO-1677-870-24208.0100|UA-108800570-1|ec|Power%20PDF|ea|Create%20PDF|el|Blank
Path: C:\Program Files (x86)\Kofax\Power PDF 51\Analytics.exe
Parent process: PowerPDF.exe
User: admin
Company: Kofax
Integrity Level: MEDIUM
Description: Analytics.exe
Exit code: 0
Version: 51.00.24208.0100
Modules
Images
c:\program files (x86)\kofax\power pdf 51\analytics.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 892
CMD: /s "C:\Program Files (x86)\Kofax\Power PDF 51\bin\zThumb.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1044
CMD: "C:\Program Files (x86)\Kofax\Power PDF 51\bin\SPDFIEBroker.exe" /regserver
Path: C:\Program Files (x86)\Kofax\Power PDF 51\bin\SPDFIEBroker.exe
Parent process: msiexec.exe
User: admin
Company: Kofax.
Integrity Level: HIGH
Description: Kofax PDF Create
Exit code: 0
Version: 4.0.0.1
Modules
Images
c:\program files (x86)\kofax\power pdf 51\bin\spdfiebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1044
CMD: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Kofax\Power PDF 51\bin\zThumb.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: DefaultViewer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1068
CMD: /regserver
Path: C:\Program Files (x86)\Kofax\Power PDF 51\PdfAttachHelper.exe
Parent process: RegistryController.exe
User: SYSTEM
Company: Kofax
Integrity Level: SYSTEM
Description: Kofax PDF Processor
Exit code: 0
Version: 51.00.24208.0100
Modules
Images
c:\program files (x86)\kofax\power pdf 51\pdfattachhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1148
CMD: /s "C:\Program Files (x86)\Kofax\Power PDF 51\bin\zPreview_x64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1156
CMD: "C:\Program Files (x86)\Kofax\Power PDF 51\PDF Driver\PrinterDriver.exe" /Property
Path: C:\Program Files (x86)\Kofax\Power PDF 51\PDF Driver\PrinterDriver.exe
Parent process: msiexec.exe
User: admin
Integrity Level: HIGH
Description: Gaaiho PDF Driver
Exit code: 0
Version: 4, 0, 0, 5
Modules
Images
c:\program files (x86)\kofax\power pdf 51\pdf driver\printerdriver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1180
CMD: regsvr32.exe "C:\Program Files (x86)\Kofax\Power PDF 51\cmpdfpropi.dll" /s
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 28 964
Read events: 25 910
Write events: 2 945
Delete events: 109

Modification events

(PID) Process: (2232) Installation Assistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Installation Assistant_RASAPI32
Operation: write | Name: EnableFileTracing | Value: 0

(PID) Process: (2232) Installation Assistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Installation Assistant_RASAPI32
Operation: write | Name: EnableAutoFileTracing | Value: 0

(PID) Process: (2232) Installation Assistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Installation Assistant_RASAPI32
Operation: write | Name: EnableConsoleTracing | Value: 0

(PID) Process: (2232) Installation Assistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Installation Assistant_RASAPI32
Operation: write | Name: FileTracingMask | Value:

(PID) Process: (2232) Installation Assistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Installation Assistant_RASAPI32
Operation: write | Name: ConsoleTracingMask | Value:

(PID) Process: (2232) Installation Assistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Installation Assistant_RASAPI32
Operation: write | Name: MaxFileSize | Value: 1048576

(PID) Process: (2232) Installation Assistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Installation Assistant_RASAPI32
Operation: write | Name: FileDirectory | Value: %windir%\tracing

(PID) Process: (2232) Installation Assistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Installation Assistant_RASMANCS
Operation: write | Name: EnableFileTracing | Value: 0

(PID) Process: (2232) Installation Assistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Installation Assistant_RASMANCS
Operation: write | Name: EnableAutoFileTracing | Value: 0

(PID) Process: (2232) Installation Assistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Installation Assistant_RASMANCS
Operation: write | Name: EnableConsoleTracing | Value: 0
Executable files: 846
Suspicious files: 458
Text files: 705
Unknown types: 102

Dropped files

Columns: PID, Process, Filename, Type
PID: 6172 | Process: ppdf_ia_Std_24208_0100.exe | Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\it\Installation Assistant.resources.dll | Type: executable
MD5:C857CE67E3A75BB06D49AACFC6543BCC
SHA256:3CADA187030EDF84CB1FE4630BC89923D05B1A72DBB542BE153FFB665112DE70
PID: 6172 | Process: ppdf_ia_Std_24208_0100.exe | Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\de\Installation Assistant.resources.dll | Type: executable
MD5:0C31F85BF38BD92A23C44D6A357204CA
SHA256:BD2198045F16F9819DF31B476F18BDD3098F0D29B2C782F9AC54CE559C975570
PID: 6172 | Process: ppdf_ia_Std_24208_0100.exe | Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\pt-BR\Installation Assistant.resources.dll | Type: executable
MD5:006BD0FB682969F52149F7472998C757
SHA256:7A87FAA2111ABB5A5B75FC4182E1C45F29F079DAA66C57760F7B0F5DD8DE99E5
PID: 6172 | Process: ppdf_ia_Std_24208_0100.exe | Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\ko\Installation Assistant.resources.dll | Type: executable
MD5:08160A8ECA3AC7279B5298463639324F
SHA256:3C69B6F98985A9ABF27355FE6F5F744E013611AA8FF0AB8D7FFBD12C488A0A56
PID: 6172 | Process: ppdf_ia_Std_24208_0100.exe | Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\pl\Installation Assistant.resources.dll | Type: executable
MD5:A1ED721198714B53C71E6C51C186B37D
SHA256:23DBF641C0C54BC5F5BC85946CE14CAF31041B95BE14F5E26F93B1B2377B09EC
PID: 6172 | Process: ppdf_ia_Std_24208_0100.exe | Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\ja\Installation Assistant.resources.dll | Type: executable
MD5:7E595990C266605C04A43642B32197E1
SHA256:A04E576F452C56F478716DE0BFF185B6BA4E8A8F02504D1689ECA8993D848761
PID: 6172 | Process: ppdf_ia_Std_24208_0100.exe | Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\fr\Installation Assistant.resources.dll | Type: executable
MD5:DE874FF4EF84A7927E78B8FED8FF814E
SHA256:D75D5FBA8CFC3030F523972C309B095091C84958ED413403A2A205DCC8DB0785
PID: 6172 | Process: ppdf_ia_Std_24208_0100.exe | Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\da\Installation Assistant.resources.dll | Type: executable
MD5:8C6FF25413E78ED6C48FB3E3F7AD9E38
SHA256:CAAF9264A46CE5AD44189F0695C9F9F25B2D656487C2ABBA21DEC00B7B3A33F9
PID: 6172 | Process: ppdf_ia_Std_24208_0100.exe | Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\hu\Installation Assistant.resources.dll | Type: executable
MD5:FBE69CA994F14D3D072D8CCB866B25F8
SHA256:8EC9D73B2D9302E6C8C3237DBDC98B4E4577173E92D72166402DB5F71AD30E7D
PID: 6172 | Process: ppdf_ia_Std_24208_0100.exe | Filename: C:\Users\admin\AppData\Local\Temp\NuD35GopW0\no\Installation Assistant.resources.dll | Type: executable
MD5:EAD97CA67D4313202B164BA7810A3E85
SHA256:7BC7F40EAD54173A5EA816B137A0896BEAC6770B00FAE8C0BA7A7AB6BC284196
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 47
DNS requests: 30
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | | | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
2864 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | NL | binary | 420 b | whitelisted
2552 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
2864 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | NL | binary | 408 b | whitelisted
1964 | wermgr.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1964 | wermgr.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
3832 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | DE | binary | 727 b | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | GB | binary | 734 b | whitelisted
3832 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAySdY6RCO2KN58wTKY2uVk%3D | DE | binary | 727 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2072 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2232 | Installation Assistant.exe | 23.197.132.43:443 | imagingcontent.kofax.com | Akamai International B.V. | US | whitelisted
2552 | svchost.exe | 40.126.31.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2552 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.78
whitelisted
imagingcontent.kofax.com
  • 23.197.132.43
whitelisted
login.live.com
  • 40.126.31.2
  • 40.126.31.131
  • 40.126.31.67
  • 20.190.159.23
  • 20.190.159.64
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.128
  • 40.126.31.130
  • 20.190.159.129
  • 20.190.159.130
  • 20.190.159.4
  • 20.190.159.73
  • 40.126.31.0
  • 40.126.32.136
  • 40.126.32.138
  • 20.190.160.66
  • 20.190.160.130
  • 20.190.160.3
  • 40.126.32.133
  • 20.190.160.131
  • 20.190.160.67
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

No threats detected
Process | Message
Installation Assistant.exe | 1 > 7/7/2025 09:41:43.963: -I- Application started
Installation Assistant.exe | 1 > 7/7/2025 09:41:44.010: -E- Initializing 'FormInitialization' dialog.
Installation Assistant.exe | 1 > 7/7/2025 09:41:44.010: -I- Initialize the downloader.
Installation Assistant.exe | 3 > 7/7/2025 09:41:44.182: -I- DownloadSetupResources.DoWork
Installation Assistant.exe | 3 > 7/7/2025 09:41:44.182: -I- DownloadPreviousFiles.GetInfo
Installation Assistant.exe | 3 > 7/7/2025 09:41:44.182: -I- Downloading the setup information file.
Installation Assistant.exe | 3 > 7/7/2025 09:41:44.198: -I- Downloader.StartDownload
Installation Assistant.exe | 3 > 7/7/2025 09:41:44.198: -I- Downloader.DownloadFile: Downloading 'https://imagingcontent.kofax.com/PowerPDF/Pro/5_1/EFGDISWABTMJKPRYZNCHU/info_Std_24208_0100.xml'
Installation Assistant.exe | 1 > 7/7/2025 09:41:44.213: -I- DownloadSetupResources.ProgressChanged: '10'
Installation Assistant.exe | 3 > 7/7/2025 09:41:44.339: -I- Downloader.DownloadFile: end