| URL: | http://download.pdfforge.org/download/pdfcreator |
| Full analysis: | https://app.any.run/tasks/65a4f1d2-37a6-4ba8-9d6f-c70cfbdbe7d8 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | July 23, 2019, 09:17:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 103F79674D7B6E4172AF32EB9739E146 |
| SHA1: | DE2E01BAA47BBEE795EE11D215B0859D19557D25 |
| SHA256: | A2E5A301B97EFC148057062C6397247706098B0E5E9F71422D0BEEB31B3D0295 |
| SSDEEP: | 3:N1KaKElGSFSpQsn:Ca5GSFe |
MALICIOUS
Changes settings of System certificates
- PDFCreator-3_5_1-Setup[1].tmp (PID: 3080)
- architect-setup.exe (PID: 756)
Registers / Runs the DLL via REGSVR32.EXE
- architect-setup.exe (PID: 756)
Loads dropped or rewritten executable
- RegAsm.exe (PID: 3644)
- spoolsv.exe (PID: 1184)
- PrinterHelper.exe (PID: 2240)
- PDFCreator.exe (PID: 2860)
- GenericSetup.exe (PID: 2208)
- GenericSetup.exe (PID: 2344)
- regsvr32.exe (PID: 4000)
- DllHost.exe (PID: 3220)
- SetupHelper.exe (PID: 704)
- SetupHelper.exe (PID: 3128)
- RegAsm.exe (PID: 3620)
- OfferInstaller.exe (PID: 2368)
- updater-ws.exe (PID: 3700)
- stats-com.exe (PID: 3576)
- WebCompanionInstaller.exe (PID: 3704)
- ws.exe (PID: 2604)
- WebCompanion.exe (PID: 3228)
- MsiExec.exe (PID: 2972)
- MsiExec.exe (PID: 2780)
- Lavasoft.WCAssistant.WinService.exe (PID: 3696)
- WebCompanion.exe (PID: 3512)
- MsiExec.exe (PID: 2016)
- MsiExec.exe (PID: 3456)
- creator-app.exe (PID: 2648)
- creator-ws.exe (PID: 2128)
- creator-ws.exe (PID: 1336)
- stats-com.exe (PID: 3988)
- printer-installer-app.exe (PID: 2456)
Application was dropped or rewritten from another process
- PDF_Architect_7_Installer.exe (PID: 3216)
- PrinterHelper.exe (PID: 2240)
- SetupHelper.exe (PID: 704)
- PDFCreator.exe (PID: 2860)
- SetupHelper.exe (PID: 3128)
- installer.exe (PID: 2768)
- GenericSetup.exe (PID: 2208)
- GenericSetup.exe (PID: 2344)
- OfferInstaller.exe (PID: 2368)
- rm32saun.vil.exe (PID: 2868)
- WebCompanionInstaller.exe (PID: 3704)
- ws.exe (PID: 2604)
- stats-com.exe (PID: 3576)
- WebCompanion.exe (PID: 3228)
- updater-ws.exe (PID: 3700)
- Lavasoft.WCAssistant.WinService.exe (PID: 3696)
- WebCompanion.exe (PID: 3512)
- Ad-Aware Web Companion.exe (PID: 2684)
- creator-app.exe (PID: 2648)
- printer-installer-app.exe (PID: 2456)
- creator-ws.exe (PID: 2128)
- creator-ws.exe (PID: 1336)
- stats-com.exe (PID: 3988)
LAVASOFT was detected
- installer.exe (PID: 2768)
Downloads executable files from the Internet
- OfferInstaller.exe (PID: 2368)
Changes internet zones settings
- WebCompanionInstaller.exe (PID: 3704)
Changes the autorun value in the registry
- WebCompanion.exe (PID: 3228)
Starts Visual C# compiler
- WebCompanion.exe (PID: 3228)
SUSPICIOUS
Executable content was dropped or overwritten
- iexplore.exe (PID: 3908)
- iexplore.exe (PID: 3248)
- PDFCreator-3_5_1-Setup[1].exe (PID: 2532)
- DownloadUpdateInfo.exe (PID: 3320)
- PDFCreator-3_5_1-Setup[1].tmp (PID: 3080)
- PDFCreator-3_5_1-Setup[1].exe (PID: 3932)
- DownloadUpdateInfo.tmp (PID: 3788)
- architect-setup.exe (PID: 756)
- PrinterHelper.exe (PID: 2240)
- spoolsv.exe (PID: 1184)
- lsop.exe (PID: 3096)
- rm32saun.vil.exe (PID: 2868)
- InstallCheck.exe (PID: 2328)
- InstallCheck.tmp (PID: 2252)
- WebCompanionInstaller.exe (PID: 3704)
- msiexec.exe (PID: 3688)
- printer-installer-app.exe (PID: 2456)
- OfferInstaller.exe (PID: 2368)
Adds / modifies Windows certificates
- PDFCreator-3_5_1-Setup[1].tmp (PID: 3080)
- architect-setup.exe (PID: 756)
Creates COM task schedule object
- regsvr32.exe (PID: 4000)
- RegAsm.exe (PID: 3620)
- RegAsm.exe (PID: 3644)
- MsiExec.exe (PID: 2780)
- MsiExec.exe (PID: 2972)
- MsiExec.exe (PID: 2016)
- MsiExec.exe (PID: 3456)
Executed via COM
- DllHost.exe (PID: 3220)
- DrvInst.exe (PID: 3812)
- DrvInst.exe (PID: 2228)
- DrvInst.exe (PID: 3132)
- stats-com.exe (PID: 3988)
Creates files in the program directory
- RegAsm.exe (PID: 3620)
- PrinterHelper.exe (PID: 2240)
- WebCompanionInstaller.exe (PID: 3704)
- WebCompanion.exe (PID: 3228)
- Lavasoft.WCAssistant.WinService.exe (PID: 3696)
- WebCompanion.exe (PID: 3512)
- DllHost.exe (PID: 3220)
- stats-com.exe (PID: 3988)
Starts itself from another location
- architect-setup.exe (PID: 756)
Creates files in the Windows directory
- spoolsv.exe (PID: 1184)
- PrinterHelper.exe (PID: 2240)
- Lavasoft.WCAssistant.WinService.exe (PID: 3696)
- WebCompanion.exe (PID: 3228)
- printer-installer-app.exe (PID: 2456)
- WebCompanionInstaller.exe (PID: 3704)
Removes files from Windows directory
- spoolsv.exe (PID: 1184)
- PrinterHelper.exe (PID: 2240)
- Lavasoft.WCAssistant.WinService.exe (PID: 3696)
- WebCompanionInstaller.exe (PID: 3704)
Reads Environment values
- GenericSetup.exe (PID: 2208)
- GenericSetup.exe (PID: 2344)
- OfferInstaller.exe (PID: 2368)
Reads Windows owner or organization settings
- GenericSetup.exe (PID: 2208)
- GenericSetup.exe (PID: 2344)
- OfferInstaller.exe (PID: 2368)
Reads the Windows organization settings
- GenericSetup.exe (PID: 2208)
- GenericSetup.exe (PID: 2344)
- OfferInstaller.exe (PID: 2368)
Application launched itself
- GenericSetup.exe (PID: 2208)
Searches for installed software
- PDFCreator.exe (PID: 2860)
- GenericSetup.exe (PID: 2344)
- OfferInstaller.exe (PID: 2368)
Starts CMD.EXE for commands execution
- OfferInstaller.exe (PID: 2368)
- WebCompanionInstaller.exe (PID: 3704)
- Lavasoft.WCAssistant.WinService.exe (PID: 3696)
Modifies the open verb of a shell class
- msiexec.exe (PID: 3688)
Starts SC.EXE for service management
- WebCompanionInstaller.exe (PID: 3704)
Creates a software uninstall entry
- WebCompanionInstaller.exe (PID: 3704)
Creates files in the user directory
- WebCompanionInstaller.exe (PID: 3704)
- WebCompanion.exe (PID: 3228)
- creator-ws.exe (PID: 1336)
- architect-setup.exe (PID: 756)
- stats-com.exe (PID: 3988)
- DllHost.exe (PID: 3220)
Uses NETSH.EXE for network configuration
- cmd.exe (PID: 2164)
- cmd.exe (PID: 2628)
Executed as Windows Service
- Lavasoft.WCAssistant.WinService.exe (PID: 3696)
- PresentationFontCache.exe (PID: 3140)
- vssvc.exe (PID: 2620)
- creator-ws.exe (PID: 1336)
Changes the started page of IE
- WebCompanion.exe (PID: 3228)
Reads the cookies of Mozilla Firefox
- stats-com.exe (PID: 3988)
- DllHost.exe (PID: 3220)
Reads the cookies of Google Chrome
- stats-com.exe (PID: 3988)
- DllHost.exe (PID: 3220)
INFO
Changes internet zones settings
- iexplore.exe (PID: 3408)
Creates files in the user directory
- iexplore.exe (PID: 3908)
Application launched itself
- iexplore.exe (PID: 3408)
- msiexec.exe (PID: 3688)
Reads internet explorer settings
- iexplore.exe (PID: 3908)
- iexplore.exe (PID: 3248)
Application was dropped or rewritten from another process
- PDFCreator-3_5_1-Setup[1].tmp (PID: 3000)
- DownloadUpdateInfo.exe (PID: 3320)
- PDFCreator-3_5_1-Setup[1].tmp (PID: 3080)
- DownloadUpdateInfo.tmp (PID: 3788)
- architect-setup.exe (PID: 756)
- lsop.exe (PID: 3096)
- InstallCheck.tmp (PID: 2252)
- InstallCheck.exe (PID: 2328)
Reads Internet Cache Settings
- iexplore.exe (PID: 3908)
- iexplore.exe (PID: 3248)
Loads dropped or rewritten executable
- DownloadUpdateInfo.tmp (PID: 3788)
- PDFCreator-3_5_1-Setup[1].tmp (PID: 3080)
- architect-setup.exe (PID: 756)
- InstallCheck.tmp (PID: 2252)
- msiexec.exe (PID: 3688)
Reads settings of System Certificates
- iexplore.exe (PID: 3908)
Dropped object may contain Bitcoin addresses
- architect-setup.exe (PID: 756)
- PDFCreator-3_5_1-Setup[1].tmp (PID: 3080)
- msiexec.exe (PID: 3688)
- WebCompanionInstaller.exe (PID: 3704)
- WebCompanion.exe (PID: 3228)
Creates a software uninstall entry
- PDFCreator-3_5_1-Setup[1].tmp (PID: 3080)
- msiexec.exe (PID: 3688)
- architect-setup.exe (PID: 756)
Creates files in the program directory
- architect-setup.exe (PID: 756)
- PDFCreator-3_5_1-Setup[1].tmp (PID: 3080)
- msiexec.exe (PID: 3688)
Searches for installed software
- msiexec.exe (PID: 3688)
Low-level read access rights to disk partition
- vssvc.exe (PID: 2620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
113
Monitored processes
62
Malicious processes
31
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 704 | "C:\Program Files\PDFCreator\SetupHelper.exe" /ComInterface=Register | C:\Program Files\PDFCreator\SetupHelper.exe | — | PDFCreator-3_5_1-Setup[1].tmp | |||||||||||
User: admin Company: pdfforge Integrity Level: HIGH Description: SetupHelper Exit code: 0 Version: 1.2.0.0 Modules
| |||||||||||||||
| 756 | "C:\Users\admin\AppData\Local\Temp\is-I5K74.tmp\architect-setup.exe" /quiet /run_application=0 /default_application=0 /application_language=en /desktop_shortcut=1 /firefox_integration /ie_integration /enable_automatic_updates=yes /win_explorer_integration /install_messenger | C:\Users\admin\AppData\Local\Temp\is-I5K74.tmp\architect-setup.exe | PDFCreator-3_5_1-Setup[1].tmp | ||||||||||||
User: admin Company: © pdfforge GmbH. Integrity Level: HIGH Description: PDF Architect 7 Installer Exit code: 0 Version: 7.0.24.1546 Modules
| |||||||||||||||
| 1184 | C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Spooler SubSystem App Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1336 | "C:\Program Files\PDF Architect 7\creator\common\creator-ws.exe" | C:\Program Files\PDF Architect 7\creator\common\creator-ws.exe | — | services.exe | |||||||||||
User: SYSTEM Company: pdfforge GmbH Integrity Level: SYSTEM Description: PDF Architect 7 Exit code: 0 Version: 7.0.30.3196 Modules
| |||||||||||||||
| 1580 | netsh http add urlacl url=http://+:9007/ user=Everyone | C:\Windows\system32\netsh.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2016 | "C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\PDF Architect 7\creator\plugins\IEAddin\creator-ie-helper.dll" | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2128 | "C:\Program Files\PDF Architect 7\creator\common\creator-ws.exe" -service | C:\Program Files\PDF Architect 7\creator\common\creator-ws.exe | — | msiexec.exe | |||||||||||
User: admin Company: pdfforge GmbH Integrity Level: HIGH Description: PDF Architect 7 Exit code: 0 Version: 7.0.30.3196 Modules
| |||||||||||||||
| 2164 | "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone | C:\Windows\System32\cmd.exe | — | WebCompanionInstaller.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2208 | C:\Users\admin\AppData\Local\Temp\7zS81CB8513\GenericSetup.exe HHWND=393824 HLANG=en HASYNC HSHOWCARRIER | C:\Users\admin\AppData\Local\Temp\7zS81CB8513\GenericSetup.exe | — | installer.exe | |||||||||||
User: admin Company: adaware Integrity Level: HIGH Description: PDFCreator is the easy way of creating PDFs. Exit code: 0 Version: 2.7.2.1576 Modules
| |||||||||||||||
| 2228 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005E4" "000005F0" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
11 382
Read events
6 082
Write events
5 202
Delete events
98
Modification events
| (PID) Process: | (3408) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (3408) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3408) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (3408) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
| (PID) Process: | (3408) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (3408) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3408) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
| Operation: | write | Name: | {AEBB107F-AD2A-11E9-B506-5254004A04AF} |
Value: 0 | |||
| (PID) Process: | (3408) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Type |
Value: 4 | |||
| (PID) Process: | (3408) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Count |
Value: 1 | |||
| (PID) Process: | (3408) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Time |
Value: E3070700020017000900110019005D02 | |||
Executable files
312
Suspicious files
107
Text files
906
Unknown types
86
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3408 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 3408 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 3908 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:— | SHA256:— | |||
| 3908 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PK5Z1Z6E\css[1].txt | text | |
MD5:— | SHA256:— | |||
| 3908 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JA446C05\pdfcreator[1].htm | html | |
MD5:— | SHA256:— | |||
| 3908 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PK5Z1Z6E\overwrite[1].css | text | |
MD5:— | SHA256:— | |||
| 3908 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PK5Z1Z6E\css[2].txt | text | |
MD5:— | SHA256:— | |||
| 3908 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PK5Z1Z6E\modernizr[1].js | html | |
MD5:— | SHA256:— | |||
| 3908 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PK5Z1Z6E\screen[1].css | text | |
MD5:— | SHA256:— | |||
| 3908 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
103
TCP/UDP connections
97
DNS requests
34
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3908 | iexplore.exe | GET | — | 216.239.38.21:80 | http://download.pdfforge.org/styles/screen.css | US | — | — | malicious |
3908 | iexplore.exe | GET | 200 | 216.239.38.21:80 | http://download.pdfforge.org/download/pdfcreator | US | html | 21.0 Kb | malicious |
3908 | iexplore.exe | GET | 200 | 172.217.18.170:80 | http://fonts.googleapis.com/css?family=Roboto+Slab | US | text | 173 b | whitelisted |
3908 | iexplore.exe | GET | 404 | 216.239.38.21:80 | http://download.pdfforge.org/stylesheets/fonts/bootstrap/glyphicons-halflings-regular.eot? | US | html | 338 b | malicious |
3908 | iexplore.exe | GET | 200 | 216.239.38.21:80 | http://download.pdfforge.org/images/base/en_logo.png | US | image | 11.3 Kb | malicious |
3908 | iexplore.exe | GET | 200 | 216.239.38.21:80 | http://download.pdfforge.org/styles/ie.css | US | text | 210 b | malicious |
3908 | iexplore.exe | GET | 200 | 216.58.210.2:80 | http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | US | text | 33.5 Kb | whitelisted |
3908 | iexplore.exe | GET | 200 | 216.239.38.21:80 | http://download.pdfforge.org/scripts/vendor/modernizr.js | US | html | 4.95 Kb | malicious |
3908 | iexplore.exe | GET | 200 | 172.217.18.170:80 | http://fonts.googleapis.com/css?family=Open+Sans | US | text | 167 b | whitelisted |
3908 | iexplore.exe | GET | 200 | 216.239.38.21:80 | http://download.pdfforge.org/styles/screen.css | US | text | 42.4 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3908 | iexplore.exe | 216.58.207.78:443 | cse.google.com | Google Inc. | US | whitelisted |
3408 | iexplore.exe | 216.239.38.21:80 | download.pdfforge.org | Google Inc. | US | whitelisted |
3908 | iexplore.exe | 176.9.41.251:443 | silver.download.pdfforge.org | Hetzner Online GmbH | DE | unknown |
3248 | iexplore.exe | 216.239.38.21:80 | download.pdfforge.org | Google Inc. | US | whitelisted |
3908 | iexplore.exe | 216.239.38.21:80 | download.pdfforge.org | Google Inc. | US | whitelisted |
3908 | iexplore.exe | 172.217.18.170:80 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3908 | iexplore.exe | 209.197.3.15:80 | netdna.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted |
3908 | iexplore.exe | 172.217.23.131:80 | fonts.gstatic.com | Google Inc. | US | whitelisted |
3408 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3248 | iexplore.exe | 216.58.207.78:443 | cse.google.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
download.pdfforge.org |
| malicious |
fonts.googleapis.com |
| whitelisted |
netdna.bootstrapcdn.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
www.bing.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
www.google.com |
| malicious |
djtflbt20bdde.cloudfront.net |
| whitelisted |
cse.google.com |
| whitelisted |
silver.download.pdfforge.org |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2768 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
2368 | OfferInstaller.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2368 | OfferInstaller.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2368 | OfferInstaller.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
Process | Message |
|---|---|
GenericSetup.exe |
*** Status originated: -1072365543
*** Source File: d:\iso_whid\x86fre\base\isolation\id_parser.cpp, line 352
|
GenericSetup.exe |
*** Status propagated: -1072365543
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147
|
WebCompanionInstaller.exe | Detecting windows culture
|
WebCompanionInstaller.exe | 7/23/2019 10:20:27 AM :-> Starting installer 4.7.1993.3887 with: .\WebCompanionInstaller.exe --partner=PF170501 --version=4.7.1993.3887 --prod --silent --homepage=1 --search=1 --partner=PF170501, Run as admin: True
|
WebCompanionInstaller.exe | Preparing for installing Web Companion
|
WebCompanionInstaller.exe | 7/23/2019 10:20:28 AM :-> Generating Machine and Install Id ...
|
WebCompanionInstaller.exe | 7/23/2019 10:20:28 AM :-> Machine Id and Install Id has been generated
|
WebCompanionInstaller.exe | 7/23/2019 10:20:28 AM :-> Checking prerequisites ...
|
WebCompanionInstaller.exe | 7/23/2019 10:20:28 AM :-> Antivirus not detected
|
WebCompanionInstaller.exe | 7/23/2019 10:20:28 AM :-> vm_check False
|