File name:	PDFTools_12345678.msi
Full analysis:	https://app.any.run/tasks/3b06a025-3297-4c1c-a953-4f6e9b5b74dd
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	August 25, 2025, 11:26:00
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc adware bbwc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {C6AE5805-E627-49D1-8A4F-F90224F5B64D}, Number of Words: 10, Subject: PDF Tools, Author: Astra Media Inc, Name of Creating Application: PDF Tools, Template: ;1033, Comments: This installer database contains the logic and data required to install PDF Tools., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Jun 27 09:53:11 2024, Last Saved Time/Date: Thu Jun 27 09:53:11 2024, Last Printed: Thu Jun 27 09:53:11 2024, Number of Pages: 450
MD5:	47259EB05F1099F5B829FEE96884EE0A
SHA1:	DD3A46E7D491440ABC5FB1B7E383C158700F7AEF
SHA256:	E505E4BC6C76F8CCD1D626832D1D5D5D2852A5C78016C43BDC2F502AF6E40396
SSDEEP:	196608:ibhzalATfCthlONgEtSqtlgymzm5vD8uINAnfL2bfndz6lNF6qkGJqZqz:ihy/ldEVtlnm48unabfdEVd

.msi	\|	Microsoft Windows Installer (81.9)
.mst	\|	Windows SDK Setup Transform Script (9.2)
.msp	\|	Windows Installer Patch (7.6)
.msi	\|	Microsoft Installer (100)

Security:	None
CodePage:	Windows Latin 1 (Western European)
RevisionNumber:	{C6AE5805-E627-49D1-8A4F-F90224F5B64D}
Words:	10
Subject:	PDF Tools
Author:	Astra Media Inc
LastModifiedBy:	-
Software:	PDF Tools
Template:	;1033
Comments:	This installer database contains the logic and data required to install PDF Tools.
Title:	Installation Database
Keywords:	Installer, MSI, Database
CreateDate:	2024:06:27 09:53:11
ModifyDate:	2024:06:27 09:53:11
LastPrinted:	2024:06:27 09:53:11
Pages:	450


(PID) Process:	(2032) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000FBA58214B315DC01F0070000BC050000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2032) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000C86C8714B315DC01F0070000BC050000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6176) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 48000000000000001C8FCC14B315DC01201800006C020000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6176) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 480000000000000068F2CE14B315DC01201800000C040000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6176) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6176) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:	(6176) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6176) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	write	Name:	Element
Value: \EFI\Microsoft\Boot\bootmgfw.efi
(PID) Process:	(6176) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6176) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000

PID	Process	Filename		Type
2032	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
2032	msiexec.exe	C:\Windows\Installer\191246.msi		—
		MD5:—	SHA256:—
4692	msiexec.exe	C:\Users\admin\AppData\Local\Temp\msi1449.txt		—
		MD5:—	SHA256:—
4692	msiexec.exe	C:\Users\admin\AppData\Local\Temp\scr144A.ps1		—
		MD5:—	SHA256:—
4692	msiexec.exe	C:\Users\admin\AppData\Local\Temp\scr144B.txt		—
		MD5:—	SHA256:—
4692	msiexec.exe	C:\Users\admin\AppData\Local\Temp\pss145C.ps1		—
		MD5:—	SHA256:—
2804	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF		binary
		MD5:92E65256C6C48EACDCE1724D41732824	SHA256:29505E7C3AFE892E8E75AB48C95B4D1A3AFAF7C4483A5260D7AF112233E4CA68
2804	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D		binary
		MD5:4A4135C659F26ECFC7C82D8B41F0A36D	SHA256:473FC565A24D49055B8CEE41C4AFAF9F62AC1343076E511AC21E736028891D69
2804	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSID7F2.tmp		executable
		MD5:D0C9613582605F3793FDAD7279DE428B	SHA256:8BD84F1156EBDFA44AFAAC8A4579BA56A8C7513E3D51E00822167EA144923726
2804	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D		binary
		MD5:61F113BAF49E6D5F4C96222C80BC2E75	SHA256:63C4212339020800344D2FEDA117D3842494BD460526F17D5449A798A9B4EB7B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2804	msiexec.exe	GET	200	69.192.162.201:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCEE5A5DdU7eaMAAAAAFHTlH8%3D	unknown	—	—	whitelisted
2804	msiexec.exe	GET	200	69.192.162.201:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEDWvt3udNB9q%2FI%2BERqsxNSs%3D	unknown	—	—	whitelisted
2804	msiexec.exe	GET	200	69.192.162.201:80	http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRp%2BmQDKauE4nIg%2FgknZHuBlLkfKgQUzolPglGqFaKEYsoxI2HSYfv4%2FngCEBsfGTCxoif8xXz%2BvQMkYvc%3D	unknown	—	—	whitelisted
6756	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1148	powershell.exe	POST	200	13.32.118.75:80	http://d1ph3c47yby10w.cloudfront.net/	unknown	—	—	whitelisted
4412	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4412	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5564	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2804	msiexec.exe	69.192.162.201:80	ocsp.entrust.net	AKAMAI-AS	DE	whitelisted
6756	svchost.exe	40.126.31.1:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6756	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
google.com	142.250.186.46	whitelisted
ocsp.entrust.net	69.192.162.201	whitelisted
login.live.com	40.126.31.1 40.126.31.128 20.190.159.23 40.126.31.3 40.126.31.2 20.190.159.130 40.126.31.73 20.190.159.0	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	69.192.161.161	whitelisted
go.microsoft.com	69.192.162.125	whitelisted
d1ph3c47yby10w.cloudfront.net	13.32.118.75 13.32.118.131 13.32.118.166 13.32.118.218	whitelisted
slscr.update.microsoft.com	135.233.95.144	whitelisted

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
1148	powershell.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] BBWC a browser hijacker app (PUP)

General Info

PDFTools_12345678.msi

47259EB05F1099F5B829FEE96884EE0A

DD3A46E7D491440ABC5FB1B7E383C158700F7AEF

E505E4BC6C76F8CCD1D626832D1D5D5D2852A5C78016C43BDC2F502AF6E40396

196608:ibhzalATfCthlONgEtSqtlgymzm5vD8uINAnfL2bfndz6lNF6qkGJqZqz:ihy/ldEVtlnm48unabfdEVd

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

BBWC has been detected (SURICATA)

SUSPICIOUS

Executes as Windows Service

Reads the Windows owner or organization settings

The process hide an interactive prompt from the user

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Retrieves command line args for running process (POWERSHELL)

The process executes Powershell scripts

Gets content of a file (POWERSHELL)

Access to an unwanted program domain was detected

Drops 7-zip archiver for unpacking

Process drops legitimate windows executable

The process drops C-runtime libraries

INFO

An automatically generated document

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Reads the software policy settings

Checks proxy server information

Checks supported languages

Reads the computer name

Reads Environment values

The sample compiled with english language support

Executable content was dropped or overwritten

Manages system restore points

Reads the machine GUID from the registry

Create files in a temporary directory

Uses string replace method (POWERSHELL)

Script raised an exception (POWERSHELL)

Disables trace logs

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity