File name: harbinger_of_death.bat

Full analysis: https://app.any.run/tasks/d6e6c547-36b3-4b7e-9c52-ba137f548b07
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 26, 2025, 09:41:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
auto-reg
loader
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5: 1A046284B733806E760488181E1F7CBA
SHA1: 0408D680E094680BF28E69139C463A0A2F4F45D4
SHA256: AC3DC6BF8D696E43B1E48D051E62E57744EE83B0E137A1CC383FF03436E080F6
SSDEEP: 12:kBiAtiAtiAtiAtiAtiAtiAiJVj8P9BuCcFKUideJlIh+YVJ6rfxsjTYkhNlj2a8:KDDDDDDiJVoSKUIeJlu6b6Y2h98

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 7744)
    • Executing a file with an untrusted certificate

      • update.exe (PID: 8804)
      • update.exe (PID: 8540)
  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 7416)
      • AdobeCollabSync.exe (PID: 2088)
      • Acrobat.exe (PID: 1040)
      • CCleaner64.exe (PID: 7704)
      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 8688)
      • CCleaner64.exe (PID: 8644)
      • msiexec.exe (PID: 9184)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7416)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7416)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7416)
    • Reads Microsoft Outlook installation path

      • Eula.exe (PID: 300)
    • Reads Internet Explorer settings

      • Eula.exe (PID: 300)
      • CCleaner64.exe (PID: 8688)
      • CCleaner64.exe (PID: 8644)
    • Reads security settings of Internet Explorer

      • Eula.exe (PID: 300)
      • AdobeCollabSync.exe (PID: 7996)
      • AdobeCollabSync.exe (PID: 2088)
      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 7704)
    • Executes application which crashes

      • adobe_licensing_wf_helper_acro.exe (PID: 8072)
    • Reads the date of Windows installation

      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 7704)
    • Executable content was dropped or overwritten

      • CCleaner64.exe (PID: 8688)
      • CCleaner64.exe (PID: 8644)
      • uninst.exe (PID: 9124)
      • Un_A.exe (PID: 8364)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8472)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 5428)
      • CCleaner64.exe (PID: 7264)
    • Starts itself from another location

      • uninst.exe (PID: 9124)
    • Checks for external IP

      • CCUpdate.exe (PID: 8616)
      • CCleaner64.exe (PID: 8688)
      • CCleaner64.exe (PID: 8644)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Un_A.exe (PID: 8364)
    • Process drops legitimate windows executable

      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8472)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 5428)
    • Executes as Windows Service

      • armsvc.exe (PID: 9988)
    • Query current time using 'w32tm.exe'

      • CCleaner64.exe (PID: 8688)
  • INFO

    • Checks supported languages

      • AcrobatInfo.exe (PID: 7884)
      • AcroBroker.exe (PID: 8020)
      • AcroTextExtractor.exe (PID: 8136)
      • ADelRCP.exe (PID: 6240)
      • acrobat_sl.exe (PID: 7972)
      • AdobeCollabSync.exe (PID: 2088)
      • CRWindowsClientService.exe (PID: 2504)
      • Eula.exe (PID: 300)
      • ADNotificationManager.exe (PID: 4408)
      • CRLogTransport.exe (PID: 5640)
      • adobe_licensing_wf_acro.exe (PID: 736)
      • AdobeCollabSync.exe (PID: 7996)
      • SingleClientServicesUpdater.exe (PID: 7744)
      • SingleClientServicesUpdater.exe (PID: 1096)
      • WCChromeNativeMessagingHost.exe (PID: 6592)
      • adobe_licensing_wf_helper_acro.exe (PID: 8072)
      • 32BitMAPIBroker.exe (PID: 4988)
      • 64BitMAPIBroker.exe (PID: 4452)
      • AcroCEF.exe (PID: 900)
      • FullTrustNotifier.exe (PID: 6476)
      • Acrobat.exe (PID: 1040)
      • Acrobat.exe (PID: 7612)
      • CCleaner.exe (PID: 4892)
      • CCleaner64.exe (PID: 8072)
      • MSRMSPIBroker.exe (PID: 1056)
      • CCleaner64.exe (PID: 7704)
      • CCleanerReactivator.exe (PID: 8308)
      • CCleanerBugReport.exe (PID: 1020)
      • CCleanerPerformanceOptimizerService.exe (PID: 8276)
      • CCUpdate.exe (PID: 8616)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8688)
      • uninst.exe (PID: 9124)
      • wa_3rd_party_host_64.exe (PID: 9160)
    • Launch of the file from Registry key

      • reg.exe (PID: 7744)
    • Reads the computer name

      • AcroBroker.exe (PID: 8020)
      • Eula.exe (PID: 300)
      • AdobeCollabSync.exe (PID: 2088)
      • AdobeCollabSync.exe (PID: 7996)
      • FullTrustNotifier.exe (PID: 6476)
      • Acrobat.exe (PID: 1040)
      • Acrobat.exe (PID: 7612)
      • CCleaner.exe (PID: 4892)
      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 7704)
      • CCleanerPerformanceOptimizerService.exe (PID: 8276)
      • CCleanerBugReport.exe (PID: 1020)
      • CCUpdate.exe (PID: 8616)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8688)
    • Application launched itself

      • Acrobat.exe (PID: 7876)
      • Acrobat.exe (PID: 7992)
      • AcroCEF.exe (PID: 8036)
    • Checks proxy server information

      • AdobeCollabSync.exe (PID: 2088)
      • Eula.exe (PID: 300)
      • AdobeCollabSync.exe (PID: 7996)
    • Creates files or folders in the user directory

      • AdobeCollabSync.exe (PID: 7996)
      • WerFault.exe (PID: 7268)
    • Reads the machine GUID from the registry

      • AdobeCollabSync.exe (PID: 7996)
      • CCleanerBugReport.exe (PID: 1020)
      • CCUpdate.exe (PID: 8616)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8688)
    • Reads Environment values

      • CCleaner.exe (PID: 4892)
      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 7704)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8688)
    • Process checks computer location settings

      • CCleaner64.exe (PID: 7704)
      • CCleaner64.exe (PID: 8072)
    • Reads CPU info

      • CCleanerBugReport.exe (PID: 1020)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8688)
    • Reads the software policy settings

      • CCUpdate.exe (PID: 8616)
    • Creates files in the program directory

      • CCleaner64.exe (PID: 8688)
      • CCleaner64.exe (PID: 8644)
    • Reads product name

      • CCleaner64.exe (PID: 8688)
      • CCleaner64.exe (PID: 8644)
    • The sample compiled with english language support

      • CCleaner64.exe (PID: 8688)
      • uninst.exe (PID: 9124)
      • CCleaner64.exe (PID: 8644)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8472)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 5428)
      • CCleaner64.exe (PID: 7264)
      • msiexec.exe (PID: 8532)
      • msiexec.exe (PID: 9184)
      • msiexec.exe (PID: 5036)
    • Create files in a temporary directory

      • uninst.exe (PID: 9124)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 8532)
      • msiexec.exe (PID: 9184)
      • msiexec.exe (PID: 5036)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 9184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 282
Monitored processes: 146
Malicious processes: 3
Suspicious processes: 8

Behavior graph

(Interactive process graph; not reproduced in this export, see the full report)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe"
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Parent process: cmd.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Eula display
Version:
23.1.20064.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\eula.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 496
CMD: "C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe"
Path: C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Touch Keyboard and Handwriting Panel
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\common files\microsoft shared\ink\tabtip.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 684
CMD: "C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe"
Path: C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Touch Keyboard and Handwriting Panel
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\common files\microsoft shared\ink\tabtip.exe
c:\windows\system32\ntdll.dll
PID: 736
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe"
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Parent process: cmd.exe
User:
admin
Company:
Adobe Inc.
Integrity Level:
MEDIUM
Description:
Adobe Licensing WF
Version:
1.6.0.4
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\adobe_licensing_wf_acro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 900
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe"
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Parent process: cmd.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1020
CMD: "C:\Program Files\CCleaner\CCleanerBugReport.exe"
Path: C:\Program Files\CCleaner\CCleanerBugReport.exe
Parent process: cmd.exe
User:
admin
Company:
Piriform Software
Integrity Level:
MEDIUM
Description:
CCleaner Bug Report
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\program files\ccleaner\ccleanerbugreport.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 1040
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe"
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Parent process: cmd.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat
Exit code:
255
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\x86\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 1052
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 90C32D2B21B37C5B1793521723072BB3 E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1056
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe"
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\plug_ins\pi_brokers\msrmspibroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1088
CMD: "C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-FF00-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe"
Path: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-FF00-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Update Package
Exit code:
3221226540
Version:
3.1
Modules
Images
c:\program files\common files\adobe\acrobat\setup\{ac76ba86-1033-ff00-7760-bc15014ea700}\windowsinstaller-kb893803-v2-x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 103 570
Read events: 100 954
Write events: 2 400
Delete events: 216

Modification events

(PID) Process: (7744) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: harbinger_of_death
Value: C:\Users\admin\Desktop\harbinger_of_death.bat

(PID) Process: (7876) Acrobat.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation: write
Name: DisplayName
Value: Adobe Acrobat Reader Protected Mode

(PID) Process: (7992) Acrobat.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation: write
Name: DisplayName
Value: Adobe Acrobat Reader Protected Mode

(PID) Process: (5024) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation: write
Name: bLastExitNormal
Value: 0

(PID) Process: (7992) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\Privileged
Operation: write
Name: bProtectedMode
Value: 1

(PID) Process: (5024) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation: delete value
Name: iIPMDiffClientIdThreshold
Value:

(PID) Process: (5024) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation: delete value
Name: iIPMNGLWinHttpAsyncThreshold
Value:

(PID) Process: (5024) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation: write
Name: bSynchronizeOPL
Value: 0

(PID) Process: (2568) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation: write
Name: iSLExitTimeHighPart
Value: 31182370

(PID) Process: (2568) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation: write
Name: iSLExitTimeLowPart
Value:

Executable files: 140
Suspicious files: 470
Text files: 38
Unknown types: 0

Dropped files

PID: 5024
Process: Acrobat.exe
Filename: C:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2025-05-26 09-41-42-795.log
Type: text
MD5: 460C6041966002D8384A18C895A65EB0
SHA256: C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9

PID: 8036
Process: AcroCEF.exe
Filename: C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index
Type: binary
MD5: 54CB446F628B2EA4A5BCE5769910512E
SHA256: FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D

PID: 5024
Process: Acrobat.exe
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json
Type: binary
MD5: 837C1211E392A24D64C670DC10E8DA1B
SHA256: 8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031

PID: 8036
Process: AcroCEF.exe
Filename: C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index
Type: binary
MD5: 54CB446F628B2EA4A5BCE5769910512E
SHA256: FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D

PID: 8036
Process: AcroCEF.exe
Filename: C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\temp-index
Type: binary
MD5: 60197830AE2594C5831B209CCA551634
SHA256: 3665C95CD87CCD527EA01FDAE9F49CC660BF09F6F414DC19077E04EFB6D74652

PID: 5024
Process: Acrobat.exe
Filename: C:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt
Type: text
MD5: 1D9C279AFAE9ED28EC3DF165C80D5BE1
SHA256: 614DFB0E2F78AB837AD09BBC974FE0730AAF3DB8C32AC8B120E68E87CC275E02

PID: 8036
Process: AcroCEF.exe
Filename: C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000001.dbtmp
Type: text
MD5: 46295CAC801E5D4857D09837238A6394
SHA256: 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443

PID: 3156
Process: AcroCEF.exe
Filename: C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\000001.dbtmp
Type: text
MD5: 46295CAC801E5D4857D09837238A6394
SHA256: 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443

PID: 5024
Process: Acrobat.exe
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING
Type: binary
MD5: DC84B0D741E5BEAE8070013ADDCC8C28
SHA256: 81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06

PID: 3156
Process: AcroCEF.exe
Filename: C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\MANIFEST-000001
Type: binary
MD5: 5AF87DFD673BA2115E2FCF5CFDB727AB
SHA256: F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 124
TCP/UDP connections: 82
DNS requests: 35
Threats: 9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.35.236.137:443
https://geo2.adobe.com/
unknown
text
48 b
whitelisted
OPTIONS
204
52.5.13.197:443
https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=IL&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64
unknown
GET
200
23.22.254.206:443
https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=IL&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64
unknown
binary
187 b
whitelisted
GET
200
2.23.244.205:443
https://armmf.adobe.com/onboarding/smskillreader.txt
unknown
text
120 b
whitelisted
GET
200
34.111.175.102:443
https://ip-info.ff.avast.com/v2/info
unknown
binary
344 b
whitelisted
GET
304
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
8688
CCleaner64.exe
GET
200
23.48.23.10:80
http://ncc.avast.com/ncc.txt
unknown
whitelisted
8644
CCleaner64.exe
GET
200
23.48.23.10:80
http://ncc.avast.com/ncc.txt
unknown
whitelisted
8616
CCUpdate.exe
HEAD
200
23.48.23.40:80
http://emupdate.avcdn.net/files/emupdate/pong.txt
unknown
whitelisted
8616
CCUpdate.exe
GET
200
23.48.23.7:80
http://ccleaner.tools.avcdn.net/tools/ccleaner/update/patches.ini
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5244
AcroCEF.exe
23.35.236.137:443
geo2.adobe.com
AKAMAI-AS
DE
whitelisted
5244
AcroCEF.exe
23.22.254.206:443
p13n.adobe.io
AMAZON-AES
US
whitelisted
5244
AcroCEF.exe
2.23.244.205:443
armmf.adobe.com
Ooredoo Q.S.C.
QA
whitelisted
8616
CCUpdate.exe
34.111.175.102:443
ip-info.ff.avast.com
GOOGLE
US
whitelisted
8556
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.174
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
geo2.adobe.com
  • 23.35.236.137
whitelisted
p13n.adobe.io
  • 23.22.254.206
  • 54.227.187.23
  • 52.202.204.11
  • 52.5.13.197
whitelisted
armmf.adobe.com
  • 2.23.244.205
whitelisted
ip-info.ff.avast.com
  • 34.111.175.102
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
ncc.avast.com
  • 23.48.23.10
  • 23.48.23.31
  • 23.48.23.28
  • 23.48.23.11
whitelisted
emupdate.avcdn.net
  • 23.48.23.40
  • 23.48.23.4
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
8616
CCUpdate.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Potential Corporate Privacy Violation
ET INFO External IP Lookup (avast .com)
8688
CCleaner64.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
8644
CCleaner64.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Potential Corporate Privacy Violation
ET INFO External IP Lookup (avast .com)
Potential Corporate Privacy Violation
ET INFO External IP Lookup (avast .com)
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
No debug info