File name:

Updater_31718.js

Full analysis: https://app.any.run/tasks/f337b9b0-5da5-4e6e-9df0-a1f6f2843276
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 03, 2025, 17:55:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
auto-download
exploit
auto-startup
evasion
telegram
arch-doc
arch-scr
Indicators:
MIME: application/javascript
File info: JavaScript source, ASCII text, with very long lines (49255)
MD5:

660F6D7B790C2188DD7BD6C0C80E5293

SHA1:

FD9483B5938F8431807BC170938475776457DB55

SHA256:

FE3C13F85B4D4E938BE59B6444FB0346750A31FB5829880B5349174033FC4AA4

SSDEEP:

1536:hD3C6g4FgfKNeu7vC6zUadXL11G1YObBuG:hD3rg4KKeCPzUadXL/G15/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 3148)
      • wscript.exe (PID: 7180)
    • Gets %appdata% folder path (SCRIPT)

      • wscript.exe (PID: 3148)
      • wscript.exe (PID: 7180)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)

      • wscript.exe (PID: 3148)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 3148)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 3148)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 3148)
    • Detects the decoding of a binary file from Base64 (SCRIPT)

      • wscript.exe (PID: 3148)
    • Uses base64 encoding (SCRIPT)

      • wscript.exe (PID: 3148)
    • Starts CMD.EXE for self-deleting

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 1472)
      • wscript.exe (PID: 7180)
    • Executing a file with an untrusted certificate

      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 7004)
      • nasa.exe (PID: 6812)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2356)
    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 7180)
    • Gets startup folder path (SCRIPT)

      • wscript.exe (PID: 7180)
    • Create files in the Startup directory

      • wscript.exe (PID: 7180)
  • SUSPICIOUS

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 3148)
      • wscript.exe (PID: 7180)
    • Checks whether a specific file exists (SCRIPT)

      • wscript.exe (PID: 3148)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 3148)
    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 3148)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 3148)
      • wscript.exe (PID: 7180)
    • Creates XML DOM element (SCRIPT)

      • wscript.exe (PID: 3148)
    • Script creates XML DOM node (SCRIPT)

      • wscript.exe (PID: 3148)
    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 3148)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 3148)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 3148)
    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 3148)
    • Executable content was dropped or overwritten

      • wscript.exe (PID: 3148)
      • xcopy.exe (PID: 3788)
      • nasa.exe (PID: 3940)
      • 7za.exe (PID: 8012)
      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8160)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3148)
      • wscript.exe (PID: 7180)
    • Uses ATTRIB.EXE to modify file attributes

      • wscript.exe (PID: 3148)
      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 1472)
      • cmd.exe (PID: 6820)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 3148)
      • cmd.exe (PID: 4540)
      • powershell.exe (PID: 2356)
      • cmd.exe (PID: 1472)
      • cmd.exe (PID: 6820)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3148)
      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 1472)
      • powershell.exe (PID: 2356)
      • wscript.exe (PID: 7180)
      • cmd.exe (PID: 6820)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 4540)
    • Application launched itself

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 1472)
      • cmd.exe (PID: 6820)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 6820)
    • Hides command output

      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 592)
    • Process copies executable file

      • cmd.exe (PID: 1472)
    • The executable file from the user directory is run by the CMD process

      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 7004)
      • 7za.exe (PID: 4884)
      • nasa.exe (PID: 6812)
      • 7za.exe (PID: 8012)
      • javaw.exe (PID: 8144)
      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8160)
    • Drops 7-zip archiver for unpacking

      • nasa.exe (PID: 3940)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1472)
    • Starts process via Powershell

      • powershell.exe (PID: 2356)
    • Process drops legitimate windows executable

      • 7za.exe (PID: 8012)
    • The process drops C-runtime libraries

      • 7za.exe (PID: 8012)
    • The process executes JS scripts

      • cmd.exe (PID: 6820)
    • Get information on the list of running processes

      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 592)
    • Starts NET.EXE to display or manage information about active sessions

      • net.exe (PID: 7668)
      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
      • net.exe (PID: 7768)
    • Checks for external IP

      • svchost.exe (PID: 2200)
      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
    • Identifying current user with WHOAMI command

      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8160)
    • Connects to unusual port

      • javaw.exe (PID: 8144)
    • There is functionality for taking screenshot (YARA)

      • AcroCEF.exe (PID: 3844)
  • INFO

    • Create files in a temporary directory

      • certutil.exe (PID: 3840)
      • javaw.exe (PID: 8144)
      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
    • Creates files or folders in the user directory

      • certutil.exe (PID: 320)
      • xcopy.exe (PID: 3788)
      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 7004)
      • 7za.exe (PID: 4884)
      • nasa.exe (PID: 6812)
      • 7za.exe (PID: 8012)
      • javaw.exe (PID: 8160)
    • Checks supported languages

      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 7004)
      • 7za.exe (PID: 4884)
      • nasa.exe (PID: 6812)
      • 7za.exe (PID: 8012)
      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8144)
      • javaw.exe (PID: 8160)
    • Reads the machine GUID from the registry

      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 7004)
      • nasa.exe (PID: 6812)
      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
    • Reads the computer name

      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 7004)
      • 7za.exe (PID: 4884)
      • nasa.exe (PID: 6812)
      • 7za.exe (PID: 8012)
      • javaw.exe (PID: 8144)
      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8160)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7064)
    • The sample compiled with english language support

      • nasa.exe (PID: 3940)
      • 7za.exe (PID: 8012)
    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 7064)
      • notepad.exe (PID: 7900)
    • Application launched itself

      • Acrobat.exe (PID: 4400)
      • AcroCEF.exe (PID: 1392)
    • Creates files in the program directory

      • javaw.exe (PID: 8144)
      • javaw.exe (PID: 8152)
    • Launching a file from the Startup directory

      • wscript.exe (PID: 7180)
    • Manual execution by a user

      • notepad.exe (PID: 7900)
      • wscript.exe (PID: 8104)
    • Reads the software policy settings

      • slui.exe (PID: 8060)
    • Checks proxy server information

      • slui.exe (PID: 8060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 293
Monitored processes: 160
Malicious processes: 10
Suspicious processes: 3

Behavior graph

start wscript.exe attrib.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs certutil.exe no specs certutil.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs timeout.exe no specs attrib.exe no specs find.exe no specs cmd.exe no specs xcopy.exe nasa.exe openwith.exe no specs nasa.exe nasa.exe acrobat.exe acrobat.exe no specs 7za.exe no specs attrib.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs timeout.exe no specs attrib.exe no specs find.exe no specs nasa.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs 7za.exe slui.exe attrib.exe no specs javaw.exe javaw.exe javaw.exe wscript.exe icacls.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs ping.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs 
tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs svchost.exe net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs whoami.exe no specs conhost.exe no specs whoami.exe no specs conhost.exe no specs notepad.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 320
CMD: certutil -f -decode "C:\Users\admin\AppData\Local\Temp\encoded.txt" "C:\Users\admin\AppData\Roaming\dup9291.bat"
Path: C:\Windows\System32\certutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
PID: 320
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 512
CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo f "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 592
CMD: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul && del "C:\Users\admin\AppData\Roaming\jre\jre-1.8\lib\shortcut.js"
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 640
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 684
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: attrib.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1068
CMD: tasklist.exe
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1096
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tasklist.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: whoami.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 61 228
Read events: 61 093
Write events: 130
Delete events: 5

Modification events

(PID) Process: (3148) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: CBF4180000000000

(PID) Process: (7064) OpenWith.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation: write
Name: Acrobat.Document.DC
Value: (empty)

(PID) Process: (1472) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation: write
Name: Acrobat.Document.DC
Value: (empty)

(PID) Process: (4400) Acrobat.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation: write
Name: DisplayName
Value: Adobe Acrobat Reader Protected Mode

(PID) Process: (6648) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation: write
Name: bLastExitNormal
Value: 0

(PID) Process: (2356) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (6648) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection
Operation: write
Name: bBlockDLLInjection
Value: 0

(PID) Process: (6648) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation: write
Name: sProductGUID
Value: 4143524F5F5245534944554500

(PID) Process: (4400) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation: delete value
Name: ProductInfoCache
Value: (empty)

(PID) Process: (6648) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation: write
Name: bSynchronizeOPL
Value: 0
Executable files: 169
Suspicious files: 205
Text files: 121
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 3940
Process: nasa.exe
Filename: C:\Users\admin\AppData\Roaming\7za.exe
Type: executable
MD5: 86D2E800B12CE5DA07F9BD2832870577
SHA256: 223B873C50380FE9A39F1A22B6ABF8D46DB506E1C08D08312902F6F3CD1F7AC3

PID: 3148
Process: wscript.exe
Filename: C:\Users\admin\vlkthiz6.bat
Type: text
MD5: 515888353F816FA5A685D66549B1CCC7
SHA256: 5FEFDAA9A402B1EA885625FEBED60447D2491CD21DFDDF71D5FADF4F170F5945

PID: 320
Process: certutil.exe
Filename: C:\Users\admin\AppData\Roaming\dup9291.bat
Type: text
MD5: 515888353F816FA5A685D66549B1CCC7
SHA256: 5FEFDAA9A402B1EA885625FEBED60447D2491CD21DFDDF71D5FADF4F170F5945

PID: 3788
Process: xcopy.exe
Filename: C:\Users\admin\AppData\Roaming\nasa.exe
Type: executable
MD5: E314B40A188DE73B6A16A8197F80EE68
SHA256: D6E2656521CA76AD47AD2C503C9F71B3D00820E8B05275D048F7DEA0C9C30BEB

PID: 1472
Process: cmd.exe
Filename: C:\Users\admin\Downloads\Updater_31718.pdf
Type: pdf
MD5: 1E6023079CD33A046CDC67AC0843DC06
SHA256: CC02566A3C1266AF489FAF001413BC7DA01C2DC016B5BB4569C5F6B5FF1ED8C8

PID: 2356
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 5C2E3A6F81F883081B9EF5920D325737
SHA256: 2AF5B48F034FB942303DA9FF8BB41A0E4666FB1BDEB948E409DA6FDF98834DB8

PID: 6648
Process: Acrobat.exe
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING
Type: binary
MD5: DC84B0D741E5BEAE8070013ADDCC8C28
SHA256: 81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06

PID: 3840
Process: certutil.exe
Filename: C:\Users\admin\AppData\Local\Temp\encoded.txt
Type: text
MD5: F0245DA07F6FB3CD55067A94C65DEC7F
SHA256: 8DC21E88B2B2352A016045FC5C7F2297346367CE57FB50A098D084E8736B8B26

PID: 3148
Process: wscript.exe
Filename: C:\Users\admin\AppData\Roaming\nasa
Type: executable
MD5: E314B40A188DE73B6A16A8197F80EE68
SHA256: D6E2656521CA76AD47AD2C503C9F71B3D00820E8B05275D048F7DEA0C9C30BEB

PID: 4084
Process: nasa.exe
Filename: C:\Users\admin\AppData\Roaming\neft.pdf
Type: pdf
MD5: 1E6023079CD33A046CDC67AC0843DC06
SHA256: CC02566A3C1266AF489FAF001413BC7DA01C2DC016B5BB4569C5F6B5FF1ED8C8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 60
TCP/UDP connections: 76
DNS requests: 30
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.18.244.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | FR | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
- | - | POST | 200 | 40.126.31.69:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | unknown
- | - | POST | 400 | 40.126.31.69:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
- | - | POST | 400 | 40.126.31.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
1268 | svchost.exe | GET | 200 | 2.18.244.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | FR | binary | 825 b | whitelisted
7008 | RUXIMICS.exe | GET | 200 | 2.18.244.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | FR | binary | 825 b | whitelisted
- | - | GET | 200 | 3.5.8.224:443 | https://apocolypser.s3.us-east-1.amazonaws.com/base644.txt | US | text | 4.45 Mb | unknown
- | - | POST | 400 | 40.126.31.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
- | - | POST | 400 | 40.126.31.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
(PID and process are not listed in the report for rows marked "-".)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7008 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3148 | wscript.exe | 54.231.161.210:443 | apocolypser.s3.us-east-1.amazonaws.com | AMAZON-02 | US | shared
1268 | svchost.exe | 2.18.244.211:80 | crl.microsoft.com | Akamai International B.V. | FR | whitelisted
5944 | MoUsoCoreWorker.exe | 2.18.244.211:80 | crl.microsoft.com | Akamai International B.V. | FR | whitelisted
7008 | RUXIMICS.exe | 2.18.244.211:80 | crl.microsoft.com | Akamai International B.V. | FR | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.110
whitelisted
apocolypser.s3.us-east-1.amazonaws.com
  • 54.231.161.210
  • 52.217.200.50
  • 52.217.137.58
  • 52.216.210.74
  • 52.216.106.202
  • 52.217.97.240
  • 52.217.235.226
  • 54.231.194.226
shared
crl.microsoft.com
  • 2.18.244.211
  • 2.18.244.223
  • 23.216.77.20
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.3.109.244
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.71
  • 40.126.31.129
  • 40.126.31.2
  • 20.190.159.128
  • 20.190.159.130
  • 40.126.31.130
  • 40.126.31.71
whitelisted
publiclfolderfor-essetialcompanymatters.s3.us-east-1.amazonaws.com
  • 52.217.163.226
  • 54.231.138.74
  • 52.216.63.50
  • 16.15.194.117
  • 3.5.23.114
  • 52.216.153.152
  • 16.15.188.115
  • 52.217.100.168
shared
dy7h8izgcodp3.cloudfront.net
  • 54.192.196.220
  • 54.192.196.131
  • 54.192.196.200
  • 54.192.196.193
whitelisted
olyguard.s3.us-east-1.amazonaws.com
  • 52.217.134.50
  • 3.5.3.182
  • 52.216.56.26
  • 16.15.218.235
  • 16.15.196.241
  • 52.216.212.122
  • 52.217.194.210
  • 52.217.75.136
shared
geo2.adobe.com
  • 2.22.76.159
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET HUNTING Base64 Encoded Executable over Raw TCP
- | - | Misc activity | ET HUNTING EXE Base64 Encoded potential malware
- | - | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Attempted Administrator Privilege Gain | AV EXPLOIT Potential ZIP file exploiting CVE-2023-36413
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)
8152 | javaw.exe | Potentially Bad Traffic | ET INFO Vulnerable Java Version 1.8.x Detected
8152 | javaw.exe | Potentially Bad Traffic | ET INFO Vulnerable Java Version 1.8.x Detected
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
8160 | javaw.exe | Device Retrieving External IP Address Detected | ET INFO External IP Check (checkip .amazonaws .com)
(PID and process are not listed in the report for rows marked "-".)
No debug info