File name: Updater_31718.js

Full analysis: https://app.any.run/tasks/f337b9b0-5da5-4e6e-9df0-a1f6f2843276
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 03, 2025, 17:55:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
auto-download
exploit
auto-startup
evasion
telegram
arch-doc
arch-scr
Indicators:
MIME: application/javascript
File info: JavaScript source, ASCII text, with very long lines (49255)
MD5: 660F6D7B790C2188DD7BD6C0C80E5293
SHA1: FD9483B5938F8431807BC170938475776457DB55
SHA256: FE3C13F85B4D4E938BE59B6444FB0346750A31FB5829880B5349174033FC4AA4
SSDEEP: 1536:hD3C6g4FgfKNeu7vC6zUadXL11G1YObBuG:hD3rg4KKeCPzUadXL/G15/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 3148)
      • wscript.exe (PID: 7180)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)

      • wscript.exe (PID: 3148)
    • Detects the decoding of a binary file from Base64 (SCRIPT)

      • wscript.exe (PID: 3148)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 3148)
    • Gets %appdata% folder path (SCRIPT)

      • wscript.exe (PID: 3148)
      • wscript.exe (PID: 7180)
    • Uses base64 encoding (SCRIPT)

      • wscript.exe (PID: 3148)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 3148)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 3148)
    • Starts CMD.EXE for self-deleting

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 1472)
      • wscript.exe (PID: 7180)
    • Executing a file with an untrusted certificate

      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 7004)
      • nasa.exe (PID: 6812)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2356)
    • Create files in the Startup directory

      • wscript.exe (PID: 7180)
    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 7180)
    • Gets startup folder path (SCRIPT)

      • wscript.exe (PID: 7180)
  • SUSPICIOUS

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 3148)
      • wscript.exe (PID: 7180)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 3148)
      • wscript.exe (PID: 7180)
    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 3148)
    • Checks whether a specific file exists (SCRIPT)

      • wscript.exe (PID: 3148)
    • Creates XML DOM element (SCRIPT)

      • wscript.exe (PID: 3148)
    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 3148)
    • Script creates XML DOM node (SCRIPT)

      • wscript.exe (PID: 3148)
    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 3148)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 3148)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 3148)
    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 3148)
    • Uses ATTRIB.EXE to modify file attributes

      • wscript.exe (PID: 3148)
      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 1472)
      • cmd.exe (PID: 6820)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3148)
      • wscript.exe (PID: 7180)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 4540)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 3148)
      • cmd.exe (PID: 4540)
      • powershell.exe (PID: 2356)
      • cmd.exe (PID: 1472)
      • cmd.exe (PID: 6820)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3148)
      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 1472)
      • powershell.exe (PID: 2356)
      • wscript.exe (PID: 7180)
      • cmd.exe (PID: 6820)
    • Application launched itself

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 1472)
      • cmd.exe (PID: 6820)
    • Hides command output

      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 592)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 6820)
    • Process copies executable file

      • cmd.exe (PID: 1472)
    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 3788)
      • nasa.exe (PID: 3940)
      • wscript.exe (PID: 3148)
      • 7za.exe (PID: 8012)
      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8160)
    • The executable file from the user directory is run by the CMD process

      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 7004)
      • 7za.exe (PID: 4884)
      • nasa.exe (PID: 6812)
      • 7za.exe (PID: 8012)
      • javaw.exe (PID: 8144)
      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8160)
    • Drops 7-zip archiver for unpacking

      • nasa.exe (PID: 3940)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1472)
    • Starts process via Powershell

      • powershell.exe (PID: 2356)
    • The process drops C-runtime libraries

      • 7za.exe (PID: 8012)
    • Process drops legitimate windows executable

      • 7za.exe (PID: 8012)
    • The process executes JS scripts

      • cmd.exe (PID: 6820)
    • Get information on the list of running processes

      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 592)
    • Connects to unusual port

      • javaw.exe (PID: 8144)
    • Starts NET.EXE to display or manage information about active sessions

      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
      • net.exe (PID: 7668)
      • net.exe (PID: 7768)
    • Checks for external IP

      • svchost.exe (PID: 2200)
      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
    • There is functionality for taking screenshot (YARA)

      • AcroCEF.exe (PID: 3844)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
    • Identifying current user with WHOAMI command

      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
  • INFO

    • Creates files or folders in the user directory

      • certutil.exe (PID: 320)
      • xcopy.exe (PID: 3788)
      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 7004)
      • 7za.exe (PID: 4884)
      • nasa.exe (PID: 6812)
      • 7za.exe (PID: 8012)
      • javaw.exe (PID: 8160)
    • Create files in a temporary directory

      • certutil.exe (PID: 3840)
      • javaw.exe (PID: 8160)
      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8144)
    • Reads the machine GUID from the registry

      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 7004)
      • nasa.exe (PID: 6812)
      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8160)
    • Reads the computer name

      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 7004)
      • nasa.exe (PID: 6812)
      • 7za.exe (PID: 8012)
      • javaw.exe (PID: 8144)
      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8160)
      • 7za.exe (PID: 4884)
    • Checks supported languages

      • nasa.exe (PID: 3940)
      • nasa.exe (PID: 4084)
      • nasa.exe (PID: 7004)
      • 7za.exe (PID: 4884)
      • nasa.exe (PID: 6812)
      • 7za.exe (PID: 8012)
      • javaw.exe (PID: 8152)
      • javaw.exe (PID: 8144)
      • javaw.exe (PID: 8160)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7064)
    • The sample compiled with english language support

      • nasa.exe (PID: 3940)
      • 7za.exe (PID: 8012)
    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 7064)
      • notepad.exe (PID: 7900)
    • Application launched itself

      • Acrobat.exe (PID: 4400)
      • AcroCEF.exe (PID: 1392)
    • Creates files in the program directory

      • javaw.exe (PID: 8144)
      • javaw.exe (PID: 8152)
    • Launching a file from the Startup directory

      • wscript.exe (PID: 7180)
    • Manual execution by a user

      • notepad.exe (PID: 7900)
      • wscript.exe (PID: 8104)
    • Reads the software policy settings

      • slui.exe (PID: 8060)
    • Checks proxy server information

      • slui.exe (PID: 8060)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 293
Monitored processes: 160
Malicious processes: 10
Suspicious processes: 3

Behavior graph

start wscript.exe attrib.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs certutil.exe no specs certutil.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs timeout.exe no specs attrib.exe no specs find.exe no specs cmd.exe no specs xcopy.exe nasa.exe openwith.exe no specs nasa.exe nasa.exe acrobat.exe acrobat.exe no specs 7za.exe no specs attrib.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs timeout.exe no specs attrib.exe no specs find.exe no specs nasa.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs 7za.exe slui.exe attrib.exe no specs javaw.exe javaw.exe javaw.exe wscript.exe icacls.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs ping.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs 
tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs svchost.exe net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs whoami.exe no specs conhost.exe no specs whoami.exe no specs conhost.exe no specs notepad.exe no specs wscript.exe no specs

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 320 | CMD: certutil -f -decode "C:\Users\admin\AppData\Local\Temp\encoded.txt" "C:\Users\admin\AppData\Roaming\dup9291.bat" | Path: C:\Windows\System32\certutil.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
PID: 320 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: tasklist.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 512 | CMD: C:\WINDOWS\system32\cmd.exe /S /D /c" echo f " | Path: C:\Windows\System32\cmd.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 592 | CMD: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul && del "C:\Users\admin\AppData\Roaming\jre\jre-1.8\lib\shortcut.js" | Path: C:\Windows\System32\cmd.exe | Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 640 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: tasklist.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 684 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: attrib.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1068 | CMD: tasklist.exe | Path: C:\Windows\SysWOW64\tasklist.exe | Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1096 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: tasklist.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: tasklist.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: whoami.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 61 228
Read events: 61 093
Write events: 130
Delete events: 5

Modification events

PID/Process: (3148) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write | Name: JScriptSetScriptStateStarted
Value: CBF4180000000000

PID/Process: (7064) OpenWith.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation: write | Name: Acrobat.Document.DC
Value:

PID/Process: (1472) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation: write | Name: Acrobat.Document.DC
Value:

PID/Process: (4400) Acrobat.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation: write | Name: DisplayName
Value: Adobe Acrobat Reader Protected Mode

PID/Process: (6648) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation: write | Name: bLastExitNormal
Value: 0

PID/Process: (2356) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write | Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID/Process: (6648) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection
Operation: write | Name: bBlockDLLInjection
Value: 0

PID/Process: (6648) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation: write | Name: sProductGUID
Value: 4143524F5F5245534944554500

PID/Process: (4400) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation: delete value | Name: ProductInfoCache
Value:

PID/Process: (6648) Acrobat.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation: write | Name: bSynchronizeOPL
Value: 0
Executable files: 169
Suspicious files: 205
Text files: 121
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

PID: 3840 | Process: certutil.exe | Filename: C:\Users\admin\AppData\Local\Temp\encoded.txt | Type: text
MD5: F0245DA07F6FB3CD55067A94C65DEC7F
SHA256: 8DC21E88B2B2352A016045FC5C7F2297346367CE57FB50A098D084E8736B8B26

PID: 3148 | Process: wscript.exe | Filename: C:\Users\admin\AppData\Roaming\nasa | Type: executable
MD5: E314B40A188DE73B6A16A8197F80EE68
SHA256: D6E2656521CA76AD47AD2C503C9F71B3D00820E8B05275D048F7DEA0C9C30BEB

PID: 7004 | Process: nasa.exe | Filename: C:\Users\admin\AppData\Roaming\7z.zip | Type: compressed
MD5: 135F25604EA7BF6E25D90467442FF154
SHA256: 7B6B828369E8882A0CEA6F7677370733F8CB2FF1556952E6C73F460D42910B04

PID: 1472 | Process: cmd.exe | Filename: C:\Users\admin\Downloads\Updater_31718.pdf | Type: pdf
MD5: 8B9292E5321BD0F650E5D443BFC0AC82
SHA256: 1ACF9D910E88258E955D0D7915D411FFE47CD7AE6D949930C0C4EB1F12C607ED

PID: 6648 | Process: Acrobat.exe | Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json
MD5: 837C1211E392A24D64C670DC10E8DA1B
SHA256: 8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031

PID: 6648 | Process: Acrobat.exe | Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6648 | Type: binary
MD5: 366B140BAFC863B7E366AA1E51604759
SHA256: CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E

PID: 2356 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Type: binary
MD5: 5C2E3A6F81F883081B9EF5920D325737
SHA256: 2AF5B48F034FB942303DA9FF8BB41A0E4666FB1BDEB948E409DA6FDF98834DB8

PID: 6648 | Process: Acrobat.exe | Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING | Type: binary
MD5: DC84B0D741E5BEAE8070013ADDCC8C28
SHA256: 81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06

PID: 1392 | Process: AcroCEF.exe | Filename: C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF190cf6.TMP | Type: text
MD5: D012E5B4EB91B61F6E8AE2F8EC3C623E
SHA256: 1BDA750084F20306722008016420E1912BA608CA8EFB9C661F7E7EFCF5E89673

PID: 1392 | Process: AcroCEF.exe | Filename: C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old | Type: text
MD5: 2EF1F7C0782D1A46974286420D24F629
SHA256: D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 60
TCP/UDP connections: 76
DNS requests: 30
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 3.5.8.224:443 | https://apocolypser.s3.us-east-1.amazonaws.com/base644.txt | US | text | 4.45 Mb | unknown
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.18.244.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | FR | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.18.244.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | FR | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
- | - | POST | 400 | 40.126.31.69:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
- | - | GET | 200 | 52.216.61.114:443 | https://publiclfolderfor-essetialcompanymatters.s3.us-east-1.amazonaws.com/base64.txt | US | text | 28.9 Kb | unknown
7008 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
7008 | RUXIMICS.exe | GET | 200 | 2.18.244.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | FR | binary | 825 b | whitelisted
- | - | POST | 200 | 40.126.31.69:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | unknown
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7008 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3148 | wscript.exe | 54.231.161.210:443 | apocolypser.s3.us-east-1.amazonaws.com | AMAZON-02 | US | shared
1268 | svchost.exe | 2.18.244.211:80 | crl.microsoft.com | Akamai International B.V. | FR | whitelisted
5944 | MoUsoCoreWorker.exe | 2.18.244.211:80 | crl.microsoft.com | Akamai International B.V. | FR | whitelisted
7008 | RUXIMICS.exe | 2.18.244.211:80 | crl.microsoft.com | Akamai International B.V. | FR | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.110
whitelisted
apocolypser.s3.us-east-1.amazonaws.com
  • 54.231.161.210
  • 52.217.200.50
  • 52.217.137.58
  • 52.216.210.74
  • 52.216.106.202
  • 52.217.97.240
  • 52.217.235.226
  • 54.231.194.226
shared
crl.microsoft.com
  • 2.18.244.211
  • 2.18.244.223
  • 23.216.77.20
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.3.109.244
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.71
  • 40.126.31.129
  • 40.126.31.2
  • 20.190.159.128
  • 20.190.159.130
  • 40.126.31.130
  • 40.126.31.71
whitelisted
publiclfolderfor-essetialcompanymatters.s3.us-east-1.amazonaws.com
  • 52.217.163.226
  • 54.231.138.74
  • 52.216.63.50
  • 16.15.194.117
  • 3.5.23.114
  • 52.216.153.152
  • 16.15.188.115
  • 52.217.100.168
shared
dy7h8izgcodp3.cloudfront.net
  • 54.192.196.220
  • 54.192.196.131
  • 54.192.196.200
  • 54.192.196.193
whitelisted
olyguard.s3.us-east-1.amazonaws.com
  • 52.217.134.50
  • 3.5.3.182
  • 52.216.56.26
  • 16.15.218.235
  • 16.15.196.241
  • 52.216.212.122
  • 52.217.194.210
  • 52.217.75.136
shared
geo2.adobe.com
  • 2.22.76.159
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET HUNTING Base64 Encoded Executable over Raw TCP
- | - | Misc activity | ET HUNTING EXE Base64 Encoded potential malware
- | - | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Attempted Administrator Privilege Gain | AV EXPLOIT Potential ZIP file exploiting CVE-2023-36413
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)
8152 | javaw.exe | Potentially Bad Traffic | ET INFO Vulnerable Java Version 1.8.x Detected
8152 | javaw.exe | Potentially Bad Traffic | ET INFO Vulnerable Java Version 1.8.x Detected
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup)
8160 | javaw.exe | Device Retrieving External IP Address Detected | ET INFO External IP Check (checkip .amazonaws .com)
No debug info