File name:

Adobe_Activator.exe

Full analysis: https://app.any.run/tasks/b65b27e2-58ab-4c52-9a51-4c8072b7b647
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Malware Trends Tracker     >>>
Analysis date: March 31, 2024, 21:44:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
hijackloader
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

ECAA6F88C3B6594914A8FFDE04FD5D84

SHA1:

885E4370299D369F7285BA5F2C544CBCD70A5FD0

SHA256:

11571917015ADBF3B5196509E1082C8D415F011CCE88BD8B16E9D9C5A39AC432

SSDEEP:

98304:CfG4fhN/jIpy1cLCBL1/nsrmqp1nZvTUaMqIPDLEioOCimaCZNN1iz1GyvyKQJG9:swHmHe/Gdx7DSA1Tg/54kOx1GHWPjZJb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Adobe_Activator.exe (PID: 3500)

    • HIJACKLOADER has been detected (YARA)

      • GUBootService.exe (PID: 1692)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Adobe_Activator.exe (PID: 3500)

    • Reads security settings of Internet Explorer

      • Adobe_Activator.exe (PID: 3500)

    • Reads the Internet Settings

      • Adobe_Activator.exe (PID: 3500)

    • Creates file in the systems drive root

      • GUBootService.exe (PID: 1692)

  • INFO

    • Checks supported languages

      • Adobe_Activator.exe (PID: 3500)
      • GUBootService.exe (PID: 1692)

    • Create files in a temporary directory

      • Adobe_Activator.exe (PID: 3500)
      • GUBootService.exe (PID: 1692)

    • Reads the computer name

      • Adobe_Activator.exe (PID: 3500)
      • GUBootService.exe (PID: 1692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:06:27 07:06:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 70656
InitializedDataSize: 116736
UninitializedDataSize: -
EntryPoint: 0x11def
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.0.1795
ProductVersionNumber: 1.4.0.1795
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Oleg N. Scherbakov
FileDescription: 7z Setup SFX (x86)
FileVersion: 1.4.0.1795
InternalName: 7ZSfxMod
LegalCopyright: Copyright © 2005-2010 Oleg N. Scherbakov
OriginalFileName: 7ZSfxMod_x86.exe
PrivateBuild: June 27, 2010
ProductName: 7-Zip SFX
ProductVersion: 1.4.0.1795
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start adobe_activator.exe no specs #HIJACKLOADER gubootservice.exe

Process information

PID
CMD
Path
Indicators
Parent process
1692"C:\Users\admin\AppData\Local\Temp\GUBootService.exe" C:\Users\admin\AppData\Local\Temp\GUBootService.exe
Adobe_Activator.exe
User:
admin
Company:
NeoNapster.com
Integrity Level:
MEDIUM
Description:
NeoAudio CD-Ripper
Exit code:
3221225477
Version:
9.9.9
Modules
Images
c:\users\admin\appdata\local\temp\gubootservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
3500"C:\Users\admin\AppData\Local\Temp\Adobe_Activator.exe" C:\Users\admin\AppData\Local\Temp\Adobe_Activator.exeexplorer.exe
User:
admin
Company:
Oleg N. Scherbakov
Integrity Level:
MEDIUM
Description:
7z Setup SFX (x86)
Exit code:
0
Version:
1.4.0.1795
Modules
Images
c:\users\admin\appdata\local\temp\adobe_activator.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
2 445
Read events
2 437
Write events
8
Delete events
0

Modification events

(PID) Process:(3500) Adobe_Activator.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3500) Adobe_Activator.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3500) Adobe_Activator.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3500) Adobe_Activator.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
48
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3500Adobe_Activator.exeC:\Users\admin\AppData\Local\Temp\data_1.datexecutable
MD5:
SHA256:
3500Adobe_Activator.exeC:\Users\admin\AppData\Local\Temp\data_2.datexecutable
MD5:
SHA256:
3500Adobe_Activator.exeC:\Users\admin\AppData\Local\Temp\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:
SHA256:
3500Adobe_Activator.exeC:\Users\admin\AppData\Local\Temp\api-ms-win-core-console-l1-2-0.dllexecutable
MD5:
SHA256:
3500Adobe_Activator.exeC:\Users\admin\AppData\Local\Temp\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:
SHA256:
3500Adobe_Activator.exeC:\Users\admin\AppData\Local\Temp\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:
SHA256:
3500Adobe_Activator.exeC:\Users\admin\AppData\Local\Temp\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:
SHA256:
3500Adobe_Activator.exeC:\Users\admin\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-0.dllexecutable
MD5:
SHA256:
3500Adobe_Activator.exeC:\Users\admin\AppData\Local\Temp\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:
SHA256:
3500Adobe_Activator.exeC:\Users\admin\AppData\Local\Temp\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Adobe_Activator.exe