File name: AdobeAC.dll

Full analysis: https://app.any.run/tasks/1e346c2d-b28b-4e4e-8896-0374b773a767
Verdict: Malicious activity
Analysis date: December 21, 2023, 17:25:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5: 88BBF2A743BAAF81F7A312BE61F90D76
SHA1: 3719AABC29D5EB58D5D2D2A37066047C67BFC2C6
SHA256: 12094A47A9659B1C2F7C5B36E21D2B0145C9E7B2E79845A437508EFA96E5F305
SSDEEP: 24576:etNf3x/XjaTxs6rWTng/wnYJeS6x9XYE7y8IsBVYGgnnncnfnnnJ+3jxObmZXbGi:etNf3x/XjaTprWTUwnYJeS6x9XYE7y8m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions looks like stealing of personal data
      • wermgr.exe (PID: 6048)
    • Connects to the CnC server
      • wermgr.exe (PID: 6048)
  • SUSPICIOUS
    • Connects to the server without a host name
      • wermgr.exe (PID: 6048)
  • INFO
    • Drops the executable file immediately after the start
      • rundll32.exe (PID: 756)
    • Checks proxy server information
      • wermgr.exe (PID: 6048)
    • Creates files or folders in the user directory
      • wermgr.exe (PID: 6048)
    • Reads security settings of Internet Explorer
      • wermgr.exe (PID: 6048)
    • Reads the software policy settings
      • wermgr.exe (PID: 6048)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:07:31 20:52:15+02:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, DLL
PEType: PE32+
LinkerVersion: 9
CodeSize: 544256
InitializedDataSize: 374272
UninitializedDataSize: -
EntryPoint: 0x5c798
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 6.38.2.1
ProductVersionNumber: 6.38.2.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Internet Download Manager click catcher for browsers
CompanyName: Tonec Inc.
FileDescription: Internet Download Manager click catcher for browsers
FileVersion: 6, 38, 2, 1
InternalName: idmcchandler
LegalCopyright: Tonec Inc., Copyright © 1999 - 2020
LegalTrademarks: Internet Download Manager
OriginalFileName: idmcchandler.dll
ProductName: Internet Download Manager module
ProductVersion: 6, 38, 2, 1
No data.
Total processes: 133
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes: start -> rundll32.exe (no specs) -> wermgr.exe; filecoauth.exe (no specs); filecoauth.exe (no specs)

Process information

PID: 756
CMD: "C:\Windows\System32\rundll32.exe" C:\Users\admin\Desktop\AdobeAC.dll.exe,EditOwnerInfo
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3940
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDriveFile Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 5068
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDriveFile Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6048
CMD: C:\WINDOWS\System32\wermgr.exe
Path: C:\Windows\System32\wermgr.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1081 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wermgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
Total events: 30 634
Read events: 30 545
Write events: 89
Delete events: 0

Modification events

Process: (6048) wermgr.exe | Key: HKEY_CLASSES_ROOT\ejkjtonktzy | Operation: write | Name: 12ff8d0f | Value:
879AC658880DD65BE3FFC5766FD5155266CC9FC4CD703C8750B172798A705B3CE6F36D0E11127F5CC2F8B3471975155E290C67B00E14014B8E17A1BEE132BAF5A1FC1B604E21B513215744C61CC6C852DB2B4CE1C04538B65EA3F159754FD93C029A7D369823EFBEBEE0A3C0880945A10C
Process: (6048) wermgr.exe | Key: HKEY_CLASSES_ROOT\ejkjtonktzy | Operation: write | Name: 12ff8d0f | Value:
66DEE6040E383D8C42D1EEB14649BAF298112A5165CC228F72D32D2613E44F651701677B7A6D81FD5AF2B7D64BF2B70FEB20C6A7836ADED46D2A85F24FBC6B55F1A607F766F4FEF73BFAA5883E9CB6D140B9DCB47888AD7F653A5DDEB2C7B5D1A34F65BD13E33A1957FE8B85F21D441BE80990C1EA71E081435D4A1C7DAD6E09A0
Process: (6048) wermgr.exe | Key: HKEY_CLASSES_ROOT\ejkjtonktzy | Operation: write | Name: 12ff8d0f | Value:
C6B7EE276F99C5BF712E366736377C05F25A7DD5909F25F37A677AC3B3A598A47FECACF6015A7691F462FD875106393D54DBD4C89895EBDA7A67D0D1B0CFC03FE6F6C35D9CB9BCCD9EE4AB8BDD4CDC8D2D465D5EA21B9758EE75B010EAA3349D4F99363E0362C09571179B6CD7E8793D2A1273D1E8E04B00F875ADA8361E9EE45A
Process: (6048) wermgr.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Process: (6048) wermgr.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Process: (6048) wermgr.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
Process: (6048) wermgr.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
Process: (6048) wermgr.exe | Key: HKEY_CLASSES_ROOT\ejkjtonktzy | Operation: write | Name: 12ff8d0f | Value:
E431424FAD98FE82B695D0E63D34F60D048E5E153E955919FE1503ECCDCBFC432D7004ADA76BC0994C30D0B4387D3960731201D16EC8E16D225B330F3F73B8987822137A243B9B044972148A8814962953E9C430700BEA1726D49F9813FBCE284A022A531E7FF9F5933C26937273026E002AD8C124A623AA76B64E42CA8A9FC4BD3908BFFD9F8C2F6D5A5FA21AE8B2FA3A
Process: (6048) wermgr.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
Process: (6048) wermgr.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
Executable files: 0
Suspicious files: 12
Text files: 6
Unknown types: 0

Dropped files

(columns: PID | Process | Filename | Type)

6048 | wermgr.exe | C:\Users\admin\AppData\Roaming\Adobe\1.txt | text
MD5:364C2168F233F1F19B0F59EAC075588F
SHA256:8F87EDA621AC54F26C345643F9FF8DC742F4AAB9191B01C6C2BEC481B1BF3810
6048 | wermgr.exe | C:\Users\admin\AppData\Roaming\FileZilla\1.txt | binary
MD5:7BA4EF42E50638DB678A1D816C610611
SHA256:B45EEA334576B3909490A111EFD16C9E84846516AF70B94900C420777DE1A63C
6048 | wermgr.exe | C:\Users\admin\AppData\Roaming\Mozilla\1.txt | binary
MD5:0235B3358C30C7627449F248010AC1B9
SHA256:8E5B619A8F5C9BBA539A504EBB70028E1A7A6B2F10B8A1D76FB3C5926DFF04B8
6048 | wermgr.exe | C:\Users\admin\AppData\Roaming\Macromedia\1.txt | text
MD5:F9E2078CB2A86CDEAF9D37BF9FAAFF2F
SHA256:60795D2C537EC408372C77F93D9E309DD16877CA6598849522487DE05467AC4F
6048 | wermgr.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\31JC6JP2.htm | html
MD5:F322DC5ED58032DC0F11A1219A0AE2CE
SHA256:87EFEE6E6F499F9CFFA39CCAC1C37EE07DB4A41427C6E9A1C4F882061702690C
3940 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-12-21.1729.3940.1.odl | binary
MD5:C19B37023C685ED7824F668F3F467BEF
SHA256:97CCAEA565B27702EBFDEFE7CDBA191C1E479AA2D3BDBA5E59670EA5081FCFD2
5068 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-12-21.1739.5068.1.aodl | binary
MD5:923BF0E545D9C37CA8874C8D6C4A30E6
SHA256:AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
6048 | wermgr.exe | C:\Users\admin\AppData\Roaming\NuGet\1.txt | text
MD5:D7CC1CC31B6A5F0E63B8B88AB8FE4B3D
SHA256:C83EF6A3661A6487E2474BBA986D6BBF6F2B24BB92B0FE185E0887D568711606
6048 | wermgr.exe | C:\Users\admin\AppData\Roaming\Opera\1.txt | binary
MD5:FE69EA3688DDB8734096D2A548E0C15A
SHA256:1D82F630A8F85373AE4338F0F3A3FF721BCEA9D112E3CCB2A86B8FBFF66A5D39
6048 | wermgr.exe | C:\Users\admin\AppData\Roaming\Skype\1.txt | binary
MD5:18C6E13CA0940CE58508D059A4AA6460
SHA256:2C597EBA4DE97704C840B83ACACD0E86E603E3961470CC46E8F06A35F33D3B24
HTTP(S) requests: 51
TCP/UDP connections: 76
DNS requests: 31
Threats: 2

HTTP requests

(columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation; "-" marks a cell not captured in the report)

- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown
2724 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.11 Kb | unknown
2724 | SIHClient.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | binary | 813 b | unknown
2724 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | binary | 824 b | unknown
2724 | SIHClient.exe | GET | 200 | 13.95.31.18:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown
2724 | SIHClient.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown
2724 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | binary | 555 b | unknown
2724 | SIHClient.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | binary | 401 b | unknown
2724 | SIHClient.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | binary | 813 b | unknown
2724 | SIHClient.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | binary | 400 b | unknown

Connections

(columns: PID | Process | IP | Domain | ASN | CN | Reputation; "-" marks a cell not captured in the report)

3720 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
896 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5612 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
896 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5612 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4188 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2644 | OfficeClickToRun.exe | 13.89.179.8:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2724 | SIHClient.exe | 52.165.165.26:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2724 | SIHClient.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
2724 | SIHClient.exe | 72.246.169.155:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 13.89.179.8
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.9
whitelisted
www.microsoft.com
  • 72.246.169.155
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.69
  • 40.126.31.71
  • 40.126.31.73
  • 20.190.159.73
  • 20.190.159.23
  • 20.190.159.68
  • 20.190.159.64
whitelisted
go.microsoft.com
  • 23.211.9.234
whitelisted
dmd.metaservices.microsoft.com
  • 138.91.171.81
  • 20.231.121.79
  • 52.142.223.178
whitelisted
kernel.org
  • 139.178.84.217
whitelisted

Threats

(columns: PID | Process | Class | Message)

6048 | wermgr.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 1
6048 | wermgr.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 2
No debug info