File name:

OneClickFirewall.zip

Full analysis: https://app.any.run/tasks/42d3ac4a-3fd5-4f9a-ab02-c3eeaf04940a
Verdict: Malicious activity
Analysis date: June 04, 2025, 05:20:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

D74B43F0FF61278C525C87422F07BE84

SHA1:

6EFAB7449AD8C3CF9E416BA51A570C9D52DC0E0F

SHA256:

19EBF497B00582E8314A3036FFCD35A8F4447D21251077EE4550607FA176E3F8

SSDEEP:

12288:UYw+F0rJdD5r2FR5hM4JsQKXzUxo01M5HVDZE/fyHF:UV+F09RsFRzpSQKXQxo01AHVDgyl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 3180)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3180)

    • Creates file in the systems drive root

      • WinRAR.exe (PID: 3180)

    • Executable content was dropped or overwritten

      • OneClickFirewall-1.0.0.2.exe (PID: 3008)

    • The process creates files with name similar to system file names

      • OneClickFirewall-1.0.0.2.exe (PID: 3008)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • OneClickFirewall-1.0.0.2.exe (PID: 3008)

    • There is functionality for taking screenshot (YARA)

      • OneClickFirewall-1.0.0.2.exe (PID: 3008)

  • INFO

    • Manual execution by a user

      • notepad.exe (PID: 6040)
      • OneClickFirewall-1.0.0.2.exe (PID: 3036)
      • OneClickFirewall-1.0.0.2.exe (PID: 3008)
      • rundll32.exe (PID: 7488)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6040)
      • rundll32.exe (PID: 7488)

    • Checks supported languages

      • OneClickFirewall-1.0.0.2.exe (PID: 3008)

    • Create files in a temporary directory

      • OneClickFirewall-1.0.0.2.exe (PID: 3008)

    • Reads the computer name

      • OneClickFirewall-1.0.0.2.exe (PID: 3008)

    • Checks proxy server information

      • slui.exe (PID: 4736)

    • Reads the software policy settings

      • slui.exe (PID: 4736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2013:05:28 22:27:36
ZipCRC: 0x1d0ed40c
ZipCompressedSize: 428
ZipUncompressedSize: 824
ZipFileName: Winaero EULA.txt
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
6
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs notepad.exe no specs oneclickfirewall-1.0.0.2.exe no specs oneclickfirewall-1.0.0.2.exe rundll32.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
3008"C:\Users\admin\Desktop\OneClickFirewall-1.0.0.2.exe" C:\Users\admin\Desktop\OneClickFirewall-1.0.0.2.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\oneclickfirewall-1.0.0.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
3036"C:\Users\admin\Desktop\OneClickFirewall-1.0.0.2.exe" C:\Users\admin\Desktop\OneClickFirewall-1.0.0.2.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\oneclickfirewall-1.0.0.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
3180"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\OneClickFirewall.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
4736C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6040"C:\WINDOWS\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\Winaero EULA.txt"C:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
7488"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %lC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
Total events
5 156
Read events
5 146
Write events
10
Delete events
0

Modification events

(PID) Process:(3180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(3180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(3180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(3180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\OneClickFirewall.zip
(PID) Process:(3180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:writeName:ArcSort
Value:
32
(PID) Process:(3180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:writeName:ArcSort
Value:
0
Executable files
3
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3008OneClickFirewall-1.0.0.2.exeC:\Users\admin\AppData\Local\Temp\nsg1D94.tmp\BrandingURL.dllexecutable
MD5:71C46B663BAA92AD941388D082AF97E7
SHA256:BB2B9C272B8B66BC1B414675C2ACBA7AFAD03FFF66A63BABEE3EE57ED163D19E
3008OneClickFirewall-1.0.0.2.exeC:\Users\admin\AppData\Local\Temp\nsg1D94.tmp\nsDialogs.dllexecutable
MD5:C10E04DD4AD4277D5ADC951BB331C777
SHA256:E31AD6C6E82E603378CB6B80E67D0E0DCD9CF384E1199AC5A65CB4935680021A
3008OneClickFirewall-1.0.0.2.exeC:\Users\admin\AppData\Local\Temp\nsg1D94.tmp\modern-wizard.bmpimage
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
3008OneClickFirewall-1.0.0.2.exeC:\Users\admin\AppData\Local\Temp\nsg1D94.tmp\System.dllexecutable
MD5:C17103AE9072A06DA581DEC998343FC1
SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
3180WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3180.32606\Winaero EULA.txttext
MD5:C11892A5C17F87CBE8FF04C941DDF219
SHA256:315148CF0B3BC8A60E8BB826A5CFC9A83E5B9829CC094FAAE525E727EB0B74F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
41
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
472
svchost.exe
GET
200
184.25.51.59:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7572
RUXIMICS.exe
GET
200
184.25.51.59:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
472
svchost.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7572
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.32.134:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
20.190.160.67:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
compressed
23.9 Kb
whitelisted
5344
SIHClient.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5344
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
7572
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
472
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
472
svchost.exe
184.25.51.59:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
7572
RUXIMICS.exe
184.25.51.59:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
472
svchost.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7572
RUXIMICS.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
6544
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 184.25.51.59
  • 184.25.51.10
  • 23.216.77.6
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.140
  • 20.190.160.128
  • 20.190.160.20
  • 40.126.32.76
  • 40.126.32.68
  • 20.190.160.64
  • 40.126.32.136
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
self.events.data.microsoft.com
  • 104.208.16.92
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
OneClickFirewall.zip