File name:	AdobeUnlicensedPopupBlocker.zip
Full analysis:	https://app.any.run/tasks/c0cfe6ea-2b90-4bb5-a6ca-60a0be8ee206
Verdict:	Malicious activity
Analysis date:	April 08, 2025, 17:57:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-doc
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=store
MD5:	65C82183C3E22469C475D787176547B8
SHA1:	E5F45711CE3037794ED12604FE3E9D72C5A5C437
SHA256:	5436AA7C6C8E183003A02ABB82F9F364C8F297A3386EF40AE09F2B89A7472C2C
SSDEEP:	98304:UR+n3gYYUhSt33hKVhFZFNt0f3R7mFDBP1nUgghHesMU9EI00RIaqQuZjW56HLE+:pt

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2025:04:08 19:55:10
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	1/


(PID) Process:	(7612) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7612) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7612) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7612) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\AdobeUnlicensedPopupBlocker.zip
(PID) Process:	(7612) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7612) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7612) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7612) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7612) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 32
(PID) Process:	(7612) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:	write	Name:	DefScanner
Value: Windows Defender

PID	Process	Filename		Type
7612	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7612.45064\AdobeUnlicensedPopupBlocker.zip\1\AdobeUnlicensedPopupBlocker\iplist.txt		text
		MD5:9E9EAA75D8A3BB90E24B62009A54D068	SHA256:1B59078D3D19BB7B9DBA9CB97C6A526976746EB9EB9075D5EF5B60D0E695EC48
7612	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7612.45064\AdobeUnlicensedPopupBlocker.zip\1\AdobeUnlicensedPopupBlocker\BlockIPs.cmd		text
		MD5:D4C60D2D549FB0D94D026E0EB3C1177C	SHA256:991F75A4946FC7A151A5D3434E3540D0F8BBDAA9F9D7558B7562DE1D1FF046D7
7612	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7612.45064\AdobeUnlicensedPopupBlocker.zip\1\AdobeUnlicensedPopupBlocker\pihole.txt		text
		MD5:0E6998346E11345F9AA99DEADC5C2FA1	SHA256:4D68A640D0292F8F54F4E225396CF5150C091DB3F82813642AFBCA561511783C
7612	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7612.45064\AdobeUnlicensedPopupBlocker.zip\AdobeUnlicensedPopupBlocker.pimx		xml
		MD5:89E20C9115A8EEBEA95532FBEF6BBBE4	SHA256:ED149A19DADFBD442CC6D8ACADB688A0243AEF14DB4960CCBCCC1D62F5DCB765
7612	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7612.45064\Rar$Scan88960.bat		text
		MD5:D49E705BC0731609E69464EFD2BE7469	SHA256:8AC9E83AE03B5BFB646DE85D47185F66E11FA27C0A1DB1FF1A70DD5EFC0CE4A5
7612	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7612.45064\AdobeUnlicensedPopupBlocker.zip\1\AdobeUnlicensedPopupBlocker\UnPP.xml		xml
		MD5:6E919EA3448C1E74150CCA760A342374	SHA256:0F9947FB498E0F21A4AE9FC256BD34D524F8BE6E4697E09C4B696D758323852A
7612	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7612.45064\AdobeUnlicensedPopupBlocker.zip\1\AdobeUnlicensedPopupBlocker\RunOnce.cmd		text
		MD5:935602FFC48E0FEE04DB8011ED902BC1	SHA256:E1CA97789C269AD8E1BDC2095D505ECD4AFC28985D1765C2E9569B5044F1CB6E
7612	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7612.45064\AdobeUnlicensedPopupBlocker.zip\1\AdobeUnlicensedPopupBlocker\dnsx.exe		executable
		MD5:47C028F041C83817250E3D49126A8C88	SHA256:9F7A353258017C04C5197379F5F5F6821E32712346C9AC4611313B2712805120
7248	MpCmdRun.exe	C:\Users\admin\AppData\Local\Temp\MpCmdRun.log		binary
		MD5:8B3EC15FF91FE256DACC3F0F62780D4A	SHA256:CAFDA1A5117EDEFAA9DB020120081E52A931193EB9DA62F84A99DB569A5DF7B6
7612	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7612.45064\AdobeUnlicensedPopupBlocker.zip\1\AdobeUnlicensedPopupBlocker\wget.exe		executable
		MD5:B1F557BD6A97A95CFF5DBCC55BF6E9BB	SHA256:A6093F8F40F90AD576B0463FB352318416EA24265D3E8F43D4F7F3723F7E7F77

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
6048	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6048	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6048	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
6048	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	—
—	—	POST	200	40.126.31.0:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4208	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	40.126.31.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158 20.73.194.208	whitelisted
google.com	142.250.186.142	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12 2.16.168.114 2.16.168.124	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
login.live.com	40.126.31.67 20.190.159.71 40.126.31.1 40.126.31.71 20.190.159.4 40.126.31.73 40.126.31.2 20.190.159.68	whitelisted
2.100.168.192.in-addr.arpa	—	whitelisted
ic.adobe.io	—	whitelisted
slscr.update.microsoft.com	20.109.210.53 4.175.87.197	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted

General Info

AdobeUnlicensedPopupBlocker.zip

65C82183C3E22469C475D787176547B8

E5F45711CE3037794ED12604FE3E9D72C5A5C437

5436AA7C6C8E183003A02ABB82F9F364C8F297A3386EF40AE09F2B89A7472C2C

98304:UR+n3gYYUhSt33hKVhFZFNt0f3R7mFDBP1nUgghHesMU9EI00RIaqQuZjW56HLE+:pt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Uses Task Scheduler to run other applications

SUSPICIOUS

Starts CMD.EXE for commands execution

Using 'findstr.exe' to search for text patterns in files and output

Uses NETSH.EXE to delete a firewall rule or allowed programs

Runs PING.EXE to delay simulation

Application launched itself

Hides command output

Uses NSLOOKUP.EXE to check DNS info

Deletes scheduled task without confirmation

Windows service management via SC.EXE

Starts SC.EXE for service management

Stops a currently running service

Uses TASKKILL.EXE to kill process

Executing commands from a ".bat" file

Reads security settings of Internet Explorer

INFO

Manual execution by a user

Reads security settings of Internet Explorer

Checks supported languages

Reads Microsoft Office registry keys

Executable content was dropped or overwritten

Create files in a temporary directory

Reads the computer name

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings