| Field | Value |
|---|---|
| File name: | Adobe Unlicensed Pop-up Blocker.zip |
| Full analysis: | https://app.any.run/tasks/8982377d-61ad-4491-a9fc-2c979de7fd82 |
| Verdict: | Malicious activity |
| Analysis date: | February 18, 2025, 02:03:15 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 90C07E61BE155FEA3C3A43EF33E6C7ED |
| SHA1: | F95253BF84A921568005464C04AFBFEEF20DB5DD |
| SHA256: | E0E8D1F6CC476C1DD41AA46741AB3C7D993B628D443C62AFFCACAF578690A3F7 |
| SSDEEP: | 98304:3JPje0G0CKD0uEvm4ZczWuFXFANJN8Numwu4df/n8+enf/z9l3CYK6V+o+IKjyde:IMjWX6m |
| Extension | Detected type |
|---|---|
| .zip | ZIP compressed archive (100) |

| Field | Value |
|---|---|
| ZipRequiredVersion: | 20 |
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2025:02:17 20:56:04 |
| ZipCRC: | 0xd155b6cb |
| ZipCompressedSize: | 10727 |
| ZipUncompressedSize: | 32412 |
| ZipFileName: | pihole.txt |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 132 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 236 | "C:\Users\admin\Desktop\Start.exe" -sfxwaitall:1 "C:\Users\admin\Desktop\BlockIPs.cmd" | C:\Users\admin\Desktop\Start.exe | — | Start.exe | User: admin; Integrity Level: MEDIUM; Description: Adobe Unlicensed Pop-up Block Starter; Exit code: 0; Version: 1.0.0.0000 |
| 436 | C:\WINDOWS\system32\cmd.exe /S /D /c" echo ,108.138.26.126,108.138.26.27,108.138.26.4,108.138.26.51,108.138.26.56,108.138.26.70,108.138.26.72,108.138.26.99,108.138.7.117,108.138.7.47,108.138.7.55,108.138.7.69,108.138.7.72,108.138.7.8,108.138.7.93,108.138.7.97,13.227.219.41,13.227.219.60,13.227.219.63,13.227.219.90,13.32.121.18,13.32.121.43,13.32.121.60,13.32.121.64,13.32.27.106,13.32.27.111,13.32.27.114,13.32.27.128,13.32.27.28,13.32.27.30,13.32.27.49,13.32.27.9,13.32.99.68,13.32.99.7,13.32.99.81,13.32.99.99,13.33.187.108,13.33.187.13,13.33.187.42,13.33.187.75,143.204.98.104,143.204.98.113,143.204.98.125,143.204.98.32,18.172.112.123,18.172.112.20,18.172.112.73,18.172.112.89,18.173.205.120,18.173.205.28,18.173.205.35,18.173.205.99,18.239.18.108,18.239.18.14,18.239.18.44,18.239.18.6,18.239.69.16,18.239.69.22,18.239.69.31,18.239.69.49,18.239.69.56,18.239.69.62,18.239.69.67,18.239.69.86,18.239.83.113,18.239.83.14,18.239.83.27,18.239.83.87,18.239.94.110,18.239.94.26,18.239.94.34,18.239.94.73,18.239.94.80,18.239.94.85,18.239.94.94,18.239.94.96,18.244.18.102,18.244.18.129,18.244.18.46,18.244.18.81," | C:\Windows\SysWOW64\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 10.0.19041.3636 (WinBuild.160101.0800) |
| 436 | findstr /l /c:",18.245.60.99," | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Find String (QGREP) Utility; Exit code: 1; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 436 | C:\WINDOWS\system32\cmd.exe /c 2>nul nslookup -type=ns ic.adobe.io\|findstr /i /l /c:"nameserver = " | C:\Windows\System32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 448 | C:\WINDOWS\system32\cmd.exe /S /D /c" echo ,108.138.26.126,108.138.26.27,108.138.26.4,108.138.26.51,108.138.26.56,108.138.26.70,108.138.26.72,108.138.26.99,108.138.7.117," | C:\Windows\SysWOW64\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 10.0.19041.3636 (WinBuild.160101.0800) |
| 448 | findstr /l /c:",18.65.39.126," | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Find String (QGREP) Utility; Exit code: 1; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 448 | findstr /l /c:",99.86.4.21," | C:\Windows\System32\findstr.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Find String (QGREP) Utility; Exit code: 1; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 512 | findstr /l /c:",99.86.4.115," | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Find String (QGREP) Utility; Exit code: 1; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 512 | findstr /l /c:",99.86.4.84," | C:\Windows\System32\findstr.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Find String (QGREP) Utility; Exit code: 1; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 6484 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\preferences.zip |
| 6484 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\chromium_ext.zip |
| 6484 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip |
| 6484 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Adobe Unlicensed Pop-up Blocker.zip |
| 6484 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | name | 120 |
| 6484 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | size | 80 |
| 6484 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | type | 120 |
| 6484 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 6484 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | NodeSlots | 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 |
| 6484 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | MRUListEx | 0E000000040000000300000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6484.3165\pihole.txt | text | 2AEA8D0F1797CD9899289EA90717705E | CDAAE7AF1A14B1850220B3F58FC105876324B2A379ACE9464D205C6A1341BCD2 |
| 6484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6484.3165\wget.exe | executable | B1F557BD6A97A95CFF5DBCC55BF6E9BB | A6093F8F40F90AD576B0463FB352318416EA24265D3E8F43D4F7F3723F7E7F77 |
| 5316 | dnsx.exe | C:\Users\admin\AppData\Local\Temp\hm796407687\LOG | text | F68DC1A4DC4A9639E4066C0916D12A0F | 34AAF3DB12DC5600BAC34710B07D83FE7B47D84A324AF9821EA427442AB44DAA |
| 5032 | findstr.exe | C:\Users\admin\Desktop\pihole_new.txt | text | 1DD5B27D6497737B52AFACA4ED00AEB1 | DD0A6D6FA707123AE90FF72C46B7CA99B8F2CD4CA251002D6C12CD405B318940 |
| 5316 | dnsx.exe | C:\Users\admin\AppData\Local\Temp\hm796407687\CURRENT | text | 6159AC332FBA78E3046D9F75EDB5E396 | 179AEE986B08DD1C9B42165766A9F86BE710E30D130C79FF234C4F8FBFB85F76 |
| 6484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6484.3165\Start.exe | executable | 6C59D72A7B77E64032A18AA544632902 | 188507E2B10576BCAEE8C333D9ADF33BBBE4ED2E26D78AFACE88105721F79C0B |
| 5316 | dnsx.exe | C:\Users\admin\AppData\Local\Temp\hm796407687\CURRENT.0 | text | 6159AC332FBA78E3046D9F75EDB5E396 | 179AEE986B08DD1C9B42165766A9F86BE710E30D130C79FF234C4F8FBFB85F76 |
| 6288 | dnsx.exe | C:\Users\admin\AppData\Local\Temp\hm629486903\CURRENT.0 | text | 6159AC332FBA78E3046D9F75EDB5E396 | 179AEE986B08DD1C9B42165766A9F86BE710E30D130C79FF234C4F8FBFB85F76 |
| 5316 | dnsx.exe | C:\Users\admin\AppData\Local\Temp\hm796407687\000001.log | binary | D9DBA2550DD3157F8F9BF3BC63D1BFC5 | AF2843EC1B118ABC05974F5A8C184216F8E4BD8174391A8A23BF443991B33432 |
| 3544 | sort.exe | C:\Users\admin\Desktop\iplist_new.txt | text | 480261D41713FD4142CBDB70C6536D65 | A9B928B944F5837DC5202E271CA98FCA730E173E28D3150A961CCC030C79723A |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 5564 | svchost.exe | GET | 304 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
| — | — | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
| 6720 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
| 4140 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
| 4140 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 5564 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 6076 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 5564 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 5564 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| — | — | 104.126.37.128:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
| — | — | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
| 5564 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| www.bing.com | — | whitelisted |
| ocsp.digicert.com | — | whitelisted |
| google.com | — | whitelisted |
| login.live.com | — | whitelisted |
| go.microsoft.com | — | whitelisted |
| arc.msn.com | — | whitelisted |
| fd.api.iris.microsoft.com | — | whitelisted |