File name: OTNYB_crack.exe

Full analysis: https://app.any.run/tasks/af8c6d98-1e95-40b7-bcd2-5bc4a370dbd2
Verdict: Malicious activity
Analysis date: December 07, 2024, 05:52:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: D1A223B06A4128F42E06F8179D7AB997
SHA1: D46A757E77AB78363DE8880788B2A73D07E86037
SHA256: FBA74C6AEA235F2BA0EDA3981AAE8E4E3DF2F233320AEC506B0AAA9FBC6E124B
SSDEEP: 196608:oTCsh5nUl/cDGdt7V5T7Ltf/sLnSdbkV/E5b/P9/jaZkmw5:oTC6Lqdt7V1LtMSd4V/EF/P9ba85

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • OTNYB_crack.exe (PID: 2136)
    • Application launched itself

      • OTNYB_crack.exe (PID: 2136)
      • cmd.exe (PID: 3692)
      • cmd.exe (PID: 5992)
      • cmd.exe (PID: 3208)
      • cmd.exe (PID: 2484)
      • cmd.exe (PID: 236)
      • cmd.exe (PID: 5888)
      • cmd.exe (PID: 624)
    • Reads security settings of Internet Explorer

      • OTNYB_crack.exe (PID: 3508)
      • OTNYB_crack.exe (PID: 2136)
    • Reads the date of Windows installation

      • OTNYB_crack.exe (PID: 3508)
      • OTNYB_crack.exe (PID: 2136)
    • Starts CMD.EXE for commands execution

      • OTNYB_crack.exe (PID: 3508)
      • cmd.exe (PID: 3692)
      • OTNYB_crack.exe (PID: 2136)
      • cmd.exe (PID: 5992)
      • cmd.exe (PID: 3208)
      • cmd.exe (PID: 236)
      • cmd.exe (PID: 5888)
      • cmd.exe (PID: 2484)
      • cmd.exe (PID: 624)
    • Executing commands from ".cmd" file

      • OTNYB_crack.exe (PID: 3508)
    • Uses TASKKILL.EXE to kill process

      • OTNYB_crack.exe (PID: 2136)
    • Uses REG/REGEDIT.EXE to modify registry

      • OTNYB_crack.exe (PID: 2136)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 836)
      • schtasks.exe (PID: 4264)
    • Starts SC.EXE for service management

      • OTNYB_crack.exe (PID: 2136)
  • INFO

    • Create files in a temporary directory

      • OTNYB_crack.exe (PID: 2136)
    • Reads the computer name

      • OTNYB_crack.exe (PID: 2136)
      • OTNYB_crack.exe (PID: 3508)
    • Checks supported languages

      • OTNYB_crack.exe (PID: 2136)
      • OTNYB_crack.exe (PID: 3508)
    • The process uses the downloaded file

      • OTNYB_crack.exe (PID: 3508)
      • OTNYB_crack.exe (PID: 2136)
    • Process checks computer location settings

      • OTNYB_crack.exe (PID: 3508)
      • OTNYB_crack.exe (PID: 2136)
    • Changes file name

      • cmd.exe (PID: 5992)
      • cmd.exe (PID: 2484)
      • cmd.exe (PID: 236)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2018:05:21 01:49:42+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 10
CodeSize: 130560
InitializedDataSize: 429568
UninitializedDataSize: -
EntryPoint: 0x20360
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: WhiteDeath & Co
FileDescription: Crack for Acrobat Pro x64
FileVersion: 2.0.0.0
InternalName: Crack for Acrobat Pro x64
LegalCopyright: WhiteDeath & Co
OriginalFileName: crack.exe
ProductName: Crack for Acrobat Pro x64
ProductVersion: 2.0.0.0
No data.
Total processes: 165
Monitored processes: 48
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in the order listed (processes marked "no specs" carry that label in the graph): start, otnyb_crack.exe, otnyb_crack.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), reg.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), reg.exe (no specs), followed by seven repetitions of the group cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), reg.exe (no specs).

Process information

PID | CMD | Path | Indicators | Parent process
236 | "C:\Windows\System32\cmd.exe" /c FOR /f "tokens=2*" %i IN ('REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath') DO IF EXIST %j (REN "%j\Acrobat.dll" "Acrobat.dll.bak") | C:\Windows\System32\cmd.exe | - | OTNYB_crack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
556 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
624 | "C:\Windows\System32\sc.exe" config AGSService start= disabled | C:\Windows\System32\sc.exe | - | OTNYB_crack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
624 | "C:\Windows\System32\cmd.exe" /c FOR /f "tokens=2*" %i IN ('REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath') DO IF EXIST %j (COPY /y "C:\Users\admin\AppData\Local\Temp\Acrobat Temp\acrotray.exe" "%j\acrotray.exe") | C:\Windows\System32\cmd.exe | - | OTNYB_crack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
836 | "C:\Windows\System32\schtasks.exe" /delete /f /tn "AdobeGCInvoker-1.0" | C:\Windows\System32\schtasks.exe | - | OTNYB_crack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
848 | REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath | C:\Windows\System32\reg.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1380 | C:\WINDOWS\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath | C:\Windows\System32\cmd.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1520 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1668 | "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement" /v "bIsNGLLicensing" /t REG_DWORD /d "00000001" /f | C:\Windows\System32\reg.exe | - | OTNYB_crack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1744 | "C:\Windows\System32\taskkill.exe" /f /im AGMService.exe | C:\Windows\System32\taskkill.exe | - | OTNYB_crack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 2 384
Read events: 2 383
Write events: 1
Delete events: 0

Modification events

(PID) Process: (1668) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation: write
Name: bIsNGLLicensing
Value: 1
Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2136 | OTNYB_crack.exe | C:\Users\admin\AppData\Local\Temp\Acrobat Temp\Acrobat.dll | -
MD5:
SHA256:
2136 | OTNYB_crack.exe | C:\Users\admin\AppData\Local\Temp\Acrobat Temp\install.cmd | text
MD5: 6A84A91F8539ACD790C6ADB1D3B5DB5D
SHA256: E14B89BAF4D21A14761C2A2E886813D50579742021E657E52E0551C84F324075
2136 | OTNYB_crack.exe | C:\Users\admin\AppData\Local\Temp\Acrobat Temp\acrotray.exe | executable
MD5: 125ADDA82A93A8645907A43EFED01FE5
SHA256: E359B8C0C3F4DF0EFE77C54BBE3F1CEE45EFD8A0CD3EA8B28E40C231597CD20A
2136 | OTNYB_crack.exe | C:\Users\admin\AppData\Local\Temp\Acrobat Temp\acrodistdll.dll | executable
MD5: 1654F8477DDF23C3C9BFC9EDE04DFD4E
SHA256: 46422638B6D611BCBC22B429ECB0BCA4241169CBD3D99F2E44A7AB68406AE51D
HTTP(S) requests: 4
TCP/UDP connections: 19
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
132 | svchost.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
132 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
132 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
132 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
132 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
132 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 23.216.77.25, 23.216.77.21 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 104.208.16.88 | whitelisted

Threats

No threats detected
No debug info