Edit tour

Windows Analysis Report
Acrobat_Set-Up.exe

Overview

General Information

Sample name:	Acrobat_Set-Up.exe
Analysis ID:	1592172
MD5:	7391ec5108729d5727b38be8a850c277
SHA1:	7fcf271ef339dfe898acd6b3348582d9ea587b81
SHA256:	a5993cf572ebef5ded10fb6dd1dea454a3dafa3e7a69bc6990adfdf270868b45

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Query firmware table information (likely to detect VMs)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Process Tree

System is w11x64_office

Acrobat_Set-Up.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\Acrobat_Set-Up.exe" MD5: 7391EC5108729D5727B38BE8A850C277)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Acrobat_Set-Up.exe

Source: Acrobat_Set-Up.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Acrobat_Set-Up.exe

Static PE information: certificate valid

Source: Acrobat_Set-Up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown	Network traffic detected: HTTP traffic on port 53055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53061
Source: unknown	Network traffic detected: HTTP traffic on port 53063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53060
Source: unknown	Network traffic detected: HTTP traffic on port 53061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53063

Source: Acrobat_Set-Up.exe	Static PE information: Resource name: DICTIONARY type: DOS executable (COM)
Source: Acrobat_Set-Up.exe	Static PE information: Resource name: JS type: DOS executable (COM)

Source: Acrobat_Set-Up.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.evad.winEXE@1/12@1/38

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe User OS InfoNglSyncRunnable
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe Package Info ()NglSyncRunnable
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{3EBE6875-9C4E-4782-8A43-275AFFFCA6FB}
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe Profile InfoNglSyncRunnable
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\WAM.log
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\.ADOBE_WEBVIEW_FLAGS_SERVER.CONFIG
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\17984755fe166b7170b9b5099053521c
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\.CAPABILITY
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe App Info (Q3JlYXRpdmVDbG91ZEluc3RhbGxlcjF7fTIwMTgwNzIwMDE)NglAsnpMetaDataContentionLock
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe User OS Info
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe Proxy PasswordNglSyncRunnable
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe Proxy UsernameNglSyncRunnable
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\359dca4322b8b4a0f7f92bf448150fb
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe App Info (Q3JlYXRpdmVDbG91ZEluc3RhbGxlcjF7fTIwMTgwNzIwMDE)NglSyncRunnable
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe App Info (Q3JlYXRpdmVDbG91ZEluc3RhbGxlcjF7fTIwMTgwNzIwMDE)
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe App Prefetched Info (Q3JlYXRpdmVDbG91ZEluc3RhbGxlcjF7fTIwMTgwNzIwMDE)NglSyncRunnable
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\_MSIExecute
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe App Prefetched Info (Q3JlYXRpdmVDbG91ZEluc3RhbGxlcjF7fTIwMTgwNzIwMDE)
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe User InfoNglSyncRunnable
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe Proxy Username
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe User Info

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

File created: C:\Users\user\AppData\Local\Temp\CreativeCloud

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

File read: C:\Users\user\Desktop\Acrobat_Set-Up.exe

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: sensapi.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: sensapi.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: webio.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: Acrobat_Set-Up.exe

Static PE information: certificate valid

Source: Acrobat_Set-Up.exe

Static file information: File size 3313016 > 1048576

Source: Acrobat_Set-Up.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x31aa00

Source: Acrobat_Set-Up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Acrobat_Set-Up.exe

Static PE information: real checksum: 0x336356 should be: 0x332b2c

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (133).png

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

System information queried: FirmwareTableInformation

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Window / User API: threadDelayed 931
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Window / User API: threadDelayed 6060

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe TID: 7468	Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe TID: 7392	Thread sleep time: -46550s >= -30000s
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe TID: 7404	Thread sleep time: -66000s >= -30000s
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe TID: 7392	Thread sleep time: -303000s >= -30000s

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\CreativeCloud\ACC\WAM.log VolumeInformation

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Acrobat_Set-Up.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	21 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Masquerading	OS Credential Dumping	13 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	Boot or Logon Initialization Scripts	14 Virtualization/Sandbox Evasion	LSASS Memory	14 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Modify Registry	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	43 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
d1n897799gitxr.cloudfront.net	18.245.60.41	true	false	unknown
resources-prod.licensingstack.com	13.32.47.160	true	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.245.60.41	d1n897799gitxr.cloudfront.net	United States	16509	AMAZON-02US	false
13.32.47.160	resources-prod.licensingstack.com	United States	16509	AMAZON-02US	false
52.31.218.129	unknown	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592172
Start date and time:	2025-01-15 21:25:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Acrobat_Set-Up.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@1/12@1/38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, appidcertstorecheck.exe
Excluded IPs from analysis (whitelisted): 104.18.38.233, 172.64.149.23, 2.16.168.108, 2.16.168.118, 2.16.168.110
Excluded domains from analysis (whitelisted): cdp-f-tlu-net.trafficmanager.net, crt.comodoca.com.cdn.cloudflare.net, slscr.update.microsoft.com, data-edge.smartscreen.microsoft.com, nav.smartscreen.microsoft.com, edge.microsoft.com, crt.comodoca.com, login.live.com, msedge.b.tlu.dl.delivery.mp.microsoft.com, wildcard.f.tlu.dl.delivery.mp.microsoft.com.edgesuite.net, config.edge.skype.com, star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, a1847.dscd.akamai.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: d1n897799gitxr.cloudfront.net

Created / dropped Files

C:\Users\user\AppData\Local\Adobe\OOBE\temp_lbs_wid

Download File

Process:	C:\Users\user\Desktop\Acrobat_Set-Up.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	3.776449961841122
Encrypted:	false
SSDEEP:
MD5:	4471A6528AAFB054CB64AA8E11070C16
SHA1:	4AC9394A34F46622F4E18FDCD8B6B8B113FF1B1A
SHA-256:	45DC8863820C2B45495F1D2608952E215B47C4302B498E24FD701803F4FF5743
SHA-512:	F32645CB1912C99B1991D122D173F9C45F376121EF521DA55F5C989F5880DDC0DCE24C9A69DFC7A29B37F7464C8FA3EE8E70B350F0295E9CB32B6DBB7AAE801A
Malicious:	false
Reputation:	unknown
Preview:	{EA95EC91-1939-495E-AAD7-96E020925D80}

C:\Users\user\AppData\Local\Temp\CreativeCloud\ACC\WAM.log

Download File

Process:	C:\Users\user\Desktop\Acrobat_Set-Up.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (413), with CRLF, LF line terminators
Category:	modified
Size (bytes):	23726
Entropy (8bit):	3.6667379959912476
Encrypted:	false
SSDEEP:
MD5:	79ECC4AAC56B8AB4818FF3E14566DB7D
SHA1:	8F4EF5CF1D411B1A072CBB0BB4AC6D97E4D94060
SHA-256:	EFF75C14E4AB39A041770A8D533672679496433F5B5629EA0A4B6564B339A865
SHA-512:	AF381CBCAE618A5438C1D451EFCFCE4A94FDCA5B85CEC90E6DE357D843C8CF438F068AD611F89905BC5E4227B60F48A5F24F0B4AE63D2F405C9E16EE5232CC44
Malicious:	false
Reputation:	unknown
Preview:	..0.1./.1.5./.2.5. .1.6.:.2.8.:.4.5.:.0.9.5. .\|. .[.I.N.F.O.]. .\|. . .\|. .A.d.m.i.n. .\|. .S.e.t.u.p. .\|. .A.p.p.l.i.c.a.t.i.o.n.C.o.n.t.e.x.t. .\|. . .\|. . .\|. .6.7.6.8. .\|. ........................ .W.o.r.k.f.l.o.w. .s.t.a.r.t... .V.e.r.s.i.o.n.:. .2...1.3...0...1.4. ..........................*.....0.1./.1.5./.2.5. .1.6.:.2.8.:.4.5.:.0.9.6. .\|. .[.I.N.F.O.]. .\|. . .\|. .A.d.m.i.n. .\|. .O.O.B.E.U.t.i.l.s. .\|. .C.o.m.m.a.n.d.L.i.n.e.P.a.r.s.e.r. .\|. . .\|. .O.O.B.E.U.t.i.l.s. .\|. .6.7.6.8. .\|. .P.a.r.s.i.n.g. .t.h.e. .c.o.m.m.a.n.d. .l.i.n.e. .p.r.o.v.i.d.e.d... .N.u.m.b.e.r. .o.f. .c.o.m.m.a.n.d. .l.i.n.e. .a.r.g.u.m.e.n.t.s. .i.s. .1.....0.1./.1.5./.2.5. .1.6.:.2.8.:.4.5.:.0.9.6. .\|. .[.I.N.F.O.]. .\|. . .\|. .A.d.m.i.n. .\|. .W.A.M.B. .\|. .C.o.n.f.i.g.X.m.l. .\|. . .\|. .W.A.M.B. .\|. .6.7.6.8. .\|. .I.n.s.i.d.e. .r.e.a.d.V.a.l.u.e.s.F.r.o.m.F.G.F.e.a.t.u.r.e.s.L.i.s.t... .A.d.d.i.n.g. .p.a.r.a.m.:.:. .e.n.a.b.l.e.W.e.b.v.i.e.w.2. .:. .t.r.u.e...

C:\Users\user\AppData\Local\Temp\NGL\NGLClient_CreativeCloudInstaller1.ngllogcontrolconfig

Download File

Process:	C:\Users\user\Desktop\Acrobat_Set-Up.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.8547202010557555
Encrypted:	false
SSDEEP:
MD5:	06E127BB2A9B7DF80B64FB2599EAC750
SHA1:	FFAC03CAF707CCA61F5179737428FCE9CAB894EA
SHA-256:	B3208276FED72CBD60E58DC2472CA329F1E9683C13086A785FEE0654A272977B
SHA-512:	8AF06AE3B9DB2DBE087EA480AC22ECC404A7DE090BA0114C0236E2AEBA14307EB7F9FD58F91A8C56F2775DB76E66CFD6F1AC1C04071691D86BAF0E16BAF5A668
Malicious:	false
Reputation:	unknown
Preview:	{..."level" : "INFO",..."maxFileUploadSize" : 1000,..."minFileUploadSize" : 500,..."uploadInterval" : 604800000,..."uploadOnError" : false,..."uploadOnSessionStart" : false..}

C:\Users\user\AppData\Local\Temp\{53B6AA41-1C94-490D-A23A-1C3C8674F7A5}\CCDInstaller.js

Download File

Process:	C:\Users\user\Desktop\Acrobat_Set-Up.exe
File Type:	Unicode text, UTF-8 text, with very long lines (62606)
Category:	dropped
Size (bytes):	1315340
Entropy (8bit):	5.661794679493512
Encrypted:	false
SSDEEP:
MD5:	4B02242ED1B6281DB19B4F60C127CC5D
SHA1:	69EA4924A273DBB03F31D3C7D6D2CFD2270CAD1C
SHA-256:	9FBF9FF720E09C16DA2066B8BAB9879A4C83682F687EBE806C5EA78E1EB9467B
SHA-512:	DD44025147F63E307636424D80405F14A02AD2CC4AD4F80878537B21DF7981F546115348711FFF6E13483FE6FB04684C079309AF28C8EBF43EF83FFE9B49FC1F
Malicious:	false
Reputation:	unknown
Preview:	!function(e){var t={};function a(n){if(t[n])return t[n].exports;var o=t[n]={i:n,l:!1,exports:{}};return e[n].call(o.exports,o,o.exports,a),o.l=!0,o.exports}a.m=e,a.c=t,a.d=function(e,t,n){a.o(e,t)\|\|Object.defineProperty(e,t,{enumerable:!0,get:n})},a.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},a.t=function(e,t){if(1&t&&(e=a(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var n=Object.create(null);if(a.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var o in e)a.d(n,o,function(t){return e[t]}.bind(null,o));return n},a.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return a.d(t,"a",t),t},a.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},a.p="",a(a.s=642)}([function(e,t,a){"use strict";e.exports=a(370)},function(e,t,a){e.exports=a(388)()},fun

C:\Users\user\AppData\Local\Temp\{53B6AA41-1C94-490D-A23A-1C3C8674F7A5}\index.css

Download File

Process:	C:\Users\user\Desktop\Acrobat_Set-Up.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	939796
Entropy (8bit):	6.068145511974107
Encrypted:	false
SSDEEP:
MD5:	714E04A1F8FB3331BBAFA9E43D6DEF10
SHA1:	0091F5FC5CB5DF898499C8078A9AD3AA5A7D2DB5
SHA-256:	86281E1AF2459D957E514EDDA85B86797BEAA231CFAA55E877A6A10F5506F5A1
SHA-512:	990AA9EB87A62CEE43499BDA0D9CC2060C223493FF9B565C323F54AAEC97AD8A935EBCD3868003F90D17518AF28159CC435D94D4A2E441D399110F53A13589E5
Malicious:	false
Reputation:	unknown
Preview:	/! normalize.css v7.0.0 \| MIT License \| github.com/necolas/normalize.css /html{line-height:1.15;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}article,aside,footer,header,nav,section{display:block}h1{font-size:2em;margin:.67em 0}figcaption,figure,main{display:block}figure{margin:1em 40px}hr{box-sizing:content-box;height:0;overflow:visible}pre{font-family:monospace,monospace;font-size:1em}a{background-color:rgba(0,0,0,0);-webkit-text-decoration-skip:objects}abbr[title]{border-bottom:none;text-decoration:underline;text-decoration:underline dotted}b,strong{font-weight:inherit;font-weight:bolder}code,kbd,samp{font-family:monospace,monospace;font-size:1em}dfn{font-style:italic}mark{background-color:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,inp

C:\Users\user\AppData\Local\Temp\{53B6AA41-1C94-490D-A23A-1C3C8674F7A5}\index.html

Download File

Process:	C:\Users\user\Desktop\Acrobat_Set-Up.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	426
Entropy (8bit):	5.032152269928686
Encrypted:	false
SSDEEP:
MD5:	A28AB17B18FF254173DFEEF03245EFD0
SHA1:	C6CE20924565644601D4E0DD0FBA9DDE8DEA5C77
SHA-256:	886C0AB69E6E9D9D5B5909451640EA587ACCFCDF11B8369CAD8542D1626AC375
SHA-512:	9371A699921B028BD93C35F9F2896D9997B906C8ABA90DD4279ABBA0AE1909A8808A43BF829584E552CCFE534B2C991A5A7E3E3DE7618343F50B1C47CFF269D6
Malicious:	false
Reputation:	unknown
Preview:	....<!DOCTYPE html>..<html>..<head>.. .. <meta charset='utf-8'>.. <meta http-equiv='X-UA-Compatible' content='chrome=1'>.. <meta name='viewport' content='width=1024, initial-scale=0.3, maximum-scale=1'>.... <title>CCD Installer</title>.... ....<link href="index.css" rel="stylesheet"></head>..<body>..<div id='root'>..</div>..<script type="text/javascript" src="CCDInstaller.js"></script></body>....</html>..

C:\Users\user\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\anon_events\2b05e2d2-755f-4618-b0b9-642348d8f7b3

Download File

Process:	C:\Users\user\Desktop\Acrobat_Set-Up.exe
File Type:	data
Category:	dropped
Size (bytes):	10485904
Entropy (8bit):	0.06652352534425497
Encrypted:	false
SSDEEP:
MD5:	7B5654334EE67534EE6113624EC5EF71
SHA1:	B841D645F9D126AEE666492097C07A59F9A608D8
SHA-256:	341F442F7213256BA66B66E1BCC0B1AA9AA664786E232B42BA85698C7AF69224
SHA-512:	0EFA0F419FFCF055D1319BE45BD55C2ACDADF46616068B541CCB79982FABFD6E442445A86D8DC53E2A9CD7D6D7B963611550FC394CD0FF58FBF3D16D32C2EFE0
Malicious:	false
Reputation:	unknown
Preview:	]....+y$........................................................................................................h............................... ...[g...)[].h1..\|@.........%S.}..Eqc......6....S..Vyi..1'=.n[.@Pi...Y.Xj...... ...;%.'._.`.0..#.f3.t.8w{?..@F.2gJ1...8....,.......=P.[.'A.w...j.".\|"....&..^...y..l..A.....E.....5.^..L4.R..[#..5:....L.....c..6.....x0._.=..d.....d.3HT.r....~]...J......v....1J1(.4o...U.......@D.>..w%.vJ.#..e\|.9..CF0?...._.&.Q.I.k..?.....B.....)...d.....i.....]xW..z....'&\.:..i.....6.s....3..7..^.x....:..83.....h./`...`..._....#S.....P.Y....68v;7.4.p..n...h.../..1G.O.;1Z.. ..u..)..."..t.....Q...<.....l..)y'....R...J.V.9..s.E./.R..0.9..)....@.9..Z..V.._..".A..~.......V.{1.\|..........\3....N<.Ay....k.!..-....c.@.....uuQh.....uD.....#..T......K.....r.c.u..n.....'*8.....2..W..... iM....E..VZ..?J.P.....7!....u...S.......<..u..~...M..t{....-.@._..hT.......\...4k.YWK$..Bv...mW.+.2.u..X..Z..]1].f.I..<..`...P2E...~R...k=.........

C:\Users\user\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\anon_events\manifest

Download File

Process:	C:\Users\user\Desktop\Acrobat_Set-Up.exe
File Type:	data
Category:	modified
Size (bytes):	224
Entropy (8bit):	1.8019520944245364
Encrypted:	false
SSDEEP:
MD5:	99E8A8E293CC85E66282BEE1810AC117
SHA1:	4E4BBF697329596603AA0D0D3B2D189A793567AB
SHA-256:	E6E77FA60D0EC902FE65FBB03D52C83FBF2DFF96EB0730CAED29AF4B6A087FBA
SHA-512:	72DE8A51EA0E3A75D75C5AC25F2A4B3B3A56C85A61CF0D15BCE66F33F47D6ED797129F5C0AAB8795F87A88ED4EB9AE9D498D783000A66C4C9D4C22BD17E5A563
Malicious:	false
Reputation:	unknown
Preview:	]....+y$........................................(.......P.......P.......P.......................................................................$...2b05e2d2-755f-4618-b0b9-642348d8f7b3........................................

C:\Users\user\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\meta_events\e9267471-4041-463e-88d8-824046f81ac0

Download File

Process:	C:\Users\user\Desktop\Acrobat_Set-Up.exe
File Type:	data
Category:	dropped
Size (bytes):	10485904
Entropy (8bit):	0.0026271443102674546
Encrypted:	false
SSDEEP:
MD5:	E9ECB0C4C6E1AC488E38389B4D9343DF
SHA1:	0C508C16D0165B45E54E964E52ED3A3109559F88
SHA-256:	EBC43ABECA41BA5C68FAF972B26F5019A37423ABE0660F5851FF5E783006B853
SHA-512:	FB9E838E72A00E0DF56EE566C04B24A7519AF1EABB16195D2E5A7B1A3D1EFB6BC094E33A503884946A0A078DCE95423793A162FA03EA79BDCCC0CC496C634F39
Malicious:	false
Reputation:	unknown
Preview:	]....+y$............................................................................................................................................[g...)[].h1..\|@.........%S.}..Eqc......6....S..Vyi..1'=.n[.@Pi...Y.Xj...... ...;%.'._.`.0..#.f3...4...?{.....W.wyj.....A.(3..H.8...v.5....n...U.....q.......E.CB......p..ssVy.Hj..S.B..6.}..nAG.R.}...1....o.MnzHD..v\|..j.-..5.xU\.74...^.}....B..../....P....WkIsl.f.A...>...I..l....#...)..%...9...9...;../.E.Z!)..EFFB/K.........F{..=W\....A.XY....<.,...G.=..~.....\|..U..q%g...l`u#..8x...{...=@.q.W\.B...LVX...X.trA.M~..a4?Hi.9.D2v@.Um..&;u......X#.6......D6.ec.V.U....\|:.6..P]..ev....XI/~.H..glv.(...(...B\|...D...Nv.).9......../P...?.[....T....2...R...%....:...w~.......J.........q..HLB.Y.....x..Rz.............!......<....fW...9..\..>....7.0....p......xJ(...Ki.^oK.....JmW}.b..I....K.eM!t..i.k...\...N..~..'......&....}6<f..s....W......9..4..w.{J{f.d..3rn.x.Z1..I.7....!h,..._\8.6.g....e..8i.Ta..%\.g.J...

C:\Users\user\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\meta_events\manifest

Download File

Process:	C:\Users\user\Desktop\Acrobat_Set-Up.exe
File Type:	data
Category:	dropped
Size (bytes):	224
Entropy (8bit):	1.7790975610371982
Encrypted:	false
SSDEEP:
MD5:	ECDC4D7DCE2C8575E1188C1213715862
SHA1:	04B73AEFB5ED315264A58F702699AC2B0DEB9B18
SHA-256:	F98380C6A2AF2F8B3864A8DB331B74906E95F720CD387953C6017DE39AB24D65
SHA-512:	14B057751924DCD3212474A7789A6C148AE745FA775C81C820D503823C05DC017717C9FBA787621F54BD7C660C0D7E5B9A4B4FAC526A2EE1E78328A8B8428E6A
Malicious:	false
Reputation:	unknown
Preview:	]....+y$........................................(.......P.......P.......P.......................................................................$...e9267471-4041-463e-88d8-824046f81ac0........................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.905997916036349
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Acrobat_Set-Up.exe
File size:	3'313'016 bytes
MD5:	7391ec5108729d5727b38be8a850c277
SHA1:	7fcf271ef339dfe898acd6b3348582d9ea587b81
SHA256:	a5993cf572ebef5ded10fb6dd1dea454a3dafa3e7a69bc6990adfdf270868b45
SHA512:	9dae98bd2ee54ceac751a722a90b8b57ae722c969eaba769cd7f91c2703759efe04c138d8756d38ef157bce0759458a47b915a32e160476ff0f3bd6dcd88aa7b
SSDEEP:	49152:sm7wIIjaSOV+THnJY4fsC1EBG0fRGtxbZdxajwbrS79F5/wcr6QqbD82:X8IsaSOolY4fsCmbIBSw09D/KTk2
TLSH:	CAE533B4A13ADF59E52F7432E06382F1652BDD25CD9823EFB1893E063135611EA702DB
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......xs7.<.Y.<.Y.<.Y.wj\...Y..i]./.Y..iZ.%.Y..i].>.Y..i\.M.Y..i\.J.Y.<.Y.:.Y.wjZ.(.Y.wj]...Y.wj_.=.Y.wjX.9.Y.<.X.x.Y..iP.X.Y..i..=.Y

File Icon


Icon Hash:	55ce539272690d72

Static PE Info

General

Entrypoint:	0xe13680
Entrypoint Section:	UPX1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x664460CA [Wed May 15 07:14:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	28a18f58924d2f4dd2bffbbc85a12952

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	03/11/2023 01:00:00 05/11/2025 00:59:59
Subject Chain	CN=Adobe Inc., OU=AAM 256, O=Adobe Inc., L=San Jose, S=ca, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	27F5C05722CD5478ADEB03BADB1B4103
Thumbprint SHA-1:	02E4107713CE4E95A736D4ACE47926EDED13555C
Thumbprint SHA-256:	1079E99A5160154F92A969871111FECC98F0CD6D4E7BE96ACAE9FBBB5511DB9D
Serial:	098A2F313AB2C29CD42B062A0E467B0C

Entrypoint Preview

Instruction
pushad
mov esi, 00AF9000h
lea edi, dword ptr [esi-006F8000h]
push edi
jmp 00007F0FB44CC38Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F0FB44CC389h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0FB44CC36Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F0FB44CC389h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F0FB44CC38Dh
jne 00007F0FB44CC3AAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0FB44CC3A1h
dec eax
add ebx, ebx
jne 00007F0FB44CC389h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F0FB44CC356h
add ebx, ebx
jne 00007F0FB44CC389h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F0FB44CC3D4h
xor ecx, ecx
sub eax, 03h
jc 00007F0FB44CC393h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F0FB44CC3F7h
sar eax, 1
mov ebp, eax
jmp 00007F0FB44CC38Dh
add ebx, ebx
jne 00007F0FB44CC389h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0FB44CC34Eh
inc ecx
add ebx, ebx
jne 00007F0FB44CC389h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0FB44CC340h
add ebx, ebx
jne 00007F0FB44CC389h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F0FB44CC371h
jne 00007F0FB44CC38Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F0FB44CC366h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F0FB44CC390h
mov al, byte ptr [edx]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1e91c	0xd4	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa14000	0xa91c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x325a00	0x3378	UPX0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa1e9f0	0x1c	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa13854	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa1387c	0xc0	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x617c4c	0x2a0	UPX0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x6f8000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x6f9000	0x31b000	0x31aa00	98b73a12576e2154cd160d8c5e89db9a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xa14000	0xb000	0xac00	eb566e70454bba039a51b5d6a33e9d85	False	0.1675826671511628	data	3.8152293033877993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
CSS	0x67b774	0xe5714	empty	English	United States	0
DICTIONARY	0x760e88	0x9210	data	English	United States	0.9953198545143346
DICTIONARY	0x76a098	0xaa58	data	English	United States	0.9936250229315722
DICTIONARY	0x774af0	0xb022	data	English	United States	0.9837658017298736
DICTIONARY	0x77fb14	0xc273	data	English	United States	0.9918841278450752
DICTIONARY	0x78bd88	0xa5d9	data	English	United States	0.9920390041689239
DICTIONARY	0x796364	0x9dde	data	English	United States	0.9943831345573316
DICTIONARY	0x7a0144	0xab1c	data	English	United States	0.9832435394027943
DICTIONARY	0x7aac60	0xa26e	data	English	United States	0.9836708191044202
DICTIONARY	0x7b4ed0	0x8b1f	data	English	United States	0.9931770321493752
DICTIONARY	0x7bd9f0	0x8d8e	data	English	United States	0.9936806667034604
DICTIONARY	0x7c6780	0x9ff7	data	English	United States	0.995873116651608
DICTIONARY	0x7d0778	0x9bb4	data	English	United States	0.9950827897641746
DICTIONARY	0x7da32c	0xa699	data	English	United States	0.995685713615794
DICTIONARY	0x7e49c8	0xa4b2	data	English	United States	0.9955172904511171
DICTIONARY	0x7eee7c	0xe588	data	English	United States	0.9944860449285228
DICTIONARY	0x7fd404	0xa3ff	data	English	United States	0.9919967605935736
DICTIONARY	0x807804	0x9c47	data	English	United States	0.9932761766690829
DICTIONARY	0x81144c	0x9f5e	data	English	United States	0.9936761605961076
DICTIONARY	0x81b3ac	0x9d4b	data	English	United States	0.9938411105868329
DICTIONARY	0x8250f8	0xa5db	data	English	United States	0.9965849407663864
DICTIONARY	0x82f6d4	0xb048	DOS executable (COM)	English	United States	0.9968977131714235
JS	0x83a71c	0x14120c	DOS executable (COM)	English	United States	0.9548664093017578
XML	0x97b928	0x2c8	data	English	United States	1.0154494382022472
RT_ICON	0xa14778	0x1045	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9080432172869147
RT_ICON	0xa157c4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m	English	United States	0.03719886632026453
RT_ICON	0xa199f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m	English	United States	0.04948132780082987
RT_ICON	0xa1bf9c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m	English	United States	0.0799718574108818
RT_ICON	0xa1d048	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m	English	United States	0.1069672131147541
RT_ICON	0xa1d9d4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m	English	United States	0.15602836879432624
RT_GROUP_ICON	0xa1de40	0x5a	data	English	United States	0.7666666666666667
RT_VERSION	0xa1dea0	0x304	data	English	United States	0.43523316062176165
RT_HTML	0x985600	0x1aa	data	English	United States	1.0258215962441315
RT_MANIFEST	0xa1e1a8	0x773	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1847), with CRLF line terminators	English	United States	0.29365495542737285

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
WS2_32.dll	WSACleanup

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Acrobat_Set-Up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Local\Adobe\OOBE\temp_lbs_wid

C:\Users\user\AppData\Local\Temp\CreativeCloud\ACC\WAM.log

C:\Users\user\AppData\Local\Temp\NGL\NGLClient_CreativeCloudInstaller1.ngllogcontrolconfig

C:\Users\user\AppData\Local\Temp\{53B6AA41-1C94-490D-A23A-1C3C8674F7A5}\CCDInstaller.js

C:\Users\user\AppData\Local\Temp\{53B6AA41-1C94-490D-A23A-1C3C8674F7A5}\index.css

C:\Users\user\AppData\Local\Temp\{53B6AA41-1C94-490D-A23A-1C3C8674F7A5}\index.html

C:\Users\user\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\anon_events\2b05e2d2-755f-4618-b0b9-642348d8f7b3

C:\Users\user\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\anon_events\manifest

C:\Users\user\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\meta_events\e9267471-4041-463e-88d8-824046f81ac0

C:\Users\user\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\meta_events\manifest

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
Acrobat_Set-Up.exe