ID: 355727
Sample Name: Set-up.exe
Cookbook: default.jbs
Time: 13:38:24
Date: 21/02/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents (page 2)
Analysis Report Set-up.exe (page 4)
Overview (page 4)
General Information (page 4)
Detection (page 4)
Signatures (page 4)
Classification (page 4)
Startup (page 4)
Malware Configuration (page 4)
Yara Overview (page 4)
Sigma Overview (page 4)
Signature Overview (page 4)
Compliance (page 5)
Mitre Att&ck Matrix (page 5)
Behavior Graph (page 5)
Screenshots (page 6)
Thumbnails (page 6)
Antivirus, Machine Learning and Genetic Malware Detection (page 7)
Initial Sample (page 7)
Dropped Files (page 7)
Unpacked PE Files (page 7)
Domains (page 7)
URLs (page 7)
Domains and IPs (page 8)
Contacted Domains (page 8)
URLs from Memory and Binaries (page 8)
Contacted IPs (page 8)
General Information (page 8)
Simulations (page 9)
Behavior and APIs (page 9)
Joe Sandbox View / Context (page 9)
IPs (page 9)
Domains (page 9)
ASN (page 9)
JA3 Fingerprints (page 9)
Dropped Files (page 9)
Created / dropped Files (page 10)
Static File Info (page 10)
General (page 10)
File Icon (page 10)
Static PE Info (page 10)
General (page 10)
Authenticode Signature (page 11)
Entrypoint Preview (page 11)
Rich Headers (page 12)
Data Directories (page 12)
Sections (page 13)
Resources (page 13)
Imports (page 14)
Version Infos (page 16)
Possible Origin (page 16)
Network Behavior (page 16)
Code Manipulations (page 16)
Statistics (page 16)
System Behavior (page 16)
Analysis Process: Set-up.exe PID: 3976 Parent PID: 5896 (page 16)
General (page 16)
File Activities (page 17)
File Created (page 17)
File Written (page 17)
File Read (page 21)
Registry Activities (page 21)
Key Value Created (page 21)
Disassembly (page 21)
Code Analysis (page 21)

Copyright null 2021 Page 2 of 21

Analysis Report Set-up.exe

Overview

General Information

Sample Name: Set-up.exe
Analysis ID: 355727
MD5: de70f0deed893bb…
SHA1: f351b0c2996a357…
SHA256: b9a187b59c758e…
Most interesting Screenshot:

Detection

Detection: clean (scale: malicious / suspicious / clean)
Score: 7
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a d…
Contains functionality to detect virtu…
Contains functionality to dynamically…
Contains functionality to query locale…
Contains functionality to read the PEB
Contains functionality which may be…
Detected potential crypto function
Found large amount of non-executed…
Found potential string decryption / a…
PE / OLE file has an invalid certificate
PE file contains strange resources
Sample file is different than original …
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptog…
Uses code obfuscation techniques (…

Classification

Classification wheel categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Startup

System is w10x64
Set-up.exe (PID: 3976 cmdline: 'C:\Users\user\Desktop\Set-up.exe' MD5: DE70F0DEED893BBA56CCB78EAFD59606)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Cryptography
• Bitcoin Miner
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings


There are no malicious signatures.

Compliance:

Uses 32bit PE files

Creates install or setup log file

Contains modern PE file flags such as dynamic base (ASLR) or NX

Binary contains paths to debug symbols

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects
Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Path Interception | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization
Default Accounts | Scripting 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Modify Registry 1 | LSASS Memory | Security Software Discovery 2 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization
Domain Accounts | Native API 1 | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 1 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | System Information Discovery 1 5 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |

Behavior Graph

[Behavior graph: ID 355727, Sample Set-up.exe, Startdate 21/02/2021, Architecture WINDOWS, Score 7. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. Single node: Set-up.exe (started), counts shown 1 and 11.]

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Set-up.exe | 1% | Virustotal |
Set-up.exe | 0% | Metadefender |
Set-up.exe | 0% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
cacerts.dig | 0% | Avira URL Cloud | safe
ocsp.dig | 0% | Avira URL Cloud | safe
https://127.0.0.1 | 0% | Virustotal |
https://127.0.0.1 | 0% | Avira URL Cloud | safe
ocsp.digicert.c | 0% | Avira URL Cloud | safe
https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0 | 0% | Avira URL Cloud | safe
https://tron-qe-user-packages.s3.amazonaws.comhttps://tron-qe-user-packages.s3-accelerate.amazonaws. | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
typekit.com/eulas/000000000000000000014f4e | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014f4d | Set-up.exe | false | | high
cacerts.dig | Set-up.exe, 00000000.00000002.649160410.0000000001076000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
ocsp.dig | Set-up.exe, 00000000.00000002.649160410.0000000001076000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://127.0.0.1 | Set-up.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
typekit.com/eulas/000000000000000000014825 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014824 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014823 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014822 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014f4f | Set-up.exe | false | | high
ocsp.digicert.c | Set-up.exe, 00000000.00000002.649401359.0000000001114000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
www.winimage.com/zLibDll | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014f52 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014f51 | Set-up.exe | false | | high
typekit.com/eulas/000000000000000000014f50 | Set-up.exe | false | | high
https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0.1https://127.0.0 | Set-up.exe | false | Avira URL Cloud: safe | low
https://tron-qe-user-packages.s3.amazonaws.comhttps://tron-qe-user-packages.s3-accelerate.amazonaws. | Set-up.exe | false | Avira URL Cloud: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 355727
Start date: 21.02.2021
Start time: 13:38:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Set-up.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean7.winEXE@1/1@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Stop behavior analysis, all processes terminated
Warnings: Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\CreativeCloud\ACC\AdobeDownload\HDInstaller.log
Process: C:\Users\user\Desktop\Set-up.exe
File Type: Little-endian UTF-16 text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 2398
Entropy (8bit): 3.590938496819505
Encrypted: false
SSDEEP: 24:Q41bB3invpm7S3nt3XWQU4n3WzHEn39Sn3c6D6o3n30az2woNn3cmO79zZF+H:XX3ivp/403Wr+3u3cs6I30Hw43cmO792
MD5: A4D6BE4DC93584D5F4A7579B6FB74985
SHA1: 609082F7E8FE600F08E138C7EBC1C24DFB260C01
SHA-256: 4A0CBDC9A449A0DD73A3D845EDE3F75631F0F81C2968C8849EA6FA60B4AA81FB
SHA-512: A700A4196446C016A412079A3909C922AD14ABC6587B89D8A570CB7B32218099D98A016685F808B8768B944C72F3E52ABEF5C557CA2CC1477DDC5F14630F26EB
Malicious: false
Reputation: low
Preview (UTF-16 text decoded):
02/21/21 13:39:08:562 | [INFO] | 3976 | Bootstrapper | Set-up | ApplicationContext | | | 3408 | *********************** Workflow start. Version: 5.2.0.436 **************************
02/21/21 13:39:08:563 | [INFO] | 3976 | Bootstrapper | OOBEUtils | CommandLineParser | | OOBEUtils | 3408 | Parsing the command line provided. Number of command line arguments is 1
02/21/21 13:39:08:583 | [INFO] | 3976 | Bootstrapper | | ApplicationContext | | | 3408 | Command line arguments as XML: <Command

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.429078563814221
TrID: Win32 Executable (generic) a (10002005/4) 99.94%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Disk Image (Macintosh), GPT (2000/0) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Set-up.exe
File size: 7603760
MD5: de70f0deed893bba56ccb78eafd59606
SHA1: f351b0c2996a3573d36deab9b6b3961876189f71
SHA256: b9a187b59c758ead0022e50bbaae4133d2e37b769a054249afc0b6aa2e26774d
SHA512: 86459d1e7ba8480cf005087450d7dcf969dcd6f6fd228012d7542539ff74d72105a35b3a8d8216e1b44cdee21730a1ddb32d9b5d20073099cb4da5a56c77fc41
SSDEEP: 98304:6FvXsG/he04LbyzviYHnl0p5585O5jqYCskq1c8kZMoB:wvX//MNL6vvl0p55R5kgoB
File Content Preview: MZ...... @...... 8...... !..L.!This program cannot be run in DOS mode....$...... <...xz~ .xz~.xz~.#.}.mz~.#.{..z~.....yz~.y.z.kz~.y.}.az~.y.{..z~.#.z ._z~...{.`z~..!z.yz~..!{.pz~.#.x.zz~.#...[z~.xz..Mx~...w.3{~

File Icon

Icon Hash: d4e896929a8a92a6

Static PE Info

General

Entrypoint: 0x6c9beb
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5EEE118A [Sat Jun 20 13:39:22 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: e133890b059ac017fed069a78f415ebe

Authenticode Signature

Signature Valid: false
Signature Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before: 1/31/2019 1:00:00 AM
Not After: 2/3/2021 1:00:00 PM
Subject Chain: CN=Adobe Inc., OU=AAM 256, O=Adobe Inc., L=San Jose, S=ca, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version: 3
Thumbprint MD5: A644B92DAADE3F85886B69AC1E1A9C8D
Thumbprint SHA-1: E4C03D895E1590FD8138F455F4F366BF17DED35D
Thumbprint SHA-256: F1D08D7B98504370C1D5C40DCD8D8DCEAB084E9095CEF544465C445A374A18B0
Serial: 06F24D9F4DB07BD7ECAD067F5EE26C29

Entrypoint Preview

Instruction
    call 00007F9A3C72847Dh
    jmp 00007F9A3C7277CFh
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    cmp dword ptr [008744F0h], 06h
    jl 00007F9A3C727959h
    bound esi, dword ptr [ecx]
    jle 00007F9A3C72795Ah
    js 00007F9A3C727912h
    ret
    movd eax, xmm0
    shl eax, 1
    jc 00007F9A3C72796Dh
    cmp eax, 9E000000h
    jnc 00007F9A3C727957h
    cvttss2si eax, xmm0
    ret
    cmp eax, 9F000000h
    jnc 00007F9A3C727961h
    shl eax, 07h
    bts eax, 1Fh
    ret
    cmp eax, 7F000000h
    jc 00007F9A3C727937h
    cvttss2si ecx, dword ptr [0077C2C0h]
    cmc
    sbb eax, eax
    ret
    cmp dword ptr [008744F0h], 06h
    jl 00007F9A3C72796Ch
    mov eax, 00000001h
    lds edi, ecx
    xchg eax, edx
    enter F162h, 7Dh
    mov dword ptr [eax-40h], edi
    lds edi, ecx
    jle 00007F9A3C727912h
    les esp, ebx
    jns 00007F9A3C727968h
    retn C301h
    movd eax, xmm0
    shl eax, 1
    jc 00007F9A3C727985h
    cmp eax, 9E000000h
    jnc 00007F9A3C727959h
    cvttss2si eax, xmm0
    xor edx, edx
    ret
    cmp eax, BF000000h
    jnc 00007F9A3C727977h
    mov ecx, eax
    bts eax, 18h
    shr ecx, 18h
    shl eax, 07h
    sub cl, FFFFFFBEh
    jns 00007F9A3C72795Ah
    xor edx, edx
    shld edx, eax, cl
    shl eax, cl
    ret
    mov edx, eax
    xor eax, eax
    ret
    cmp eax, 7F000000h
    jc 00007F9A3C72791Fh
    cvttss2si ecx, dword ptr [0077C2C0h]

Rich Headers

Programming Language:
[ C ] VS2015 UPD1 build 23506
[C++] VS2015 UPD1 build 23506

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x44b704 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x478000 | 0x29e4c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x73e800 | 0x1e30 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x717000 | 0x313b8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x40b6e0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x40b750 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x37c2d8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x36c000 | 0x748 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x44b2b8 | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x36aa10 | 0x36ac00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x36c000 | 0xe20a6 | 0xe2200 | False | 0.409673637023 | data | 5.29729554703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x44f000 | 0x2804c | 0x21c00 | False | 0.0837311921296 | data | 2.61540802928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x478000 | 0x29e4c8 | 0x29e600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x717000 | 0x313b8 | 0x31400 | False | 0.468953243972 | data | 6.66681544505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
CSS | 0x4b0a48 | 0x4126 | assembler source, ASCII text, with very long lines, with CRLF line terminators | English | United States
CSS | 0x4b8f48 | 0xaf895 | ASCII text, with very long lines, with CRLF line terminators | English | United States
CSS | 0x4b4b70 | 0x43d5 | assembler source, ASCII text, with very long lines, with CRLF line terminators | English | United States
CSS | 0x5687e0 | 0xa12 | ASCII text, with CRLF line terminators | English | United States
DICTIONARY | 0x5989b0 | 0x12240 | Little-endian UTF-16 Unicode text, with CRLF, CR line terminators | English | United States
DICTIONARY | 0x5aabf0 | 0x149dc | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x5bf5d0 | 0x13e56 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x5d3428 | 0xf0c8 | Little-endian UTF-16 Unicode text, with CRLF line terminators | English | United States
DICTIONARY | 0x5e24f0 | 0x13976 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x5f5e68 | 0x12c94 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x608b00 | 0xee7c | Little-endian UTF-16 Unicode text, with CRLF line terminators | English | United States
DICTIONARY | 0x617980 | 0x1347e | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x62ae00 | 0xd488 | Little-endian UTF-16 Unicode text, with CRLF line terminators | English | United States
DICTIONARY | 0x638288 | 0xd5ea | Little-endian UTF-16 Unicode text, with CRLF line terminators | English | United States
DICTIONARY | 0x645878 | 0x132ae | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x658b28 | 0x12650 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x66b178 | 0x12b1e | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x67dc98 | 0x130d8 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x690d70 | 0x12df8 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x6a3b68 | 0x128e6 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x6b6450 | 0x12994 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x6c8de8 | 0x128d4 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x6db6c0 | 0x12b20 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x6ee1e0 | 0x13976 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
DICTIONARY | 0x701b58 | 0x13e56 | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | English | United States
GIF | 0x583228 | 0x2b | GIF image data, version 89a, 1 x 1 | English | United States
GIF | 0x56d528 | 0x4b1a | GIF image data, version 89a, 64 x 64 | English | United States
GIF | 0x572048 | 0xe622 | GIF image data, version 89a, 128 x 128 | English | United States
JS | 0x47b0b0 | 0xea25 | ASCII text, with very long lines, with CRLF line terminators | English | United States
JS | 0x495478 | 0x16dc5 | ASCII text, with very long lines, with CRLF line terminators | English | United States
JS | 0x4ac240 | 0x3984 | ASCII text, with very long lines, with CRLF line terminators | English | United States
JS | 0x4afbc8 | 0xe7a | ASCII text, with very long lines, with CRLF line terminators | English | United States
JS | 0x48b6a0 | 0x938a | ASCII text, with very long lines, with CRLF, CR line terminators | English | United States
JS | 0x494a30 | 0xa48 | ASCII text, with CRLF line terminators | English | United States
PNG | 0x5691f8 | 0x9f0 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x569be8 | 0x1ac2 | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56b6b0 | 0x226 | PNG image data, 29 x 22, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56b8d8 | 0x42c | PNG image data, 58 x 44, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56c490 | 0x127 | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56c5b8 | 0x213 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56c7d0 | 0x1d2 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56c9a8 | 0x3fd | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56cda8 | 0xa7 | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56ce50 | 0xfc | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56cf50 | 0x13d | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56d090 | 0x22a | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56d2c0 | 0xe0 | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56d3a0 | 0x187 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x580670 | 0xab5 | PNG image data, 88 x 84, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56bd08 | 0x28e | PNG image data, 30 x 22, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x56bf98 | 0x4f1 | PNG image data, 60 x 46, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x581128 | 0x16c3 | PNG image data, 176 x 168, 8-bit/color RGBA, non-interlaced | English | United States
SVG | 0x5827f0 | 0x121 | SVG Scalable Vector Graphics image | English | United States
SVG | 0x582918 | 0x25a | SVG Scalable Vector Graphics image | English | United States
SVG | 0x582b78 | 0x2ed | SVG Scalable Vector Graphics image | English | United States
SVG | 0x582e68 | 0x3be | SVG Scalable Vector Graphics image | English | United States
RT_ICON | 0x583258 | 0xa8c | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | English | United States
RT_ICON | 0x583ce8 | 0x10828 | data | English | United States
RT_ICON | 0x594510 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 16777215, next used block 16777215 | English | United States
RT_ICON | 0x596ab8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 16777215, next used block 16777215 | English | United States
RT_ICON | 0x597b60 | 0x988 | data | English | United States
RT_ICON | 0x5984e8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0x598950 | 0x5a | data | English | United States
RT_VERSION | 0x7159b0 | 0x2fc | data | English | United States
RT_HTML | 0x478df0 | 0x22b9 | HTML document, ASCII text, with CRLF line terminators | English | United States
RT_HTML | 0x489ad8 | 0x1bc7 | HTML document, ASCII text, with CRLF line terminators | English | United States
RT_MANIFEST | 0x715cb0 | 0x813 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States

Imports

DLL: COMCTL32.dll
Import: InitCommonControlsEx

DLL: SHLWAPI.dll
Import: PathRemoveBackslashW, PathIsNetworkPathW, PathIsUNCW, PathStripPathW, UrlIsW, SHGetValueW, UrlEscapeW, PathFindFileNameW, PathRemoveFileSpecW, PathRemoveExtensionW, PathFileExistsW, PathAddExtensionW, PathIsFileSpecW, PathAppendW, PathIsDirectoryW, PathRenameExtensionW, PathIsSystemFolderW, PathFileExistsA, PathIsRelativeW, PathIsRootW, PathAddBackslashW, PathStripToRootW

DLL: SHELL32.dll
Import: SHGetKnownFolderPath, ShellExecuteW, ShellExecuteExW, SHGetSpecialFolderLocation, SHCreateDirectoryExW, SHGetSpecialFolderPathW, SHGetMalloc, SHGetFolderLocation, SHGetPathFromIDListW, SHGetFolderPathW, CommandLineToArgvW, SHBrowseForFolderW

DLL: KERNEL32.dll
Import: FindNextFileW, WaitForMultipleObjects, CreateFileW, CreateEventW, SetEvent, ResetEvent, GetOverlappedResult, ReadDirectoryChangesW, MultiByteToWideChar, WideCharToMultiByte, GetFileSizeEx, FindClose, GetFileAttributesW, SetFileAttributesW, DeleteFileW, GetLocalTime, GetTimeFormatW, GetDateFormatW, GetCurrentProcess, DeviceIoControl, GetTempPathW, GetVersionExW, GetComputerNameExW, FileTimeToSystemTime, GetNativeSystemInfo, RaiseException, LoadLibraryW, GetProcAddress, CreateProcessW, GetModuleHandleW, FreeLibrary, InitializeCriticalSectionEx, DecodePointer, MulDiv, GetModuleFileNameW, TerminateProcess, RemoveDirectoryW, OpenProcess, CreateToolhelp32Snapshot, Sleep, Process32NextW, Process32FirstW, CopyFileW, GetExitCodeProcess, ReadFile, SetLastError, lstrlenW, LocalAlloc, GetDiskFreeSpaceExW, GetCurrentDirectoryW, SetCurrentDirectoryW, MoveFileExW, GetFileSize, lstrcpyW, lstrcmpiW, lstrcmpW, GetDriveTypeW, GetFullPathNameW, HeapSize, HeapReAlloc, HeapDestroy, GlobalAlloc, GlobalLock, GlobalUnlock, GetSystemDirectoryW, SetDllDirectoryW, GetStdHandle, AttachConsole, FreeConsole, GetConsoleWindow, AreFileApisANSI, TryEnterCriticalSection, HeapCreate, WriteFile, GetDiskFreeSpaceW, OutputDebugStringA, LockFile, SetFilePointer, LeaveCriticalSection, SetEndOfFile, UnlockFileEx, UnmapViewOfFile, HeapValidate, GetTempPathA, GetDiskFreeSpaceA, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, GetVersionExA, DeleteFileA, GetSystemInfo, HeapCompact, UnlockFile, CreateFileMappingA, LockFileEx, SystemTimeToFileTime, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA, CreateFileMappingW, MapViewOfFile, QueryPerformanceCounter, GetTickCount, FlushFileBuffers, SizeofResource, LockResource, LoadResource, FindResourceW, GlobalFree, VerSetConditionMask, FindFirstFileW, GetUserDefaultLCID, LCMapStringW, DuplicateHandle, ProcessIdToSessionId, TerminateThread, CreateThread, FindResourceExW, GetThreadTimes, QueryFullProcessImageNameW, GetUserDefaultLangID, GetUserDefaultUILanguage, SetNamedPipeHandleState, CreateNamedPipeW, ConnectNamedPipe, CreateDirectoryW, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, GetFileTime, ReleaseSemaphore, OpenSemaphoreW, CreateSemaphoreW, GetTimeZoneInformation, QueryPerformanceFrequency, GetCurrentThread, SetFilePointerEx, ResumeThread, EnterCriticalSection, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetLocaleInfoW, CompareStringW, GetCPInfo, EncodePointer, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, GetStringTypeW, SwitchToThread, GetModuleHandleExW, QueueUserWorkItem, IsProcessorFeaturePresent, LoadLibraryExA, VirtualQuery, VirtualProtect, GetCurrentProcessId, GetCurrentThreadId, OpenMutexW, CloseHandle, ReleaseMutex, WaitForSingleObject, CreateMutexW, GetProcessHeap, HeapAlloc, HeapFree, LocalFree, GetLastError, FormatMessageW, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, VirtualAlloc, VirtualFree, CreateTimerQueue, SignalObjectAndWait, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, FreeLibraryAndExitThread, DeleteCriticalSection, GetModuleHandleA, LoadLibraryExW, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, RtlUnwind, ExitThread, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, SetStdHandle, WriteConsoleW, ExitProcess, GetConsoleCP, GetConsoleMode, IsValidLocale, EnumSystemLocalesW, ReadConsoleW, FindFirstFileExW, IsValidCodePage, GetACP, VerifyVersionInfoW, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, InitializeCriticalSection, SetEnvironmentVariableW, GetFullPathNameA

DLL: USER32.dll
Import: CharNextW, BringWindowToTop, TranslateAcceleratorW, GetClassNameW, SetCapture, GetDlgItem, GetParent, RegisterWindowMessageW, GetForegroundWindow, GetSysColor, AttachThreadInput, IsChild, DestroyAcceleratorTable, ClientToScreen, RedrawWindow, InvalidateRgn, IsWindow, SetWindowTextW, ScreenToClient, FillRect, GetFocus, GetWindow, ReleaseCapture, SetForegroundWindow, InvalidateRect, IsIconic, BeginPaint, EndPaint, GetWindowTextW, GetSystemMetrics, GetWindowLongW, GetMessageW, DefWindowProcW, CreateAcceleratorTableW, DestroyWindow, SetWindowPos, CreateWindowExW, SendMessageW, MoveWindow, SetFocus, CallWindowProcW, GetWindowTextLengthW, GetWindowThreadProcessId, wsprintfW, PostThreadMessageW, RegisterClassExW, GetActiveWindow, DispatchMessageW, TranslateMessage, LoadCursorW, SetWindowLongW, PostQuitMessage, GetDesktopWindow, GetClassInfoExW, GetDC, MessageBoxW, ShowWindow, GetAsyncKeyState, ReleaseDC, PostMessageW, UnregisterClassW, GetClientRect, EnumWindows, GetShellWindow, AllowSetForegroundWindow, LoadImageW, SystemParametersInfoW, EnableMenuItem, LoadIconW, GetSystemMenu, GetClassLongW, AppendMenuW, SetClassLongW, GetWindowRect

DLL: GDI32.dll
Import: CreateCompatibleDC, GetStockObject, GetDeviceCaps, GetObjectW, DeleteObject, CreateSolidBrush, DeleteDC, SelectObject, CreateCompatibleBitmap, BitBlt

DLL: ADVAPI32.dll
Import: LookupAccountSidW, SetEntriesInAclW, SetNamedSecurityInfoW, GetNamedSecurityInfoW, CreateWellKnownSid, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken, RegFlushKey, RegCloseKey, RegDeleteKeyExW, RegCreateKeyExW, RegSetValueExW, RegOpenKeyExW, RegEnumValueW, EqualSid, InitializeSecurityDescriptor, FreeSid, AllocateAndInitializeSid, SetSecurityDescriptorDacl, DuplicateTokenEx, ConvertSidToStringSidW, ImpersonateLoggedOnUser, ConvertStringSidToSidW, RevertToSelf, CryptReleaseContext, CryptGetHashParam, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptAcquireContextW, RegQueryValueExW, CredDeleteW, CredFree, CredEnumerateW, CredReadW, CredWriteW, GetUserNameW, GetTokenInformation

DLL: ole32.dll
Import: CoCreateGuid, CoAddRefServerProcess, OleRun, CoUninitialize, CoInitialize, CLSIDFromString, CreateStreamOnHGlobal, CLSIDFromProgID, CoGetClassObject, CoCreateInstance, StringFromGUID2, OleInitialize, OleUninitialize, OleLockRunning, CoTaskMemAlloc, CoTaskMemFree, CoReleaseServerProcess

DLL: OLEAUT32.dll
Import: VariantChangeType, SysAllocStringLen, SysStringLen, SysFreeString, VariantInit, SysAllocString, OleCreateFontIndirect, LoadTypeLib, LoadRegTypeLib, SysAllocStringByteLen, VariantCopy, SysStringByteLen, DispCallFunc, GetErrorInfo, VariantClear

DLL: bcrypt.dll
Import: BCryptCloseAlgorithmProvider, BCryptVerifySignature, BCryptGenerateSymmetricKey, BCryptSetProperty, BCryptDecrypt, BCryptDestroyKey, BCryptEncrypt, BCryptDestroyHash, BCryptOpenAlgorithmProvider, BCryptCreateHash, BCryptHashData, BCryptFinishHash, BCryptGetProperty

DLL: CRYPT32.dll
Import: CertGetNameStringW, CertGetIssuerCertificateFromStore, CryptProtectData, CryptUnprotectData, CryptStringToBinaryW, CertOpenStore, CertFindCertificateInStore, CertFreeCertificateContext, CertCreateCertificateContext, CryptHashCertificate2, CryptImportPublicKeyInfoEx2, CertCloseStore, CertAddCertificateContextToStore, CertVerifySubjectCertificateContext

DLL: Secur32.dll
Import: GetUserNameExW

DLL: WINTRUST.dll
Import: WTHelperProvDataFromStateData, WTHelperGetProvCertFromChain, WinVerifyTrust, WTHelperGetProvSignerFromChain

Version Infos

LegalCopyright: 2020 Adobe. All rights reserved.
InternalName: Adobe Installer
FileVersion: 5.2.0.436
CompanyName: Adobe Inc.
ProductName: Adobe Installer
ProductVersion: 5.2.0.436
FileDescription: Adobe Installer
OriginalFilename: Adobe Installer
Translation: 0x0409 0x04b0

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: Set-up.exe PID: 3976 Parent PID: 5896

General

Start time: 13:39:07
Start date: 21/02/2021
Path: C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Set-up.exe'
Imagebase: 0x150000
File size: 7603760 bytes
MD5 hash: DE70F0DEED893BBA56CCB78EAFD59606
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

File Path: C:\Users\user\AppData\Local\Temp\CreativeCloud\ACC\AdobeDownload\HDInstaller.log
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file | open reparse point
Completion: success or wait
Count: 1
Address: 3B1A07
Symbol: CreateFileW

File Written

Every write below targets C:\Users\user\AppData\Local\Temp\CreativeCloud\ACC\AdobeDownload\HDInstaller.log with Offset: unknown, Completion: success or wait and Count: 1. The Value column of the report holds the raw UTF-16LE bytes; they are reproduced here decoded to text. The report displays at most the first 256 bytes (128 characters) of a write, so entries whose declared Length exceeds that are cut off and end in "…".

Length 2, Address 3B1A63, Symbol WriteFile: ff fe (UTF-16LE byte order mark)
Length 366, Address 3B1F1A, Symbol WriteFile: 02/21/21 13:39:08:562 | [INFO] | 3976 | Bootstrapper | Set-up | ApplicationContext |  |  | 3408 | *********************** Workfl…
Length 4, Address 3B1F33, Symbol WriteFile: 0d 00 0a 00 (CR LF)
Length 362, Address 3B1F1A, Symbol WriteFile: 02/21/21 13:39:08:563 | [INFO] | 3976 | Bootstrapper | OOBEUtils | CommandLineParser |  | OOBEUtils | 3408 | Parsing the command…
Length 4, Address 3B1F33, Symbol WriteFile: 0d 00 0a 00 (CR LF)
Length 296, Address 3B1F1A, Symbol WriteFile: 02/21/21 13:39:08:583 | [INFO] | 3976 | Bootstrapper |  | ApplicationContext |  |  | 3408 | Command line arguments as XML: <Comm…
Length 4, Address 3B1F33, Symbol WriteFile: 0d 00 0a 00 (CR LF)
Length 232, Address 3B1F1A, Symbol WriteFile: 02/21/21 13:39:08:583 | [INFO] | 3976 | Bootstrapper |  | ApplicationContext |  |  | 3408 | Setting application Mode
Length 4, Address 3B1F33, Symbol WriteFile: 0d 00 0a 00 (CR LF)
Length 226, Address 3B1F1A, Symbol WriteFile: 02/21/21 13:39:08:584 | [INFO] | 3976 | Bootstrapper |  | ApplicationContext |  |  | 3408 | WAM Install mode set.
Length 4, Address 3B1F33, Symbol WriteFile: 0d 00 0a 00 (CR LF)
Length 258, Address 3B1F1A, Symbol WriteFile: 02/21/21 13:39:08:905 | [INFO] | 3976 | Bootstrapper |  | ApplicationContext |  |  | 3408 | Installer code sign validation faile…
Length 4, Address 3B1F33, Symbol WriteFile: 0d 00 0a 00 (CR LF)
Length 422, Address 3B1F1A, Symbol WriteFile: 02/21/21 13:39:08:932 | [WARN] | 3976 | Bootstrapper |  | ApplicationContext |  |  | 3408 | WAM Driver XML does not exist at: 'C…
Length 4, Address 3B1F33, Symbol WriteFile: 0d 00 0a 00 (CR LF)
Length 202, Address 3B1F1A, Symbol WriteFile: 02/21/21 13:39:12:796 | [ERROR] | 3976 | Bootstrapper |  | main |  |  | 3408 | Something bad occured.
Length 4, Address 3B1F33, Symbol WriteFile: 0d 00 0a 00 (CR LF)

File Read

File Path: C:\Users\user\AppData\Local\Temp\CreativeCloud\ACC\AdobeDownload\HDInstaller.log
Offset: unknown
Length: 4096
Completion: success or wait
Count: 1
Address: 458A44
Symbol: ReadFile

Registry Activities

Key Value Created

Key Path: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Name: Set-up.exe
Type: dword
Data: 11001
Completion: success or wait
Count: 1
Address: 3B05E4
Symbol: RegSetValueExW

The value 11001 (0x2AF9) selects IE11 edge-mode rendering for a WebBrowser control hosted by a process named Set-up.exe; the key lives under HKEY_CURRENT_USER, so writing it needs no elevation.

Disassembly

Code Analysis
