File name:

Reader_en_install.exe

Full analysis: https://app.any.run/tasks/c6b539c4-0769-4760-8c2a-e949115d5d9a
Verdict: Malicious activity
Analysis date: December 08, 2024, 14:38:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

220C6EB8710940AE3AE85ADC36D64D1D

SHA1:

A11BE1540235639EE51D0CC7ED9950931BF8B820

SHA256:

0FE0B86968AF4CB73E1115CB2C660E66D12015ECFFE445AF85DAA9CC41657E61

SSDEEP:

49152:/mB4ZsraOhUKmgguGKw31KJBdRbI72odLKOBF4YnGlVaAixgbv5KW9hKBWCmlGhv:gjyggnK2cRQvLKOBFlnGldi0KsKNqOu2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

  • SUSPICIOUS

    • Application launched itself

      • Reader_en_install.exe (PID: 2844)

    • Checks Windows Trust Settings

      • Reader_en_install.exe (PID: 6468)
      • Reader_en_install.exe (PID: 2844)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Reads security settings of Internet Explorer

      • Reader_en_install.exe (PID: 6468)
      • Reader_en_install.exe (PID: 2844)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Reads Internet Explorer settings

      • Reader_en_install.exe (PID: 2844)

    • Reads Microsoft Outlook installation path

      • Reader_en_install.exe (PID: 2844)

    • Executable content was dropped or overwritten

      • Reader_en_install.exe (PID: 2844)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Starts application with an unusual extension

      • Reader_en_install.exe (PID: 6468)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • The process creates files with name similar to system file names

      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • The process verifies whether the antivirus software is installed

      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)
      • McCHSvc.exe (PID: 6504)
      • McCHSvc.exe (PID: 4052)
      • SSScheduler.exe (PID: 3092)

    • Process drops legitimate windows executable

      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Creates a software uninstall entry

      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Executes as Windows Service

      • McCHSvc.exe (PID: 4052)

    • Searches for installed software

      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Adds/modifies Windows certificates

      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

  • INFO

    • Checks supported languages

      • Reader_en_install.exe (PID: 2844)
      • Reader_en_install.exe (PID: 6468)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)
      • McCHSvc.exe (PID: 4052)
      • McCHSvc.exe (PID: 6504)
      • SSScheduler.exe (PID: 3092)

    • Create files in a temporary directory

      • Reader_en_install.exe (PID: 2844)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Reads the computer name

      • Reader_en_install.exe (PID: 2844)
      • Reader_en_install.exe (PID: 6468)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)
      • McCHSvc.exe (PID: 4052)
      • McCHSvc.exe (PID: 6504)

    • Process checks computer location settings

      • Reader_en_install.exe (PID: 2844)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Reads the machine GUID from the registry

      • Reader_en_install.exe (PID: 6468)
      • Reader_en_install.exe (PID: 2844)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Creates files or folders in the user directory

      • Reader_en_install.exe (PID: 6468)
      • Reader_en_install.exe (PID: 2844)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Reads the software policy settings

      • Reader_en_install.exe (PID: 6468)
      • Reader_en_install.exe (PID: 2844)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Checks proxy server information

      • Reader_en_install.exe (PID: 6468)
      • Reader_en_install.exe (PID: 2844)
      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)

    • Creates files in the program directory

      • AA05E62F-E7FE-4987-ABB3-718454903AA0 (PID: 7028)
      • McCHSvc.exe (PID: 4052)
      • SSScheduler.exe (PID: 3092)

    • The process uses the downloaded file

      • Reader_en_install.exe (PID: 2844)

    • UPX packer has been detected

      • Reader_en_install.exe (PID: 2844)

    • Application launched itself

      • msedge.exe (PID: 4628)
      • Acrobat.exe (PID: 5568)
      • AcroCEF.exe (PID: 7192)

    • Sends debugging messages

      • Acrobat.exe (PID: 7084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:05 07:42:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.35
CodeSize: 1597440
InitializedDataSize: 20480
UninitializedDataSize: 3080192
EntryPoint: 0x4768d0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.790
ProductVersionNumber: 2.0.0.790
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Adobe Inc
FileDescription: Adobe Download Manager
FileVersion: 2.0.0.790s
InternalName: Adobe Download Manager
LegalCopyright: Copyright 2019 Adobe Inc. All rights reserved.
OriginalFileName: Adobe Download Manager
ProductName: Adobe Download Manager
ProductVersion: 2.0.0.790s
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
163
Monitored processes
31
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start reader_en_install.exe reader_en_install.exe aa05e62f-e7fe-4987-abb3-718454903aa0 mcchsvc.exe no specs mcchsvc.exe no specs ssscheduler.exe no specs msedge.exe acrobat.exe msedge.exe no specs acrobat.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs explorer.exe no specs msedge.exe no specs msedge.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2324"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2352 --field-trial-handle=2168,i,4725310224404383461,7289096504975233168,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2456"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3496 --field-trial-handle=2168,i,4725310224404383461,7289096504975233168,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2844"C:\Users\admin\AppData\Local\Temp\Reader_en_install.exe" C:\Users\admin\AppData\Local\Temp\Reader_en_install.exe
explorer.exe
User:
admin
Company:
Adobe Inc
Integrity Level:
MEDIUM
Description:
Adobe Download Manager
Exit code:
0
Version:
2.0.0.790s
Modules
Images
c:\users\admin\appdata\local\temp\reader_en_install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
3092"C:\Program Files (x86)\McAfee Security Scan\4.1.482\SSScheduler.exe"C:\Program Files (x86)\McAfee Security Scan\4.1.482\SSScheduler.exeAA05E62F-E7FE-4987-ABB3-718454903AA0
User:
admin
Company:
McAfee, LLC
Integrity Level:
HIGH
Description:
McAfee Security Scanner Scheduler
Version:
4,1,482,0
Modules
Images
c:\program files (x86)\mcafee security scan\4.1.482\ssscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3208"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x31c,0x328,0x32c,0x324,0x308,0x7ff821955fd8,0x7ff821955fe4,0x7ff821955ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3744"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3960 --field-trial-handle=2168,i,4725310224404383461,7289096504975233168,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3840"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2656 --field-trial-handle=2168,i,4725310224404383461,7289096504975233168,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
4052"C:\Program Files (x86)\McAfee Security Scan\4.1.482\McCHSvc.exe"C:\Program Files (x86)\McAfee Security Scan\4.1.482\McCHSvc.exeservices.exe
User:
SYSTEM
Company:
McAfee, LLC
Integrity Level:
SYSTEM
Description:
Component Host Service
Exit code:
0
Version:
4,1,482,0
Modules
Images
c:\program files (x86)\mcafee security scan\4.1.482\mcchsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
4548"C:\WINDOWS\system32\explorer.exe"C:\Windows\SysWOW64\explorer.exeReader_en_install.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
4628"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://get.adobe.com/reader/completion/adm/?exitcode=-1&type=install&appId=300&preinstalled=1&workflow=64C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Reader_en_install.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
32 716
Read events
32 555
Write events
150
Delete events
11

Modification events

(PID) Process:(2844) Reader_en_install.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2844) Reader_en_install.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2844) Reader_en_install.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7028) AA05E62F-E7FE-4987-ABB3-718454903AA0Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7028) AA05E62F-E7FE-4987-ABB3-718454903AA0Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7028) AA05E62F-E7FE-4987-ABB3-718454903AA0Key:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7028) AA05E62F-E7FE-4987-ABB3-718454903AA0Key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:delete valueName:4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Value:
(PID) Process:(7028) AA05E62F-E7FE-4987-ABB3-718454903AA0Key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation:writeName:Blob
Value:
040000000100000010000000E94FB54871208C00DF70F708AC47085B0F0000000100000030000000C130BBA37B8B350E89FD5ED76B4F78777FEEE220D3B9E729042BEF6AF46E8E4C1B252E32B3080C681BC9A8A1AFDD0A3C0300000001000000140000004EFC31460C619ECAE59C1BCE2C008036D94C84B809000000010000000C000000300A06082B060105050703031D00000001000000100000005467B0ADDE8D858E30EE517B1A19ECD91400000001000000140000001F00BF46800AFC7839B7A5B443D95650BBCE963B53000000010000001F000000301D301B060567810C010330123010060A2B0601040182373C0101030200C06200000001000000200000007B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF860B000000010000004200000047006C006F00620061006C005300690067006E00200043006F006400650020005300690067006E0069006E006700200052006F006F007400200052003400350000001900000001000000100000005D1B8FF2C30F63F5B536EDD400F7F9B4200000000100000076050000308205723082035AA00302010202107653FEAC75464893F5E5D74A483A4EF8300D06092A864886F70D01010C05003053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F7420523435301E170D3230303331383030303030305A170D3435303331383030303030305A3053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F742052343530820222300D06092A864886F70D01010105000382020F003082020A0282020100B62DC530DD7AE8AB903D0372B03A4B991661B2E5FFA5671D371CE57EEC9383AA84F5A3439B98458AB863575D9B00880425E9F868924B82D84BC94A03F3A87F6A8F8A6127BDA144D0FDF53F22C2A34F918DB305B22882915DFB5988050B9706C298F82CA73324EE503A41CCF0A0B07B1D4DD2A8583896E9DFF91B91BB8B102CD2C7431DA20974A180AF7BE6330A0C596B8EBCF4AB5A977B7FAE55FB84F080FE844CD7E2BABDC475A16FBD61107444B29807E274ABFF68DC6C263EE91FE5E00487AD30D30C8D037C55B816705C24782025EB676788ABBA4E34986B7011DE38CAD4BEA1C09CE1DF1E0201D83BE1674384B6CFFC74B72F84A3BFBA09373D676CB1455C1961AB4183F5AC1DEB770D464773CEBFBD9595ED9D2B8810FEFA58E8A757E1B3CFA85AE907259B12C49E80723D93DC8C94DF3B44E62680FCD2C303F08C0CD245D62EE78F989EE604EE426E677E42167162E704F960C664A1B69C81214E2BC66D689486C699747367317A91F2D48C796E7CA6BB7E466F4DC585122BCF9A224408A88537CE07615706171224C0C43173A1983557477E103A45D92DA4519098A9A00737C4651AAA1C6B1677F7A797EC3F1930996F31FBEA40B2E7D2C4FAC9D0F050767459FA8D6D1732BEF8E97E03F4E787759AD44A912C850313022B4280F2896A36CFC84CA0CE9EF8CB8DAD16A7D3DED59B18A7C6923AF18263F12E0E2464DF0203010001A3423040300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E041604141F00BF46800AFC7839B7A5B443D95650BBCE963B300D06092A864886F70D01010C050003820201005E2BBA749734445F764828408493EE016EE9A1B3D68025E67BE4BC09913D0FFC76ADD7D43020BB8F60D091D61CF29CEF781A2B943202C12496525202D0F3D1FCF29B396E99E11F8E43417D9A1E5BC95D9A84FC26E687F3747226ADA41BD93D3B6A52A03C091E2F1E7BB333B445C7F7ACB1AF9360AD76AEB8B21578EB836AEBFFDB46AB24E5EE02FA901F59C02F5DD6B75DA45C10B77253F8414ECCFA781A254ACAFE85624361C3B437AA81D2F4D63A0FBD8D597E3047DE2B6BE72150335FD4679BD4B8679F3C279903FF85438E7312CA20CDE861D5B166DC17D6396D0FDBCF2337A182894E1C6B3FD6A0CDAA079D3E4226AAD70CEEFA47BF1A527ED17581D3C98A62176D4F88A021A0263EAF6DD962301FE99828AE6E8DD58E4C726693808D2AE355C760679042565C22510FB3DC4E39EE4DDDD91D7810543B6ED0976F03B51EB22373C612B29A64D0FC958524A8FFDFA1B0DC9140AEDF0933ABB9DD92B7F1CC91743B69EB67971B90BFE7C7A06F71BB57BFB78F5AED7A406A16CD80842D2FE102D4249443B315FC0C2B1BFD716FFCCBBC75173A5E83D2C9B32F1BD59C8D7F54FE7E7EE456A387A79DE1595294418F6D5BBE86959AFF1A76DD40D2514A70B41F336323773FEC271E59E40887ED34824A0F3FFEA01DC1F56773458678F4AA29E92787C619DBC61314C33949874DA097E06513F59D7756E9DAB358C73AF2C0CD82
(PID) Process:(7028) AA05E62F-E7FE-4987-ABB3-718454903AA0Key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation:writeName:Blob
Value:
5C0000000100000004000000001000001900000001000000100000005D1B8FF2C30F63F5B536EDD400F7F9B40B000000010000004200000047006C006F00620061006C005300690067006E00200043006F006400650020005300690067006E0069006E006700200052006F006F007400200052003400350000006200000001000000200000007B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF8653000000010000001F000000301D301B060567810C010330123010060A2B0601040182373C0101030200C01400000001000000140000001F00BF46800AFC7839B7A5B443D95650BBCE963B1D00000001000000100000005467B0ADDE8D858E30EE517B1A19ECD909000000010000000C000000300A06082B060105050703030300000001000000140000004EFC31460C619ECAE59C1BCE2C008036D94C84B80F0000000100000030000000C130BBA37B8B350E89FD5ED76B4F78777FEEE220D3B9E729042BEF6AF46E8E4C1B252E32B3080C681BC9A8A1AFDD0A3C040000000100000010000000E94FB54871208C00DF70F708AC47085B200000000100000076050000308205723082035AA00302010202107653FEAC75464893F5E5D74A483A4EF8300D06092A864886F70D01010C05003053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F7420523435301E170D3230303331383030303030305A170D3435303331383030303030305A3053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F742052343530820222300D06092A864886F70D01010105000382020F003082020A0282020100B62DC530DD7AE8AB903D0372B03A4B991661B2E5FFA5671D371CE57EEC9383AA84F5A3439B98458AB863575D9B00880425E9F868924B82D84BC94A03F3A87F6A8F8A6127BDA144D0FDF53F22C2A34F918DB305B22882915DFB5988050B9706C298F82CA73324EE503A41CCF0A0B07B1D4DD2A8583896E9DFF91B91BB8B102CD2C7431DA20974A180AF7BE6330A0C596B8EBCF4AB5A977B7FAE55FB84F080FE844CD7E2BABDC475A16FBD61107444B29807E274ABFF68DC6C263EE91FE5E00487AD30D30C8D037C55B816705C24782025EB676788ABBA4E34986B7011DE38CAD4BEA1C09CE1DF1E0201D83BE1674384B6CFFC74B72F84A3BFBA09373D676CB1455C1961AB4183F5AC1DEB770D464773CEBFBD9595ED9D2B8810FEFA58E8A757E1B3CFA85AE907259B12C49E80723D93DC8C94DF3B44E62680FCD2C303F08C0CD245D62EE78F989EE604EE426E677E42167162E704F960C664A1B69C81214E2BC66D689486C699747367317A91F2D48C796E7CA6BB7E466F4DC585122BCF9A224408A88537CE07615706171224C0C43173A1983557477E103A45D92DA4519098A9A00737C4651AAA1C6B1677F7A797EC3F1930996F31FBEA40B2E7D2C4FAC9D0F050767459FA8D6D1732BEF8E97E03F4E787759AD44A912C850313022B4280F2896A36CFC84CA0CE9EF8CB8DAD16A7D3DED59B18A7C6923AF18263F12E0E2464DF0203010001A3423040300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E041604141F00BF46800AFC7839B7A5B443D95650BBCE963B300D06092A864886F70D01010C050003820201005E2BBA749734445F764828408493EE016EE9A1B3D68025E67BE4BC09913D0FFC76ADD7D43020BB8F60D091D61CF29CEF781A2B943202C12496525202D0F3D1FCF29B396E99E11F8E43417D9A1E5BC95D9A84FC26E687F3747226ADA41BD93D3B6A52A03C091E2F1E7BB333B445C7F7ACB1AF9360AD76AEB8B21578EB836AEBFFDB46AB24E5EE02FA901F59C02F5DD6B75DA45C10B77253F8414ECCFA781A254ACAFE85624361C3B437AA81D2F4D63A0FBD8D597E3047DE2B6BE72150335FD4679BD4B8679F3C279903FF85438E7312CA20CDE861D5B166DC17D6396D0FDBCF2337A182894E1C6B3FD6A0CDAA079D3E4226AAD70CEEFA47BF1A527ED17581D3C98A62176D4F88A021A0263EAF6DD962301FE99828AE6E8DD58E4C726693808D2AE355C760679042565C22510FB3DC4E39EE4DDDD91D7810543B6ED0976F03B51EB22373C612B29A64D0FC958524A8FFDFA1B0DC9140AEDF0933ABB9DD92B7F1CC91743B69EB67971B90BFE7C7A06F71BB57BFB78F5AED7A406A16CD80842D2FE102D4249443B315FC0C2B1BFD716FFCCBBC75173A5E83D2C9B32F1BD59C8D7F54FE7E7EE456A387A79DE1595294418F6D5BBE86959AFF1A76DD40D2514A70B41F336323773FEC271E59E40887ED34824A0F3FFEA01DC1F56773458678F4AA29E92787C619DBC61314C33949874DA097E06513F59D7756E9DAB358C73AF2C0CD82
(PID) Process:(7028) AA05E62F-E7FE-4987-ABB3-718454903AA0Key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:D69B561148F01C77C54578C10926DF5B856976AD
Value:
Executable files
21
Suspicious files
244
Text files
64
Unknown types
4

Dropped files

PID
Process
Filename
Type
2844Reader_en_install.exeC:\Users\admin\AppData\Local\Adobe\E9F37BD7-D03F-41DD-A27F-0F5633377BA9\9A6BC63D-9495-4294-9DF4-E0C8C297604C\AA05E62F-E7FE-4987-ABB3-718454903AA0.aamdownload
MD5:
SHA256:
6468Reader_en_install.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBder
MD5:673727D0D36E48A831A6C11CB671A426
SHA256:4C223EA88C9F122D93F026906987E13343613B1DCF3A315B153C8CA91A7A0261
2844Reader_en_install.exeC:\Users\admin\AppData\Local\Temp\Adobe_ADMLogs\Adobe_ADM.logtext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
6468Reader_en_install.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141der
MD5:15C629222AFDE0CB41FDAE3E54FB6526
SHA256:60C14C33F73E449CD0FF7257B14023AE0CE10E1C7700F7300143827C860D2CE3
2844Reader_en_install.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419der
MD5:A4460C6EB195429E2D507D1AC2A94617
SHA256:27DAADC656FE8659BB78F1B9B532A4EE993E0D8FC1A670874B4154301A3C0607
6468Reader_en_install.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:C604848A3DE89C41BB3875F856C1C0C6
SHA256:2BB62F402165F0A2DD88185EE9373E2F76E36D8F4A358D8523A1122BF7C98332
6468Reader_en_install.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F47D0D738DC3C3984730C80B8D674D25der
MD5:9BF08460C426467389969CCB0CF70E65
SHA256:886BA43A22F359FE8F686C537A122927DF4AB452C0EEB02697F474645218B42C
2844Reader_en_install.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419binary
MD5:58E8BDCEEA9EFF6B2547F65204B6774B
SHA256:43C1B69039FA35879BF24D86029838C799BFF5C42FA1FFF9F5F2AF0D799BFEED
6468Reader_en_install.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:C7FE65FDE6418B6363C5CB4A0F1C2091
SHA256:1AEC7821339933C7F7B3BD25BBE77A435F841DB98E1304A23B8BF9974910E0AC
2844Reader_en_install.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\d[1]woff
MD5:DF0CD5EDE266E9EA694C3D28209FCE9F
SHA256:5ECD3C64E4C0D1A51D13E2762BECB9E7DA2ACD30D670058A6B16761BE3E017DB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
107
DNS requests
116
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
2.16.164.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6468
Reader_en_install.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7028
AA05E62F-E7FE-4987-ABB3-718454903AA0
GET
200
172.64.149.23:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBE0LjmjWL0GhJVvAYUGauQ%3D
unknown
whitelisted
7028
AA05E62F-E7FE-4987-ABB3-718454903AA0
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS1ltXHf0Gu7UbTwUFXQxqswh7XKQQUrrrnB8N4tGHsArqIlJV3X9NjtKoCEHyfTd%2Fqg0L%2Ff%2BJPDnmJnMc%3D
unknown
whitelisted
6220
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6616
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5568
Acrobat.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
6616
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.164.18:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.209.185:443
www.bing.com
Akamai International B.V.
GB
whitelisted
6468
Reader_en_install.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2844
Reader_en_install.exe
2.19.126.198:443
use.typekit.net
Akamai International B.V.
DE
whitelisted
2844
Reader_en_install.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.18
  • 2.16.164.40
  • 2.16.164.99
  • 2.16.164.17
  • 2.16.164.122
  • 2.16.164.9
  • 2.16.164.114
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.140
  • 2.23.209.179
  • 2.23.209.149
  • 2.23.209.133
  • 2.23.209.176
  • 2.23.209.182
  • 2.23.209.130
  • 104.126.37.178
  • 104.126.37.163
  • 104.126.37.171
  • 104.126.37.153
  • 104.126.37.136
  • 104.126.37.144
  • 104.126.37.155
  • 104.126.37.139
  • 104.126.37.170
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
use.typekit.net
  • 2.19.126.198
  • 2.19.126.206
  • 184.24.77.141
  • 184.24.77.156
whitelisted
geo-dc.adobe.com
  • 23.32.184.135
  • 23.213.164.167
whitelisted
p.typekit.net
  • 2.19.126.219
  • 2.19.126.211
  • 184.24.77.146
  • 184.24.77.154
shared
rdc.adobe.io
  • 52.48.126.58
  • 54.228.247.11
  • 34.246.54.182
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Reader_en_install.exe