File name:	Adobe.Photoshop.2024.v25.12.0.806.exe
Full analysis:	https://app.any.run/tasks/1e84c224-394a-442b-ae17-75568a039c76
Verdict:	Malicious activity
Analysis date:	October 04, 2024, 14:31:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	phishing-ml
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	11FE9F05E080D90C3153E976D81D1893
SHA1:	F98250D248786CD93A8F3B0D7D9EC006B58D59D1
SHA256:	1632ACA41109AA44FEAEECF520F1260F839D509055C7D59FF80720A2392E4561
SSDEEP:	393216:2UHW2ce003GzbasoMuOX3Tehvr9F3fO25YXdxn6yTjQQKt4PpsJ:e2c/2GzbTN5XQ5Rz5YN19B7p6

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:11:15 10:52:16+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.3
CodeSize:	201216
InitializedDataSize:	463360
UninitializedDataSize:	-
EntryPoint:	0x1f040
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	KpoJIuK
FileVersion:	1.0.0.0
LegalCopyright:	KpoJIuK
ProductVersion:	1.0.0.0
ProgramID:	SFX
FileDescription:	SFX
ProductName:	SFX


(PID) Process:	(5712) AUTORUN.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(5712) AUTORUN.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5712) AUTORUN.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5712) AUTORUN.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(652) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(652) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(652) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(652) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(652) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: C56FC2D23D822F00
(PID) Process:	(6176) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0

PID	Process	Filename		Type
4936	Adobe.Photoshop.2024.v25.12.0.806.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\Photoshop2024\install\products\Driver.xml		xml
		MD5:FB5264292396D6D189DDD27DECEC1EEB	SHA256:28117A4FA696937A7D8679DE6424302C5B30E9EC0D2871FA81AC5E18F4FD39CA
4936	Adobe.Photoshop.2024.v25.12.0.806.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\Photoshop2024\AUTORUN.exe		executable
		MD5:436EF80F3FBD36082A0633189FE9270C	SHA256:E08379158E5C4C7307D9F219319BF7F7337D07945A7EF41394FB8F70745B625A
4936	Adobe.Photoshop.2024.v25.12.0.806.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\Photoshop2024\AUTORUN.inf		binary
		MD5:BC852476E9D547A00708E7BA73D4B989	SHA256:520476A9BBA5CE51461F207BADB2B282446EA20DC0B7194E6DA0C5C217FDC816
4936	Adobe.Photoshop.2024.v25.12.0.806.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\Photoshop2024\install\ReleaseInformation_en.rtf		text
		MD5:3ED1B2C5EB3A30AF0D7B24B278E3AF6D	SHA256:A9D2F2DF722574A261143FB181E46F1044E23ED22AB01D44E91BDDEAC996944D
3860	Helper.exe	C:\Users\admin\AppData\Local\Temp\nscB37F.tmp\w10.7z		—
		MD5:—	SHA256:—
4936	Adobe.Photoshop.2024.v25.12.0.806.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\Photoshop2024\install\products\COCM\Application.json		binary
		MD5:D71C162294CFDF76B383DA29B201457C	SHA256:D1DED7B849F3E509836289FC58B6B4D3DFDC8243BBF9399F0EB003F662F2AD44
4936	Adobe.Photoshop.2024.v25.12.0.806.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\Photoshop2024\install\products\CORG\Application.json		binary
		MD5:BA939FFBFE2BA2EAB8F921AF4A3BA51F	SHA256:FC0F08404733E40055C4AB8411F53DEA3C3362AF0057D108D27286ED01EDEFE8
4936	Adobe.Photoshop.2024.v25.12.0.806.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\Photoshop2024\install\products\ACR\Application.json		binary
		MD5:110CD3BC4EF4805FD5BF1720929F9CDF	SHA256:9E725CF57BF291514E8FE7933979A56D822E25B08352D4ED12B7F05965A5D17B
4936	Adobe.Photoshop.2024.v25.12.0.806.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\Photoshop2024\install\config.ini		text
		MD5:96AF7D87FB75B6AF3E03B08B18AF4A54	SHA256:3C0E51CCB49EDFB65097622E8E6D6E8DBD7BCAD73C14D97033E67CE2DD759EDF
4936	Adobe.Photoshop.2024.v25.12.0.806.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\Photoshop2024\install\ReleaseInformation_ru.rtf		text
		MD5:2235F056F6A5D93302CA00C4DAE605D4	SHA256:563C4A098C4B7D9267E2E2B76AC47201EE32F9041921B1B36734165E3B30CE16

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	—
—	—	GET	304	13.107.21.239:443	https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist	unknown	—	—	—
—	—	GET	200	204.79.197.239:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	binary	1.75 Kb	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	11.9 Kb	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	735 b	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox	unknown	binary	584 b	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	43.1 Kb	whitelisted
—	—	GET	200	13.107.253.64:443	https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable	unknown	binary	13.2 Kb	whitelisted
—	—	GET	200	104.18.94.41:443	https://challenges.cloudflare.com/turnstile/v0/g/ec4b873d446c/api.js?onload=Jeuhg1&render=explicit	unknown	text	46.1 Kb	whitelisted
—	—	GET	200	104.18.95.41:443	https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/horid/0x4AAAAAAADnPIDROrmt1Wwj/light/fbE/normal/auto/	unknown	html	161 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2804	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6176	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
2804	msedge.exe	188.114.96.3:443	repack.me	—	—	whitelisted
2804	msedge.exe	204.79.197.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2804	msedge.exe	13.107.6.158:443	business.bing.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2804	msedge.exe	13.107.246.64:443	edge-mobile-static.azureedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.174	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
repack.me	188.114.96.3 188.114.97.3	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
business.bing.com	13.107.6.158	whitelisted
edge-mobile-static.azureedge.net	13.107.246.64	whitelisted
bzib.nelreports.net	23.48.23.26 23.48.23.51	whitelisted
www.bing.com	2.23.209.182 2.23.209.181 2.23.209.189 2.23.209.179 2.23.209.177 2.23.209.160 2.23.209.187 2.23.209.176 2.23.209.158 23.37.226.106 23.37.226.97 23.37.226.81 23.37.226.98 23.37.226.96 23.53.43.115 23.37.226.90 23.53.43.154 23.53.43.152 2.23.209.150 2.23.209.149	whitelisted
challenges.cloudflare.com	104.18.94.41 104.18.95.41	whitelisted

PID	Process	Class	Message
—	—	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Challenge-Platform Page Request to cdn-cgi
—	—	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Challenge-Platform Page Request to cdn-cgi
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
—	—	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Challenge-Platform Page Request to cdn-cgi
—	—	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Challenge-Platform Page Request to cdn-cgi

General Info

Adobe.Photoshop.2024.v25.12.0.806.exe

11FE9F05E080D90C3153E976D81D1893

F98250D248786CD93A8F3B0D7D9EC006B58D59D1

1632ACA41109AA44FEAEECF520F1260F839D509055C7D59FF80720A2392E4561

393216:2UHW2ce003GzbasoMuOX3Tehvr9F3fO25YXdxn6yTjQQKt4PpsJ:e2c/2GzbTN5XQ5Rz5YN19B7p6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Process drops legitimate windows executable

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

The process uses the downloaded file

Process checks computer location settings

Application launched itself

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings