Malware analysis Acrobat_Set-Up.exe Malicious activity

Add for printing

File name:	Acrobat_Set-Up.exe
Full analysis:	https://app.any.run/tasks/336a9202-96b6-4e08-8e2c-46deceda8088
Verdict:	Malicious activity
Analysis date:	April 19, 2025, 10:29:17
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	upx arch-scr
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:	23B017085AF8E33A627CCDF1911EF50C
SHA1:	C534DE12205923310D7332D9709ABCE303C14807
SHA256:	22E3E05647003403D3D17E9979D77BFC297AE52E92CE598F541F9338826B0648
SSDEEP:	98304:u4lTUghYoYfNMFMgF7DyCFKPrtTCKm8zgiXb7r+cIYYVx3X+D2Flokb5DN3Zv5na:pnFpk3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads Microsoft Outlook installation path
  - Acrobat_Set-Up.exe (PID: 7280)
- Application launched itself
  - Acrobat_Set-Up.exe (PID: 7280)
- Starts CMD.EXE for commands execution
  - Acrobat_Set-Up.exe (PID: 7280)
- Adds/modifies Windows certificates
  - Acrobat_Set-Up.exe (PID: 7280)
- Reads Internet Explorer settings
  - Acrobat_Set-Up.exe (PID: 7280)
- Reads security settings of Internet Explorer
  - Acrobat_Set-Up.exe (PID: 7280)
INFO
- The sample compiled with english language support
  - Acrobat_Set-Up.exe (PID: 7280)
  - firefox.exe (PID: 5596)
- Reads the machine GUID from the registry
  - Acrobat_Set-Up.exe (PID: 7280)
- Process checks whether UAC notifications are on
  - Acrobat_Set-Up.exe (PID: 7280)
- Create files in a temporary directory
  - Acrobat_Set-Up.exe (PID: 7280)
  - Acrobat_Set-Up.exe (PID: 1452)
- Checks proxy server information
  - Acrobat_Set-Up.exe (PID: 7280)
  - slui.exe (PID: 4944)
  - Acrobat_Set-Up.exe (PID: 1452)
- Reads CPU info
  - Acrobat_Set-Up.exe (PID: 1452)
  - Acrobat_Set-Up.exe (PID: 7280)
- Creates files or folders in the user directory
  - Acrobat_Set-Up.exe (PID: 7280)
  - Acrobat_Set-Up.exe (PID: 1452)
- Reads the software policy settings
  - slui.exe (PID: 7696)
  - slui.exe (PID: 4944)
  - Acrobat_Set-Up.exe (PID: 1452)
  - Acrobat_Set-Up.exe (PID: 7280)
- UPX packer has been detected
  - Acrobat_Set-Up.exe (PID: 7280)
  - Acrobat_Set-Up.exe (PID: 1452)
- Process checks computer location settings
  - Acrobat_Set-Up.exe (PID: 7280)
- Checks supported languages
  - Acrobat_Set-Up.exe (PID: 1452)
  - Acrobat_Set-Up.exe (PID: 7280)
- Reads the computer name
  - Acrobat_Set-Up.exe (PID: 1452)
  - Acrobat_Set-Up.exe (PID: 7280)
- Application launched itself
  - firefox.exe (PID: 7860)
  - firefox.exe (PID: 5364)
  - firefox.exe (PID: 7356)
  - firefox.exe (PID: 5596)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 5596)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (43.5)
.exe	\|	Win32 EXE Yoda's Crypter (42.7)
.exe	\|	Win32 Executable (generic) (7.2)
.exe	\|	Generic Win/DOS Executable (3.2)
.exe	\|	DOS Executable Generic (3.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:02:03 15:43:40+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.33
CodeSize:	3289088
InitializedDataSize:	45056
UninitializedDataSize:	7741440
EntryPoint:	0xa85250
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	2.14.0.35
ProductVersionNumber:	2.14.0.35
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Adobe Inc.
FileDescription:	Adobe Installer
FileVersion:	2.14.0.35
InternalName:	Adobe Installer
LegalCopyright:	© 2015-2024 Adobe. All rights reserved.
OriginalFileName:	Adobe Installer
ProductName:	Adobe Installer
ProductVersion:	2.14.0.35

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

171

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

720

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4964 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab3ba6eb-e3f1-444c-a7de-299ea664a4aa} 7356 "\\.\pipe\gecko-crash-server-pipe.7356" 22fb824c510 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll

732

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 5 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 31144 -prefMapSize 244583 -jsInitHandle 1568 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0724dc2e-a4bf-467c-b5d3-65e81afc21ae} 7356 "\\.\pipe\gecko-crash-server-pipe.7356" 22fb650af50 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll

780

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 8 -isForBrowser -prefsHandle 5620 -prefMapHandle 5616 -prefsLen 28920 -prefMapSize 240426 -jsInitHandle 1324 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e825dbac-3bc1-41f1-9af8-7d41748c60e2} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 23d4b0c9d90 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll

1452

"C:\Users\admin\AppData\Local\Temp\Acrobat_Set-Up.exe" --pipename={9D4137E7-170C-417B-AB1D-11A2CB092CBD} --pid=7280 --locale=en_US --webviewType=1

C:\Users\admin\AppData\Local\Temp\Acrobat_Set-Up.exe

Acrobat_Set-Up.exe

User:

admin

Company:

Adobe Inc.

Integrity Level:

HIGH

Description:

Adobe Installer

Exit code:

Version:

2.14.0.35

Modules

Images
c:\users\admin\appdata\local\temp\acrobat_set-up.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

1628

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3336 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3292 -prefsLen 21575 -prefMapSize 240426 -jsInitHandle 1324 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e34fef27-15a5-466e-a1c0-c95feb13040f} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 23d4397a850 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll

3676

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4572 -childID 5 -isForBrowser -prefsHandle 4516 -prefMapHandle 4336 -prefsLen 23233 -prefMapSize 240426 -jsInitHandle 1324 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6008a41d-d728-4ba0-9a77-af23c33d4290} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 23d47e89f50 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll

3784

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240213221259 -prefsHandle 2028 -prefMapHandle 2016 -prefsLen 19989 -prefMapSize 240426 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdc94c76-76d7-4eb4-9634-2854e0186e86} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 23d33b84710 socket

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3896

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5128 -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 4264 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1568 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccca4e96-eb62-4782-a8a1-f0f296182b01} 7356 "\\.\pipe\gecko-crash-server-pipe.7356" 22fb832fa10 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140_1.dll

4628

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 3 -isForBrowser -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 23576 -prefMapSize 240426 -jsInitHandle 1324 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c71272de-9246-40b7-8ab2-59575abc7470} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 23d472ad850 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll

4932

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 7 -isForBrowser -prefsHandle 4580 -prefMapHandle 4628 -prefsLen 28920 -prefMapSize 240426 -jsInitHandle 1324 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a18f6e11-a271-4858-9235-41a1bf4cf2e8} 5596 "\\.\pipe\gecko-crash-server-pipe.5596" 23d464b8150 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll

Add for printing

Total events

35 519

Read events

35 491

Write events

Delete events

Modification events


(PID) Process:	(7280) Acrobat_Set-Up.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7280) Acrobat_Set-Up.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7280) Acrobat_Set-Up.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7280) Acrobat_Set-Up.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\AdobeCertStore\Certificates
Operation:	delete value	Name:	686DF0A4A89F7CB6BFB4D33C6A48E2EE5FB6C4FB
Value:
(PID) Process:	(7280) Acrobat_Set-Up.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\AdobeCertStore\Certificates\686DF0A4A89F7CB6BFB4D33C6A48E2EE5FB6C4FB
Operation:	write	Name:	Blob
Value: 030000000100000014000000686DF0A4A89F7CB6BFB4D33C6A48E2EE5FB6C4FB2000000001000000C3050000308205BF308203A7A003020102020401CFBD1C300D06092A864886F70D01010D050030818E310B30090603550406130255533113301106035504080C0A43616C69666F726E69613111300F06035504070C0853616E204A6F736531163014060355040A0C0D41646F62652053797374656D7331193017060355040B0C10436C6F756420546563686E6F6C6F67793124302206035504030C1B41646F626520496E7465726D6564696174652043412031302D3139301E170D3233303830373135313132375A170D3330303830353135313132355A308191310B30090603550406130255533113301106035504080C0A43616C69666F726E69613111300F06035504070C0853616E204A6F736531163014060355040A0C0D41646F62652053797374656D7331193017060355040B0C10436C6F756420546563686E6F6C6F67793127302506035504030C1E41646F626520436F6E74656E742043657274696669636174652031302D3830820222300D06092A864886F70D01010105000382020F003082020A0282020100D119F9B8D2D41D892ABF9F1F3CD1F947141B9867E9BE6D96E479C74C87E42F61F5B927BCCB7CAEBE27B26465B8E2F1118C2041980B88D7F559B8F9D041110E19F29CE5033FE9B8184D47982257E97D1B62744521BC329A7861A2376EEB8F3248EB031A7B43B1F22174FCC3C642033770137CAD8329B240970127EDD3030D9A69AF242FC7405B5867D0F5950BB0B79F702E84180EE43CA21F46ADCE07AD014F5CFD7BE25E735EB0431889BCCE40A4E94791FCA5A65DA24838D189B85218C9961EB1BCE8DB4CB2FFC7A2C3419788E68098350CACC6AA61DFB3D8476454927F9AB767037A84ED4E39862B3F386A065B169403259617150679E34AF188035D8BEBD9F4F22544CBF81F0D0516799D39A17A56C12E5C151945D65084367647C6F6A78ADE46F7BCC0B8ACA7D8ABFE3EB34AB2D1FB7800A98DA86C8DA956B267E309634D55FF7F6570F9B926BD602D4A94E77C662D1479C576B972D87BB35EA634B5F676774D40E04A0A908948C269C7DC71778ED5D15D9B8F4519EE858BC273A49AFC7A206AFD97286716B832E64154A074305D7BBCB7F2205017D1ED5CA6E42EDC6D35FABC88DD188028B15E5AA5296E12C03486A80A6E3CB0C001E4742B1EDF02FA70C2EBDCBEC606480054FC467729E99D1EB80BEE04B36FB17C722068079146FDE54B06C3EC5C4BAFAF113D2000EF36AEBE8454560E81D0CF982A798BAE3C39CD430203010001A320301E300E0603551D0F0101FF040403020780300C0603551D130101FF04023000300D06092A864886F70D01010D050003820201006BF0137EE63D74F0DF4EE19376625AC33574898A025B764E9BD69F8C7D9FA1C7F9B58F0355F206CAB84927D626275A8FD0D1C6A3B9A7811B361A68523AD86199EC1188922CE525246BFEF1B4DD23EB5B8EE0894D4495CEB1C0F27BCA3812C7C02432F9A693C7A331C53162A76C687C0FF60B31389A0E11F9DA1FD8CEAE91FF671222083643E0A7C0B97F170AB051856AB58C8B3278D16753CFAAC05CEC9A08C0FCC2E993AAEA79225D70E9EC8BFB53C93BE8915B2026A35BF05D3C9E5E417FABC5648D9FD8F153E8787F1E3CDD637FE2ABD8C8A5D1C9171C342E588A77FF2739DC6B88C79DC933DEDF535C496BA652A184B6B65B831AA7706251494108D58F8565624E37A343696F2E42C029333DAB8B1A9E34BDA64B58546906E9BD3F0D67F3CB830E8B6BF3B01F653C938DA93B53A6878A14FE75550B546D580FA40F0E6E6FAC25113513F48C9FC79B27689B906AFD59D11ABBDF4FDE466D2A93431606DB3938D9E9F7505D1A0CD91E4F116A2F3E1837BA0C1AB0CC74724916A65D9B2C09B00EEF96BDA7156F789449923371B5AAC2A6728B0B3E71AC656EBC820BAD65977CEBAF56611C8D322C78AF95C5DC1C2E56D95ECA6EFB5664010860DD6C82FAF60A9CD493EECC6B013449633928D96BB0D38F28F838564DB989958ECFD5325FA51F8EC4148545C5A94705BEB7200B427F978959CC7A031FE58F7E2F42AD48E3BB82
(PID) Process:	(7280) Acrobat_Set-Up.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\AdobeCertStore\Certificates
Operation:	delete value	Name:	85E2C5B0D9CFF505363FA62A5E8B8C1D76A60B46
Value:
(PID) Process:	(7280) Acrobat_Set-Up.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\AdobeCertStore\Certificates\85E2C5B0D9CFF505363FA62A5E8B8C1D76A60B46
Operation:	write	Name:	Blob
Value: 03000000010000001400000085E2C5B0D9CFF505363FA62A5E8B8C1D76A60B462000000001000000BC050000308205B8308203A0A003020102020426C66CD0300D06092A864886F70D01010D0500308185310B30090603550406130255533113301106035504080C0A43616C69666F726E69613111300F06035504070C0853616E204A6F736531163014060355040A0C0D41646F62652053797374656D7331193017060355040B0C10436C6F756420546563686E6F6C6F6779311B301906035504030C1241646F626520526F6F742043412031302D333020170D3138303831373137333831395A180F32303638303830343137333831395A30818E310B30090603550406130255533113301106035504080C0A43616C69666F726E69613111300F06035504070C0853616E204A6F736531163014060355040A0C0D41646F62652053797374656D7331193017060355040B0C10436C6F756420546563686E6F6C6F67793124302206035504030C1B41646F626520496E7465726D6564696174652043412031302D313930820222300D06092A864886F70D01010105000382020F003082020A0282020100B533B875034A0E7563110700E026D838B4ED1369EE54D6DB09EBF764A4778EF8A7DC7DFBA9386A78E61BE8FF8722D2CA1535CC02C111F9FAE54FDC09698D22D9D936B3133AAB757B596A1C093CF3559F351D3F10DC44FB0F9787E1F685E83DC775C74D0E563F1509071A1D4BCD919D0B9EBAF925867A85E7E5B9B13040760DFBE2A9BD70E028963DD69631E9CF2F5CA3A6634AC8BFE2DAE5CDE9DF35E935B4F88A17FC78786052BADF6E5A378E34A16D16EC7EEB69BF0917FD7210AE129AE2B5F3473E28EA73E25E81176229F0AD99B74069CF6C30413AB85D86F7FEC519E01806A928CF2E5EA9C9AAE9F57A60401E76313FD017BBE23541B455DA6C7D49E39F6B451A67EA2160056781067C489526D297410AC05E87FBECA66D75BDA1EAEEC9652891598957F4C19FB53EC491B1D600D1AD75D7C164D613BA6CE275682F44399515C247D11D72DC440FD800225A13AE8D16494EAA9F1F82120D2F51243683D2AA62CDCF5BE075720B7D566EADB5E46EE3299B43296A49BF3FBE2E672E72E42E7918E608466028DE4F215CD362CFD921200FF946168717D09AF99095950812F5A4DE4073E2C5697A318B9EB51A585A36E74DBD8FB7277C8AEB7DDD42FFBEB32C181F9EDADDC1480B95F16E7EA37D0DAB3F2F5009D570AA4624B66A7017C75F1CAA7C544E15DEF0C6E6CF6A4F26312B68F633B7A5A4203C97E77A32141E7CF4970203010001A3233021300E0603551D0F0101FF040403020204300F0603551D130101FF040530030101FF300D06092A864886F70D01010D050003820201005BD66C82CA184490136B886EF3B5F5B6866768C8CFD13F701025AEB8DC8B7B4539C071032663327F1B55D773E062EA01551038BC12895B4A760A23EC0EF1E24C1D25649B12DAD880B576A952BA1F9D1ED0C5BDF45E8A9F9465C091E22FF7165912FBA642B3E2979897339AB2AE511615D3E20B27E3E60E13FE188C7C7119F14029CCFAF1E9FEF5C7E53CE1C0D1CFCB8507131C446AF5B7F67B701E1EE4151CADD14048737CF0EC86F8964D75B8509BF07A984441641622568D5EA1B9124101DB76C578BEE86ACDB651A90B5C3ABDAB541F3A41E82CBFC0D30319E1975924540A71E8D1A3603CAADE3CEFCF0B362B62FA09EFE97827276B0B79F58553136C89AA72A9F3F7FDAA87E5789978ABE6AF28C04F7D673954594329ACE012159C5EE6B2CB43B55F507E0E0F68233E8A3C6FE13A2CB23B4F38DDECAEAE21E99BD6E152793AD59B8286256EDE041654CB8A7C069D773868F8BDDEA44FCCDCFC4C0CFEC6F9357093024D88519A40BDB3B77B0988051418FCBA0A67C5CAABC66F21D094E5D612DD7F951291892A4F8EF35EFDB2C9D940FCBDDFDB75D19B1B215A36DEC147C9D716BB4A06047E90D0D0FAD64A56F24A6B650843D5CDD2ABA7E8894B4693D775AEBC8D65063D1813B0BE5C9C6357C43BE7AEA9B3B6021935ACC2B8F38746AEAB5EAA06F447BE0CFFF20B38811E273023CD035F14AD3A7BABEE646909282CC3EF
(PID) Process:	(7280) Acrobat_Set-Up.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\AdobeCertStore\Certificates
Operation:	delete value	Name:	4C7C2E87F0BC79A039D39B05F899A1CC521FDE99
Value:
(PID) Process:	(7280) Acrobat_Set-Up.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\AdobeCertStore\Certificates\4C7C2E87F0BC79A039D39B05F899A1CC521FDE99
Operation:	write	Name:	Blob
Value: 0300000001000000140000004C7C2E87F0BC79A039D39B05F899A1CC521FDE992000000001000000C3050000308205BF308203A7A00302010202046E271780300D06092A864886F70D01010D050030818E310B30090603550406130255533113301106035504080C0A43616C69666F726E69613111300F06035504070C0853616E204A6F736531163014060355040A0C0D41646F62652053797374656D7331193017060355040B0C10436C6F756420546563686E6F6C6F67793124302206035504030C1B41646F626520496E7465726D6564696174652043412031302D3135301E170D3233303830373133343834335A170D3330303830353133343834315A308191310B30090603550406130255533113301106035504080C0A43616C69666F726E69613111300F06035504070C0853616E204A6F736531163014060355040A0C0D41646F62652053797374656D7331193017060355040B0C10436C6F756420546563686E6F6C6F67793127302506035504030C1E41646F626520436F6E74656E742043657274696669636174652031302D3730820222300D06092A864886F70D01010105000382020F003082020A0282020100AD280D5CFB35F4129A580996209E83CD117CAB917F7F8B85E353C39899FA07BC7050077DB622FE4B43C477C0ABB8325A1EE90F76416E2AF5CB76ED9CCEC153694C6ADD14358E1C5C45D32DB721654781BA134E981AE3B21D56FE739AFD397DB8101FA65554AD67D9B808D45487D9913BD7CF30E094A948546DA75F51395AB7B0F122244976683D87CE6797AAEA3D5EE468553FC658B2B9530E33E2AA418950458D4147270F8773E3D93DA7DF6A1E8F58E439218236D110A658BF5037260D3F596E1F06B9E963F758ECA3F99FAA454640628E3BC66C16E914AAD9BEA5A47F954CA0FF73CF4237E8545E5E82F66795493508A6852F4564EF44DBB31B23C27D6DCC54E749094BB404073ED05AB6BF54AFADEC8EA7B58CE2D935C4B0EC8A054BEF86CEBFD63FAAB8FAE41104E8BDAF1F3F2474D78E050C8F33510C80ABBA83C0DA198107E47B40CD119B71827A510AE65E9B97D5E617B397CF517CFECBC47A890BBC350C5B631A50F254151D4D84CD512E0F57241E10B1BD1569287A900D4BF4A23532556266BC1C8B1014972F126B20A2E2E7DB73774EB822669FC2BCF56D817EE3F5D20F9B029EC62D377D5328000CE5D921C965337C500416A6C3E828ED27AD8ED370F8B9035C322CE75ED6DE25002E363475F95E24AD6E30B9350EB2934A431BF09C8B4DF073213FD6393192D796022B4275A73E5B4A2BF3B226D6A537E96C450203010001A320301E300E0603551D0F0101FF040403020780300C0603551D130101FF04023000300D06092A864886F70D01010D05000382020100315188A437CB6A526AB679D888EF1051EA301191B36FF818D3E7E1B8CBC8E1C078FC058E0D7BD61B11FD8EFEF27B411C3F494F6734C286008FFB39D2EECF012929913628C5B160F6CA24FAB63068FC48CB91293FC302F3D16F5DE8DBDFE3A57ABCA9A081C4CFA82FA3E06F36A318251A351C5E08FE4F4A286D1EBB4BF87278F7E54FAF53E1B37148F19F210136C5F3B5981A89A3AAF8351490555D001AEE6C9AB2BD27CC13D162EF6314C47FCE2C668E16ED641D2B6871EF3B0AFBC8E5E2B93D775049061496057A361C2CD1ED7CBDADD143A0F114E9D5066C6E2F2BFD771B44C8979CF0F094D2D89E104C935EF362EABCCCDA4559BB33E640B3C1920CF314688FDC639665E8E81F6B9312516D937A6DB751FD39E044271432D0E83BFCB5E8DF5CBE2A7C15E272E09AA96F939AC7B6655FCFE91E59474B3A4CECF12490CB1F3AA2A80AE53CBE867CCAEFF9CA84D487BF438F4213B253148FF8BE54CAEE1E4AA157353F707A966F946E89A8FC8964849EB948BD54B2B2E6D1DD85BA7DF45208206472A5AA93860C5EE8F6460739EA3231EC590F09602FF29F09ECEDBDBD635CB42670C8288B3F051DD6C393240D0A668B9A2C20BD70F182CE58D152089385AB717C7C624826EC39424050AD45048927D2E771BE6F6693055589F3612DF47C206D6AE8600F9D60F7AEBC5567458D8A423B76D6082AB213FFF88584909E76B458AB
(PID) Process:	(7280) Acrobat_Set-Up.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\AdobeCertStore\Certificates
Operation:	delete value	Name:	A5C8D928986EC17FCC7D5F2353885D1709B73A29
Value:

Add for printing

Executable files

Suspicious files

394

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7280	Acrobat_Set-Up.exe	C:\Users\admin\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\meta_events\d8821f2b-73e7-4359-b03b-60a8f4dea2a5		—
		MD5:—	SHA256:—
7280	Acrobat_Set-Up.exe	C:\Users\admin\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\anon_events\fb1f4c05-b26a-4cd9-a73e-edad6060e35a		—
		MD5:—	SHA256:—
7280	Acrobat_Set-Up.exe	C:\Users\admin\AppData\Local\Temp\CreativeCloud\ACC\WAM.log		text
		MD5:F3B25701FE362EC84616A93A45CE9998	SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
7280	Acrobat_Set-Up.exe	C:\Users\admin\AppData\Local\Temp\{8DA70C31-6F81-4854-A7EC-580635E79DC3}\index.html		html
		MD5:A28AB17B18FF254173DFEEF03245EFD0	SHA256:886C0AB69E6E9D9D5B5909451640EA587ACCFCDF11B8369CAD8542D1626AC375
7280	Acrobat_Set-Up.exe	C:\Users\admin\AppData\Local\Temp\{8DA70C31-6F81-4854-A7EC-580635E79DC3}\index.css		text
		MD5:4CEDE05AD3C27ADA493516D8B3F624E4	SHA256:A388389E33EBB569D5E4BFF4A87223CA0E540D5670127BB2E7ECB01207D34B61
7280	Acrobat_Set-Up.exe	C:\Users\admin\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\meta_events\manifest		binary
		MD5:45971D4E3A47775BB5A7260BB5EA3C36	SHA256:81C611F35BFF79491538B2F7CF201C7597A661A5C549633541C62BDC8AF1613F
7280	Acrobat_Set-Up.exe	C:\Users\admin\AppData\Local\Temp\datB895.tmp		binary
		MD5:D070306A9062178AFDFA98FCC06D2525	SHA256:8F5CCDFD3DA9185D4AD262EC386EBB64B3EB6C0521EC5BD1662CEC04E1E0F895
7280	Acrobat_Set-Up.exe	C:\Users\admin\AppData\Local\Temp\Adobe\com.adobe.dunamis\dunamis-2025-04-19_10-29-23.log		text
		MD5:638C388C16FF37078B36520923DF8845	SHA256:C81F7A3FD7EB292E708CDAE401E79F1181E392F75360D10E4A1EEE565E871DF4
7280	Acrobat_Set-Up.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:9FFAD5B0F8CAF9584ED679265076FCD6	SHA256:E6D13DBD555FA10CC00C626C7E5FB94130FDEE336509EFD584B2EF34101D0513
1452	Acrobat_Set-Up.exe	C:\Users\admin\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\1\meta_events\db13f98a-eafd-4c1e-b1af-4d5b300eb124		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

163

DNS requests

243

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	84.53.175.17:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7020	SIHClient.exe	GET	200	23.200.189.225:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7280	Acrobat_Set-Up.exe	GET	200	104.78.173.167:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAmKLzE6ssKc1CsGKg5Geww%3D	unknown	—	—	whitelisted
7280	Acrobat_Set-Up.exe	GET	200	104.78.173.167:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D	unknown	—	—	whitelisted
7020	SIHClient.exe	GET	200	23.200.189.225:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7356	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
7356	firefox.exe	POST	200	104.78.173.167:80	http://ocsp.digicert.com/	unknown	—	—	whitelisted
5332	RUXIMICS.exe	GET	200	84.53.175.17:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	84.53.175.17:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7280	Acrobat_Set-Up.exe	GET	200	104.78.173.167:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5332	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	84.53.175.17:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5496	MoUsoCoreWorker.exe	84.53.175.17:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5332	RUXIMICS.exe	84.53.175.17:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
7280	Acrobat_Set-Up.exe	104.78.173.167:80	ocsp.digicert.com	AKAMAI-AS	GB	whitelisted
7280	Acrobat_Set-Up.exe	18.65.39.7:443	client.messaging.adobe.com	AMAZON-02	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	216.58.214.14	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
crl.microsoft.com	84.53.175.17	whitelisted
p13n.adobe.io	—	whitelisted
cc-api-data.adobe.io	34.252.184.159	whitelisted
cdn-ffc.oobesaas.adobe.com	18.239.18.109	whitelisted
ocsp.digicert.com	104.78.173.167	whitelisted
client.messaging.adobe.com	18.65.39.7	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	—	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Acrobat_Set-Up.exe

23B017085AF8E33A627CCDF1911EF50C

C534DE12205923310D7332D9709ABCE303C14807

22E3E05647003403D3D17E9979D77BFC297AE52E92CE598F541F9338826B0648

98304:u4lTUghYoYfNMFMgF7DyCFKPrtTCKm8zgiXb7r+cIYYVx3X+D2Flokb5DN3Zv5na:pnFpk3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads Microsoft Outlook installation path

Application launched itself

Starts CMD.EXE for commands execution

Adds/modifies Windows certificates

Reads Internet Explorer settings

Reads security settings of Internet Explorer

INFO

The sample compiled with english language support

Reads the machine GUID from the registry

Process checks whether UAC notifications are on

Create files in a temporary directory

Checks proxy server information

Reads CPU info

Creates files or folders in the user directory

Reads the software policy settings

UPX packer has been detected

Process checks computer location settings

Checks supported languages

Reads the computer name

Application launched itself

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings