Malware analysis AdobeCreativeCloudCleanerTool (1).exe Malicious activity

Add for printing

File name:	AdobeCreativeCloudCleanerTool (1).exe
Full analysis:	https://app.any.run/tasks/0f0eb72b-00a6-41af-89bf-6eceb8c7f1f4
Verdict:	Malicious activity
Analysis date:	June 04, 2025, 05:26:04
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (console) Intel 80386, for MS Windows, 5 sections
MD5:	EEAFB3CBA2DAF4306ADFF30D6B9BCF78
SHA1:	A3F74C99D18FAA3BDF70A99BCB13545706539B39
SHA256:	320F55221EBF96C547A515DDFA1907BD416F8B15628A3F63865045E762FA5A6E
SSDEEP:	98304:52/qgVM7Kyjnake23xp3E1SJqabwotqH39TA+PfgMVh9qyHJND0MZSyeDgI1cLZR:OInKD+uol1FFxa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - AdobeCreativeCloudCleanerTool (1).exe (PID: 6248)
  - ACToolMain.exe (PID: 4120)
- Process drops python dynamic module
  - ACToolMain.exe (PID: 4120)
- Application launched itself
  - ACToolMain.exe (PID: 4120)
- The process drops C-runtime libraries
  - ACToolMain.exe (PID: 4120)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 4628)
  - schtasks.exe (PID: 7304)
- Starts CMD.EXE for commands execution
  - ACToolMain.exe (PID: 3096)
- Uses TASKKILL.EXE to kill process
  - ACToolMain.exe (PID: 3096)
- Process drops legitimate windows executable
  - ACToolMain.exe (PID: 4120)
INFO
- Checks supported languages
  - AdobeCreativeCloudCleanerTool (1).exe (PID: 6248)
  - ACToolMain.exe (PID: 4120)
  - ACToolMain.exe (PID: 3096)
- The sample compiled with english language support
  - AdobeCreativeCloudCleanerTool (1).exe (PID: 6248)
  - ACToolMain.exe (PID: 4120)
- Creates files in the program directory
  - AdobeCreativeCloudCleanerTool (1).exe (PID: 6248)
- Create files in a temporary directory
  - ACToolMain.exe (PID: 4120)
  - ACToolMain.exe (PID: 3096)
- Reads the computer name
  - ACToolMain.exe (PID: 3096)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:03 06:00:44+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.24
CodeSize:	104448
InitializedDataSize:	8602112
UninitializedDataSize:	-
EntryPoint:	0xa48f
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	4.3.0.864
ProductVersionNumber:	4.3.0.864
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Adobe System Incorporated.
FileDescription:	Adobe Creative Cloud Cleaner Tool
FileVersion:	4.3.0.864
InternalName:	PackageI.exe
LegalCopyright:	© 2013-2017 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFileName:	PackageI.exe
ProductName:	Adobe Creative Cloud Cleaner Tool
ProductVersion:	4.3.0.864

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

139

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

516

C:\WINDOWS\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

—

ACToolMain.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1120

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

AdobeCreativeCloudCleanerTool (1).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2392

cmdkey /list

C:\Windows\SysWOW64\cmdkey.exe

—

ACToolMain.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Credential Manager Command Line Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmdkey.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3096

"C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe"

C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe

—

ACToolMain.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

HIGH

Description:

Adobe Creative Cloud Cleaner Tool

Exit code:

Version:

4.3.0.864

Modules

Images
c:\program files (x86)\common files\adobe\adobecreativecloudcleanertool\actoolmain.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

4120

"C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe"

C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe

AdobeCreativeCloudCleanerTool (1).exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

HIGH

Description:

Adobe Creative Cloud Cleaner Tool

Exit code:

Version:

4.3.0.864

Modules

Images
c:\program files (x86)\common files\adobe\adobecreativecloudcleanertool\actoolmain.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

4628

schtasks /delete /TN "AdobeAAMUpdater-1.0-DESKTOP-JGLLJLD-admin" /F

C:\Windows\SysWOW64\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6248

"C:\Users\admin\AppData\Local\Temp\AdobeCreativeCloudCleanerTool (1).exe"

C:\Users\admin\AppData\Local\Temp\AdobeCreativeCloudCleanerTool (1).exe

explorer.exe

User:

admin

Company:

Adobe System Incorporated.

Integrity Level:

HIGH

Description:

Adobe Creative Cloud Cleaner Tool

Exit code:

Version:

4.3.0.864

Modules

Images
c:\users\admin\appdata\local\temp\adobecreativecloudcleanertool (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

6300

"C:\Users\admin\AppData\Local\Temp\AdobeCreativeCloudCleanerTool (1).exe"

C:\Users\admin\AppData\Local\Temp\AdobeCreativeCloudCleanerTool (1).exe

—

explorer.exe

User:

admin

Company:

Adobe System Incorporated.

Integrity Level:

MEDIUM

Description:

Adobe Creative Cloud Cleaner Tool

Exit code:

3221226540

Version:

4.3.0.864

Modules

Images
c:\users\admin\appdata\local\temp\adobecreativecloudcleanertool (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6368

C:\WINDOWS\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

—

ACToolMain.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

7184

C:\WINDOWS\system32\cmd.exe /c schtasks /delete /TN "AdobeAAMUpdater-1.0-DESKTOP-JGLLJLD-admin" /F

C:\Windows\SysWOW64\cmd.exe

—

ACToolMain.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

586

Read events

584

Write events

Delete events

Modification events


(PID) Process:	(3096) ACToolMain.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	AdobeAAMUpdater-1.0
Value:
(PID) Process:	(3096) ACToolMain.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	ADOBE_UPDATER_STARTUP_UTILITY
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6248	AdobeCreativeCloudCleanerTool (1).exe	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ProdInstallList.xml		—
		MD5:—	SHA256:—
6248	AdobeCreativeCloudCleanerTool (1).exe	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe		executable
		MD5:8CF0C4AFDF5A6753926288F51DB8790B	SHA256:8E222FFD1A2AC4370006CA54083D9A83FEBAFB0BAC3DC91B4B3B6A390B7EDF51
6248	AdobeCreativeCloudCleanerTool (1).exe	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\CleanUpRMDIR.exe		executable
		MD5:9E93BE49110B1EF8F4CD29D243DDEEB1	SHA256:F6E4F95F9C2E0D53FEEB7562993150AC78C3AAFC991CA68F9E5E36B44BDEF5B2
6248	AdobeCreativeCloudCleanerTool (1).exe	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\en_US.txt		text
		MD5:30CD177A4424D4229D8A1FB25A6B1E28	SHA256:388EC8C0E2524F39C04BD9EEFCB8A9F54BE1B84A7F48C6CDCAC26EF4FCB476B8
6248	AdobeCreativeCloudCleanerTool (1).exe	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\CS4CleanUpAddition.exe		executable
		MD5:DD6FAAE1BDC27BAB4D894B219A0DC2D9	SHA256:B8CD1DF2BAD56DF025FF46A48F66BA604848C1901C529F9A9FD11E6F75E67EE4
6248	AdobeCreativeCloudCleanerTool (1).exe	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\adbcl.exe		executable
		MD5:3F976EE680AD2BB4921CCFE699A3E585	SHA256:461E25E3F3B1EAB099B08A044903C7814FF23D0D82E834D3168EB10CAD52C5AC
6248	AdobeCreativeCloudCleanerTool (1).exe	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\HFCLib.dll		executable
		MD5:72961E8EC399C9BE327065439C52D2F5	SHA256:3FAE19585E51DFFE47DF89D73A1E8288A055B51A57AB53A23299FADC7434D883
4120	ACToolMain.exe	C:\Users\admin\AppData\Local\Temp\_MEI41202\_ssl.pyd		executable
		MD5:7D80DD91EB753E79E080EF2F2412AAC6	SHA256:E219AF4F7F2277AA08207675013EB47D723B7073BAEA584C871AE77195A274F3
4120	ACToolMain.exe	C:\Users\admin\AppData\Local\Temp\_MEI41202\unicodedata.pyd		executable
		MD5:822EA0B194D6013647922D60606544EE	SHA256:34F96CF856C494B632F94D2DBBF4D3EB64AB5EE15702AD39B2629852C7A4323E
4120	ACToolMain.exe	C:\Users\admin\AppData\Local\Temp\_MEI41202\_win32sysloader.pyd		executable
		MD5:76581A2EA6438493650C8D762978FA56	SHA256:A7EE2A35245234F9033DB717BFF0B0B5FB8EF7A198505FF868DA362EFC56BA50

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7636	svchost.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7636	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7348	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7348	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
7736	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7636	svchost.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7636	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7636	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	20.190.160.132:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.185.78	whitelisted
crl.microsoft.com	23.216.77.42 23.216.77.6	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
login.live.com	20.190.160.132 20.190.160.22 40.126.32.138 20.190.160.128 40.126.32.133 40.126.32.72 20.190.160.5 20.190.160.67	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

AdobeCreativeCloudCleanerTool (1).exe

EEAFB3CBA2DAF4306ADFF30D6B9BCF78

A3F74C99D18FAA3BDF70A99BCB13545706539B39

320F55221EBF96C547A515DDFA1907BD416F8B15628A3F63865045E762FA5A6E

98304:52/qgVM7Kyjnake23xp3E1SJqabwotqH39TA+PfgMVh9qyHJND0MZSyeDgI1cLZR:OInKD+uol1FFxa

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Process drops python dynamic module

Application launched itself

The process drops C-runtime libraries

Deletes scheduled task without confirmation

Starts CMD.EXE for commands execution

Uses TASKKILL.EXE to kill process

Process drops legitimate windows executable

INFO

Checks supported languages

The sample compiled with english language support

Creates files in the program directory

Create files in a temporary directory

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings