File name: | bt-ddl.exe |
Full analysis: | https://app.any.run/tasks/a8f75484-0e0f-4da9-bab7-b088692105ce |
Verdict: | Malicious activity |
Analysis date: | November 30, 2020, 00:15:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | MS-DOS executable, MZ for MS-DOS |
MD5: | 0CCA673D5DDB45871D05F6A733059E56 |
SHA1: | 77F250C949E5F7D3E7BA33968C74428740FA1031 |
SHA256: | 6C121282C56F9C651FA0C56C9B495B55CD56F7A9F02E4E6F7324735C230DBD71 |
SSDEEP: | 24576:XhQMSJvM7f824wEvwLAj1TXt3l9L4Qy44Dx+fGjNE938:N/hU1BlqVRNE9M |
.exe | | | Win32 Executable (generic) (52.9) |
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2014:07:26 18:04:19+02:00 |
PEType: | PE32 |
LinkerVersion: | 9 |
CodeSize: | 477696 |
InitializedDataSize: | 272384 |
UninitializedDataSize: | 670720 |
EntryPoint: | 0xa4071 |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
FileVersionNumber: | 3.5.4.26 |
ProductVersionNumber: | 2.0.2.13 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Windows, Latin1 |
CompanyName: | Adobe |
FileDescription: | Adobe Installation Helper |
FileVersion: | 3.5.4.26 |
InternalName: | host.exe |
LegalCopyright: | Copyright © Adobe Systems Incorporated |
OriginalFileName: | host.exe |
ProductName: | Adobe Installation Helper |
ProductVersion: | 2.0.2.13 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 26-Jul-2014 16:04:19 |
Detected languages: | |
CompanyName: | Adobe |
FileDescription: | Adobe Installation Helper |
FileVersion: | 3.5.4.26 |
InternalName: | host.exe |
LegalCopyright: | Copyright © Adobe Systems Incorporated |
OriginalFilename: | host.exe |
ProductName: | Adobe Installation Helper |
ProductVersion: | 2.0.2.13 |
Magic number: | MZ |
Bytes on last page of file: | 0x0040 |
Pages in file: | 0x0001 |
Relocations: | 0x0000 |
Size of header: | 0x0002 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0xB400 |
OEM information: | 0xCD09 |
Address of NE header: | 0x00000040 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 26-Jul-2014 16:04:19 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.MPRESS1 | 0x00001000 | 0x000A3000 | 0x00033400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99914 |
.MPRESS2\xdb\x0b | 0x000A4000 | 0x00000BDB | 0x00000C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.99777 |
.rsrc | 0x000A5000 | 0x0000E75C | 0x0000E800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.15781 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.18054 | 1167 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.96398 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 4.24411 | 1384 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 2.1281 | 7336 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 2.14203 | 3240 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 2.36423 | 872 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 2.23335 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 2.30773 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 2.67423 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
10 | 4.87994 | 3752 | UNKNOWN | English - United States | RT_ICON |
KERNEL32.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2180 | "C:\Users\admin\AppData\Local\Temp\bt-ddl.exe" | C:\Users\admin\AppData\Local\Temp\bt-ddl.exe | — | explorer.exe |
User: admin; Company: Adobe; Integrity Level: MEDIUM; Description: Adobe Installation Helper; Exit code: 0; Version: 3.5.4.26 | | | | |
2992 | "C:\Users\admin\AppData\Local\Temp\bt-ddl.exe" -Elevated | C:\Users\admin\AppData\Local\Temp\bt-ddl.exe | | bt-ddl.exe |
User: admin; Company: Adobe; Integrity Level: HIGH; Description: Adobe Installation Helper; Version: 3.5.4.26 | | | | |
3264 | "C:\Program Files\Internet Explorer\iexplore.exe" https://get.adobe.com/flashplayer/completion/aih/?exitcode=-1 | C:\Program Files\Internet Explorer\iexplore.exe | | bt-ddl.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | | | | |
2916 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3264 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | | | | |
560 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe |
User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0; Version: 26,0,0,131 | | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2992 | bt-ddl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\E8BN7OJ1.txt | — | — | — |
2992 | bt-ddl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\1XFSFNSN.txt | — | — | — |
2992 | bt-ddl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\1RFY276D.txt | — | — | — |
2992 | bt-ddl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\C0ISBZJS.txt | — | — | — |
2992 | bt-ddl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\11LKZ0D5.txt | text | 9875F6DCD3D5048EBA34FB3004B702E9 | E70DBCCA2C2D0A0B079B548689A7879DADA64A0EA79FDF4BBB870F29278055DE |
2992 | bt-ddl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\YE35GAR4.txt | text | 4C5C61F8952C1BB1CE665313348F2281 | 2DA38972FC49D126EF7B7DE9384B1D95A94F14F574E35084283784C529C89F81 |
2992 | bt-ddl.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\icon-blank[1].gif | image | 047722E6940449B36DC7507352170004 | E749A443EF9436DB67B0FF16DBB3BBBF4CC7E3BA3424EA83F1EE9181B74DCFAA |
2916 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | der | F35594720BDB12D02C777B50A40996C7 | 7C7C3BB58FDF08A0BF4C74CAF57034C7F8DCF3CC4D587E3F90A38B17ECDDB9EB |
2992 | bt-ddl.exe | C:\Users\admin\AppData\Local\Temp\bt-ddl_1.exe | executable | 0CCA673D5DDB45871D05F6A733059E56 | 6C121282C56F9C651FA0C56C9B495B55CD56F7A9F02E4E6F7324735C230DBD71 |
2992 | bt-ddl.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\logo-adobe[1].gif | image | 2D32D489B011C582232B70FEBFC866B0 | 3829F33115FF4CD0FC3EC2505FB4603578F040FEBEABAFFF16C9446D53E68A3B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2992 | bt-ddl.exe | GET | 302 | 54.72.205.114:80 | http://stats.adobe.com/b/ss/adbacdcprod/1/H.25.4/s8252581608748?AQB=1&ndh=1&t=30%2F10%2F2020%200%3A16%3A9%201%200&fid=3DE7416053BAF34B-182565CBCD9C29F1&ce=UTF-8&ns=adobecorp&pageName=acdc_fp_aih_launched&g=http%3A%2F%2F127.0.0.1%3A49181%2Fmainwindow.html&ch=acdc_flashplayer&events=event96%2Cevent19&products=%3Bflashplayer_aih&c1=aih&c2=acdc%20downloads&c3=get.adobe.com&c4=en&c5=en%3Aacdc_fp_aih_launched&v18=new&v22=sunday%20-%205%3A00pm&v73=acdc_flashplayer&s=1280x720&c=32&j=1.6&v=Y&k=Y&bw=728&bh=248&ct=lan&hp=N&AQE=1 | IE | — | — | whitelisted |
2916 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
2916 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
2916 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAZ2JfwMCbGcYKxKdYCjCAA%3D | US | der | 471 b | whitelisted |
2916 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
2916 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAZ2JfwMCbGcYKxKdYCjCAA%3D | US | der | 471 b | whitelisted |
2916 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted |
2916 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAza5nSVYZrPeIlAtSf0Rcs%3D | US | der | 471 b | whitelisted |
2916 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted |
2916 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAlARbj%2FknDlKb7yqTuYQmg%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2916 | iexplore.exe | 72.21.91.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2916 | iexplore.exe | 23.46.165.49:443 | wwwimages2.adobe.com | Cox Communications Inc. | US | unknown |
2992 | bt-ddl.exe | 193.104.215.66:443 | get.adobe.com | Level 3 Communications, Inc. | — | malicious |
2916 | iexplore.exe | 193.104.215.66:443 | get.adobe.com | Level 3 Communications, Inc. | — | malicious |
2916 | iexplore.exe | 2.20.242.24:443 | www.adobe.com | Akamai International B.V. | — | suspicious |
2992 | bt-ddl.exe | 54.72.205.114:80 | stats.adobe.com | Amazon.com, Inc. | IE | unknown |
2916 | iexplore.exe | 104.16.149.64:443 | cdn.cookielaw.org | Cloudflare Inc | US | unknown |
2916 | iexplore.exe | 2.20.242.16:443 | use.typekit.net | Akamai International B.V. | — | whitelisted |
3264 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2916 | iexplore.exe | 18.202.158.78:443 | sstats.adobe.com | — | US | unknown |
Domain | IP | Reputation |
---|---|---|
get.adobe.com | | whitelisted |
stats.adobe.com | | whitelisted |
ocsp.digicert.com | | whitelisted |
wwwimages2.adobe.com | | whitelisted |
www.adobe.com | | whitelisted |
use.typekit.net | | whitelisted |
cdn.cookielaw.org | | whitelisted |
assets.adobedtm.com | | whitelisted |
api.bing.com | | whitelisted |
www.bing.com | | whitelisted |