File name: adobe-photoshop.exe
Full analysis: https://app.any.run/tasks/5b26f604-5b06-4dae-b9ab-953234e182ce
Verdict: Malicious activity
Analysis date: May 01, 2024, 12:19:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 32DB46AC18CF85ED321840043C1D1CA2
SHA1: 947E605061C7EDB00D1F69FC904ADC3DDA2882E2
SHA256: 7CF21E876C61602DD8791FBD73BB5FB6A7338FFA097373400694EBD5BC49DE27
SSDEEP: 98304:bYkdpOGCG9/l9gECod0Gaaeh+9iqYbjv9q6k8LMF+h2lWq6DdS1vhI0aCCjKcGdp:x6mFsx8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • adobe-photoshop.exe (PID: 3960)
  • SUSPICIOUS
    • Reads the Internet Settings
      • adobe-photoshop.exe (PID: 3960)
    • Changes Internet Explorer settings (feature browser emulation)
      • adobe-photoshop.exe (PID: 3960)
    • Reads settings of System Certificates
      • adobe-photoshop.exe (PID: 3960)
    • Reads security settings of Internet Explorer
      • adobe-photoshop.exe (PID: 3960)
    • Reads Microsoft Outlook installation path
      • adobe-photoshop.exe (PID: 3960)
    • Reads Internet Explorer settings
      • adobe-photoshop.exe (PID: 3960)
    • Checks Windows Trust Settings
      • adobe-photoshop.exe (PID: 3960)
  • INFO
    • Reads the machine GUID from the registry
      • adobe-photoshop.exe (PID: 3960)
    • Checks supported languages
      • adobe-photoshop.exe (PID: 3960)
      • wmpnscfg.exe (PID: 1292)
    • Creates files in a temporary directory
      • adobe-photoshop.exe (PID: 3960)
    • Reads the computer name
      • adobe-photoshop.exe (PID: 3960)
      • wmpnscfg.exe (PID: 1292)
    • Creates files or folders in the user directory
      • adobe-photoshop.exe (PID: 3960)
    • Reads the software policy settings
      • adobe-photoshop.exe (PID: 3960)
    • Checks proxy server information
      • adobe-photoshop.exe (PID: 3960)
    • Process checks whether UAC notifications are on
      • adobe-photoshop.exe (PID: 3960)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 1292)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:11:11 12:29:31+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.23
CodeSize: 2478080
InitializedDataSize: 45056
UninitializedDataSize: 5378048
EntryPoint: 0x77e860
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.7.0.13
ProductVersionNumber: 2.7.0.13
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Adobe Inc.
FileDescription: Adobe Installer
FileVersion: 2.7.0.13
InternalName: Adobe Installer
LegalCopyright: © 2015-2021 Adobe. All rights reserved.
OriginalFileName: Adobe Installer
ProductName: Adobe Installer
ProductVersion: 2.7.0.13
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → adobe-photoshop.exe, wmpnscfg.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
1292 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3960 | "C:\Users\admin\AppData\Local\Temp\adobe-photoshop.exe" | C:\Users\admin\AppData\Local\Temp\adobe-photoshop.exe | | explorer.exe
User: admin
Company: Adobe Inc.
Integrity Level: MEDIUM
Description: Adobe Installer
Version: 2.7.0.13
Modules
Images
c:\users\admin\appdata\local\temp\adobe-photoshop.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
Total events: 8 128
Read events: 8 061
Write events: 55
Delete events: 12

Modification events

(PID) Process: (3960) adobe-photoshop.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation: write
Name: adobe-photoshop.exe
Value: 11001

(PID) Process: (3960) adobe-photoshop.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3960) adobe-photoshop.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3960) adobe-photoshop.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3960) adobe-photoshop.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3960) adobe-photoshop.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3960) adobe-photoshop.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3960) adobe-photoshop.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3960) adobe-photoshop.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3960) adobe-photoshop.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0
Executable files: 0
Suspicious files: 7
Text files: 7
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3960 | adobe-photoshop.exe | C:\Users\admin\AppData\Local\Temp\dat3839.tmp | binary
MD5: D070306A9062178AFDFA98FCC06D2525
SHA256: 8F5CCDFD3DA9185D4AD262EC386EBB64B3EB6C0521EC5BD1662CEC04E1E0F895
3960 | adobe-photoshop.exe | C:\Users\admin\AppData\Local\Temp\dat3829.tmp | binary
MD5: FA794EC12D353C26805FF53821331FC2
SHA256: CFDBD8A2AA463C11E483DC10C480ACD274E9786632F5571A3970E8A20A2D8237
3960 | adobe-photoshop.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5: 571B795733988A343F946C031C7D6F87
SHA256: 7086F010CE0385B110E81CA2FE75997A26D1AB58635FD13F1BFE2BDE4A301847
3960 | adobe-photoshop.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 | binary
MD5: B111EF75AFFBD1888F5313FE0CE5226E
SHA256: 3B6AB0B8281F8AEF1338F9425A45F11B9111EA03F5D41F02F7DA8334324FA603
3960 | adobe-photoshop.exe | C:\Users\admin\AppData\Local\Temp\{CE2BD87F-E6FB-4F4F-A7FC-85CF295DB55C}\index.css | text
MD5: 99578E05F734A97DE492019720A8E554
SHA256: 6DF8A9780DE0CFBF723F1F1A30955C8AEE3B66F113394D016CB68CC8C9C9E442
3960 | adobe-photoshop.exe | C:\Users\admin\AppData\Local\Temp\dat385A.tmp | binary
MD5: E204643042591AEEC2043C5EAE255099
SHA256: 7F58F56A7A353F8FC78EC2757394A7C7F28165E6BBF2A37D6A6E48E845874F3E
3960 | adobe-photoshop.exe | C:\Users\admin\AppData\Local\Adobe\OOBE\temp_lbs_wid | text
MD5: 8081401B68D0B68EC4FE26FA691CA5C7
SHA256: 5620CFEBD7D0AE7F2005CEBADA3BF4D5E5CED7B16F88D7F69C9FCA2134252956
3960 | adobe-photoshop.exe | C:\Users\admin\AppData\Local\Temp\dat38A9.tmp | woff
MD5: DFCE51814CF6D2F42375F948602CD99D
SHA256: 7A8A945586A1D21D2922CB4AED9E28D872129F6C396AC69F47EF3E32EA972BA0
3960 | adobe-photoshop.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\AdobeMessagingClient[1].js | text
MD5: 401A085DAF469075D7D14659F7D3CE0E
SHA256: E3FFA71CD501F9A1352A1CD7C5653ABB51538D47826FF18FD628361153DD73DB
3960 | adobe-photoshop.exe | C:\Users\admin\AppData\Local\Temp\{CE2BD87F-E6FB-4F4F-A7FC-85CF295DB55C}\CCDInstaller.js | binary
MD5: FBC34DA120E8A3AD11B3AD1404B6C51A
SHA256: 9701B3BA335B5A11BE32DD63EA3A466A14E048C1E5881CAC81352B459BE0F202
HTTP(S) requests: 4
TCP/UDP connections: 19
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3960 | adobe-photoshop.exe | GET | 304 | 23.45.119.174:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0e5fb8d1864a761a | unknown | | | unknown
3960 | adobe-photoshop.exe | GET | 304 | 23.45.119.165:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3b09b6600c170a2b | unknown | | | unknown
3960 | adobe-photoshop.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | unknown | | | unknown
1088 | svchost.exe | GET | 304 | 23.45.119.165:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e523dd86aac30a8d | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3960 | adobe-photoshop.exe | 54.74.179.44:443 | cc-api-data.adobe.io | AMAZON-02 | IE | unknown
3960 | adobe-photoshop.exe | 52.36.43.249:443 | na1e-acc.services.adobe.com | AMAZON-02 | US | unknown
3960 | adobe-photoshop.exe | 13.33.187.19:443 | client.messaging.adobe.com | | US | unknown
3960 | adobe-photoshop.exe | 23.45.119.174:80 | ctldl.windowsupdate.com | Akamai International B.V. | US | unknown
3960 | adobe-photoshop.exe | 23.45.119.165:80 | ctldl.windowsupdate.com | Akamai International B.V. | US | unknown
3960 | adobe-photoshop.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
cc-api-data.adobe.io (whitelisted)
  • 54.74.179.44
  • 3.248.26.100
  • 54.77.72.255
na1e-acc.services.adobe.com (whitelisted)
  • 52.36.43.249
  • 52.35.181.64
  • 44.242.119.92
  • 34.210.245.234
  • 35.162.64.27
  • 54.148.12.174
client.messaging.adobe.com (whitelisted)
  • 13.33.187.19
  • 13.33.187.44
  • 13.33.187.42
  • 13.33.187.74
ctldl.windowsupdate.com (whitelisted)
  • 23.45.119.174
  • 23.45.119.165
ocsp.digicert.com (whitelisted)
  • 192.229.221.95

Threats

No threats detected
No debug info