File name: | 5CEE.tmp |
Full analysis: | https://app.any.run/tasks/6c310a4c-d3ea-420f-9573-fca04c3bd3a9 |
Verdict: | No threats detected |
Analysis date: | March 19, 2019, 12:23:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
MD5: | 637299B765F5790DCA95B1BF5092948C |
SHA1: | B7AB5F3CAFA85D427BE1D77380330B5A214F0E5D |
SHA256: | 923E318BBB07309ED12BADBDAB53CDE98F3D2BFDE70EC27AF425319A9884C2C3 |
SSDEEP: | 6144:hjUTRt7HythULCb4VNbPMMCaOm7Apv6+Pjig76xb+:hUnS+LK4VNLBImEV6PW6s |
.scr | | | Windows screen saver (43.2) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (21.7) |
.exe | | | Win32 Executable (generic) (14.8) |
.exe | | | Win16/32 Executable Delphi generic (6.8) |
.exe | | | Generic Win/DOS Executable (6.6) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x1000 |
UninitializedDataSize: | - |
InitializedDataSize: | 24576 |
CodeSize: | 290816 |
LinkerVersion: | 12 |
PEType: | PE32 |
TimeStamp: | 2016:11:10 13:03:12+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 10-Nov-2016 12:03:12 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 10-Nov-2016 12:03:12 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0004E000 | 0x00047000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.99344 |
.rdata | 0x0004F000 | 0x000008F1 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.25504 |
.data | 0x00050000 | 0x00000E48 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.69382 |
.rsrc | 0x00051000 | 0x000024C0 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0362102 |
.reloc | 0x00054000 | 0x00000264 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.49112 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 0 | 3072 | UNKNOWN | UNKNOWN | RT_STRING |
2 | 0 | 3072 | UNKNOWN | UNKNOWN | RT_STRING |
3 | 0 | 3072 | UNKNOWN | UNKNOWN | RT_STRING |
advapi32.dll |
authz.dll |
clbcatq.dll |
clusapi.dll |
crypt32.dll |
kernel32.dll |
resutils.dll |
shell32.dll |
user32.dll |
Title | Ordinal | Address |
---|---|---|
DllCanUnloadNow | 1 | 0x00029574 |
DllGetClassObject | 2 | 0x00029548 |
DllUnRegisterServer | 3 | 0x0002956C |
DllRegisterServer | 4 | 0x00029564 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2940 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\5CEE.tmp | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3760 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\5CEE.tmp" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | rundll32.exe | |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Exit code: 1 Version: 15.23.20070.215641 | ||||
3288 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\5CEE.tmp" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 1 Version: 15.23.20070.215641 | ||||
2948 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Exit code: 3221225547 Version: 15.23.20053.211670 | ||||
3452 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2948.0.980465468\1844082882" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3288 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | |
MD5:— | SHA256:— | |||
3288 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rzfxbbj_1iryhfw_2jc.tmp | — | |
MD5:— | SHA256:— | |||
3288 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rvsk40y_1iryhfx_2jc.tmp | — | |
MD5:— | SHA256:— | |||
3288 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R15kbnai_1iryhfy_2jc.tmp | — | |
MD5:— | SHA256:— | |||
3288 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R7r8ubl_1iryhfz_2jc.tmp | — | |
MD5:— | SHA256:— | |||
3288 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1jcs7ec_1iryhg0_2jc.tmp | — | |
MD5:— | SHA256:— | |||
3288 | AcroRd32.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat | binary | |
MD5:E724D72264DA270D3DA2293F7579F7CC | SHA256:3516E878C6EF18D6D7DF8F3D01B63D7E7E87C865D822F62358B96C0576456975 | |||
3288 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages | sqlite | |
MD5:213FB73326D24A80BF86030CB2814E51 | SHA256:D28739F54BC371790EC2C7801CEFA181FBD28CB10EB13F38F102CC1EFE132D80 | |||
2948 | RdrCEF.exe | C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\data_1 | binary | |
MD5:404F6CE318C4015EEBE9FCBC6BC39C4A | SHA256:EFA9EF19EF1603D3B12C3E144E037BF2A0475B5D67B5C65EF32080A097D7063A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3760 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
3760 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/279_15_23_20070.zip | unknown | — | — | whitelisted |
3760 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | — | — | whitelisted |
3760 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | — | — | whitelisted |
3760 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3760 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3760 | AcroRd32.exe | 2.16.186.33:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
acroipm2.adobe.com |
| whitelisted |
armmf.adobe.com |
| whitelisted |