File name: Acrobat_Set-Up (1).exe

Full analysis: https://app.any.run/tasks/90c0ec9e-02a3-477f-8279-2618a2856686
Verdict: Malicious activity
Analysis date: June 25, 2023, 03:53:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: EB99AE444AF67BCE1DC56E6F2897A024
SHA1: E111F6E3856843E3D5F1CD459392CBC333F5935C
SHA256: DD7608DAD886AF436CDD9B67434934AD68363D46657CAA81AE14A2E8FC23A141
SSDEEP: 49152:a51Z7F25DNGy3g9lRC8mk62yFjqGAuf75pqjf8jJPfs/kfwMflf0hchZgtyep:a515F2W+8ClgduD59fVfwM/az

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS (all raised by Acrobat_Set-Up (1).exe, PID 2976)
    • Reads the Internet Settings
    • Reads Internet Explorer settings
    • Reads Microsoft Outlook installation path
    • Checks Windows Trust Settings
    • Reads settings of System Certificates
    • Reads security settings of Internet Explorer
  • INFO (all raised by Acrobat_Set-Up (1).exe, PID 2976)
    • Creates files in a temporary directory
    • Checks supported languages
    • The process checks LSA protection
    • Reads the computer name
    • Reads the machine GUID from the registry
    • Creates files or folders in the user directory
    • Reads CPU info
    • Checks proxy server information
    • Checks whether UAC notifications are enabled

Taken together, the SUSPICIOUS entries are the registry reads that WinINet and CryptoAPI perform on behalf of any program that opens an HTTP connection and verifies a certificate chain; they line up with the OCSP and certificate-trust-list downloads recorded under HTTP requests below rather than with anything the sample does on its own. Signature artifacts and their mapping to the MITRE ATT&CK matrix are in the full report.
No Malware configuration.

TRiD (file-type match, %)

.exe | UPX compressed Win32 Executable (43.5)
.exe | Win32 EXE Yoda's Crypter (42.7)
.exe | Win32 Executable (generic) (7.2)
.exe | Generic Win/DOS Executable (3.2)
.exe | DOS Executable Generic (3.2)

EXIF

EXE

ProductVersion: 2.11.0.30
ProductName: Adobe Installer
OriginalFileName: Adobe Installer
LegalCopyright: © 2015-2023 Adobe. All rights reserved.
InternalName: Adobe Installer
FileVersion: 2.11.0.30
FileDescription: Adobe Installer
CompanyName: Adobe Inc.
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.11.0.30
FileVersionNumber: 2.11.0.30
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x938650
UninitializedDataSize: 6766592
InitializedDataSize: 45056
CodeSize: 2899968
LinkerVersion: 14.33
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2023:02:27 07:58:01+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-Feb-2023 07:58:01
Detected languages:
  • English - United States
CompanyName: Adobe Inc.
FileDescription: Adobe Installer
FileVersion: 2.11.0.30
InternalName: Adobe Installer
LegalCopyright: © 2015-2023 Adobe. All rights reserved.
OriginalFilename: Adobe Installer
ProductName: Adobe Installer
ProductVersion: 2.11.0.30

The company, product and version strings above come from the file's VERSIONINFO resource, which any author can populate; the report records no Authenticode signature check, so they are not evidence of origin on their own. Note also that the same resource declares the file type as a dynamic link library although the image is a GUI executable.

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header (paragraphs): 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of new EXE (PE) header, e_lfanew: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 27-Feb-2023 07:58:01
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name  | Virtual Address | Virtual Size | Raw Size   | Characteristics                                                                                   | Entropy
UPX0  | 0x00001000      | 0x00674000   | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1  | 0x00675000      | 0x002C4000   | 0x002C3A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE   | 7.90065
.rsrc | 0x00939000      | 0x0000B000   | 0x0000AC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE                          | 3.82055

This is the standard UPX layout. UPX0 occupies no bytes on disk and is the 0x674000-byte region (6,766,592 bytes, matching UninitializedDataSize above) that the stub unpacks the original image into; UPX1 holds the compressed payload plus the decompression stub, which is why its entropy is 7.9 and why the entry point 0x938650 falls inside it rather than in the first code section; both are readable, writable and executable at once. Static imports and strings therefore show only the packer stub until the file is unpacked (for an unmodified UPX build, `upx -d`) or dumped from memory after the stub has run.
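The section table above is the classic UPX signature. As an added example, not code from the report or from ANY.RUN, the following Python applies the checks a triage script would run over it: Shannon entropy on a section's raw bytes, and a set of packer heuristics on the section table and entry point. The section values, entry-point RVA and the report's own entropy figures are copied from the tables above; REPORT_SECTIONS, packer_indicators and the thresholds used (0x10000 bytes, entropy 7.0) are this example's choices.

```python
import math

# Section table and entry-point RVA copied from the report above.
# Tuple layout: (name, virtual address, virtual size, raw size, flags)
REPORT_SECTIONS = [
    ("UPX0",  0x00001000, 0x00674000, 0x00000000, {"UNINITIALIZED_DATA", "EXECUTE", "READ", "WRITE"}),
    ("UPX1",  0x00675000, 0x002C4000, 0x002C3A00, {"INITIALIZED_DATA", "EXECUTE", "READ", "WRITE"}),
    (".rsrc", 0x00939000, 0x0000B000, 0x0000AC00, {"INITIALIZED_DATA", "READ", "WRITE"}),
]
REPORT_ENTRY_POINT = 0x938650
# Entropies as the report measured them; on a real file you would compute
# shannon_entropy() over each section's raw bytes instead.
REPORT_ENTROPY = {"UPX0": 0.0, "UPX1": 7.90065, ".rsrc": 3.82055}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer,
    8.0 for uniformly distributed bytes. UPX output sits near 7.9."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def section_containing(sections, rva):
    """Name of the section whose virtual range holds `rva`, or None."""
    for name, va, vsize, _raw, _flags in sections:
        if va <= rva < va + vsize:
            return name
    return None


def packer_indicators(sections, entry_point, entropy):
    """Return human-readable reasons why this section table looks packed.
    `entropy` maps section name -> entropy of the section's on-disk bytes."""
    reasons = []
    if any(name.startswith("UPX") for name, *_ in sections):
        reasons.append("section names UPX0/UPX1 (UPX defaults; trivially renamed)")
    code = [name for name, *_mid, flags in sections if "EXECUTE" in flags]
    ep = section_containing(sections, entry_point)
    if ep is not None and code and ep != code[0]:
        reasons.append(f"entry point 0x{entry_point:X} is in {ep}, not the first code section {code[0]}")
    for name, _va, vsize, raw, flags in sections:
        if raw == 0 and vsize >= 0x10000 and "EXECUTE" in flags:
            reasons.append(f"{name}: 0 bytes on disk, 0x{vsize:X} in memory, executable (unpack target)")
        if "EXECUTE" in flags and "WRITE" in flags:
            reasons.append(f"{name}: writable and executable")
        if raw > 0 and entropy.get(name, 0.0) > 7.0:
            reasons.append(f"{name}: entropy {entropy[name]:.2f} (compressed or encrypted)")
    return reasons


if __name__ == "__main__":
    for reason in packer_indicators(REPORT_SECTIONS, REPORT_ENTRY_POINT, REPORT_ENTROPY):
        print("-", reason)
```

Section names are the weakest of these signals (they are a one-byte edit away), so a triage rule should key on the zero-raw-size executable section, the entry point outside the first code section and the entropy of the section that does hold bytes.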

Resources

Title | Entropy | Size   | Codepage | Language                | Type
1     | 5.14505 | 1907   | UNKNOWN  | English - United States | RT_MANIFEST
2     | 2.43487 | 16936  | UNKNOWN  | English - United States | RT_ICON
3     | 2.47851 | 9640   | UNKNOWN  | English - United States | RT_ICON
4     | 2.63372 | 4264   | UNKNOWN  | English - United States | RT_ICON
5     | 2.70876 | 2440   | UNKNOWN  | English - United States | RT_ICON
6     | 2.77188 | 1128   | UNKNOWN  | English - United States | RT_ICON
101   | 2.75765 | 90     | UNKNOWN  | English - United States | RT_GROUP_ICON
105   | 7.33828 | 716    | UNKNOWN  | English - United States | XML
121   | 7.10177 | 426    | UNKNOWN  | English - United States | RT_HTML
122   | 0       | 939559 | UNKNOWN  | English - United States | CSS

Resource 122 is listed at 939,559 bytes with entropy 0, which is larger than the entire .rsrc section on disk (0xAC00 = 44,032 bytes), and the small XML and RT_HTML resources show the entropy of compressed data rather than of text. Both are consistent with UPX having compressed everything except the icons and manifest that the shell needs; the sizes and contents of resources 105, 121 and 122 should be re-read from the unpacked file.

Imports

KERNEL32.DLL
WS2_32.dll
urlmon.dll

Exports

No data.

Only three import DLLs are visible because UPX replaces the import table with the minimum its stub needs and rebuilds the original one at run time; the DLLs that the process actually loaded (see the module list below) are the better guide to its real dependencies.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → acrobat_set-up (1).exe

Process information

PID: 2976
CMD: "C:\Users\admin\AppData\Local\Temp\Acrobat_Set-Up (1).exe"
Path: C:\Users\admin\AppData\Local\Temp\Acrobat_Set-Up (1).exe
Parent process: explorer.exe
User: admin
Company: Adobe Inc.
Integrity Level: MEDIUM
Description: Adobe Installer
Exit code: 0
Version: 2.11.0.30

The process ran at medium integrity (no elevation), is the only monitored process in the run, spawned no children and exited with code 0.
Modules (loaded images)
c:\users\admin\appdata\local\temp\acrobat_set-up (1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
Total events: 7 327
Read events: 7 291
Write events: 36
Delete events: 0

Modification events

All entries below are registry writes by (PID 2976) Acrobat_Set-Up (1).exe.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  ProxyBypass = 1
  IntranetName = 1
  UNCAsIntranet = 1
  AutoDetect = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  CachePrefix = Cookie:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  CachePrefix = Visited:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  ProxyEnable = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  SavedLegacySettings = 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
  WpadDecisionReason = 1
  WpadDecisionTime = 7CF42C9F18A7D901

Every one of these keys is written by WinINet itself the first time a process initialises its proxy and WPAD handling; they show that the sample uses urlmon/WinINet for its HTTP traffic, not that it deliberately reconfigures the system, and none of them is a persistence location.
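SavedLegacySettings is WinINet's serialized per-connection proxy configuration (the same layout as DefaultConnectionSettings under the same key). As an added example that is not part of the report, the Python below decodes the documented prefix of the blob written above: version, change counter, PROXY_TYPE_* flags, then three length-prefixed strings (proxy server, bypass list, PAC URL). Bytes after the strings are returned undecoded. The blob and the flag values come from the page; parse_connection_settings, describe and build_connection_settings are this example's names, and the second blob that build_connection_settings produces is a constructed, hypothetical configuration used only to show the string fields being parsed.

```python
import struct

# Value of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
# Connections\SavedLegacySettings written by PID 2976 (hex copied from the
# modification events above).
SAVED_LEGACY_SETTINGS_HEX = "460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"

PROXY_TYPE_DIRECT = 0x1          # connect directly
PROXY_TYPE_PROXY = 0x2           # use the named proxy server
PROXY_TYPE_AUTO_PROXY_URL = 0x4  # use the PAC URL
PROXY_TYPE_AUTO_DETECT = 0x8     # try WPAD autodetection


def parse_connection_settings(blob: bytes) -> dict:
    """Decode the documented prefix of a WinINet connection-settings blob:
    DWORD version (0x46), DWORD change counter, DWORD PROXY_TYPE_* flags,
    then three (DWORD length, bytes) strings: proxy server, bypass list,
    PAC URL. Anything after that is returned as `trailer` without decoding."""
    if len(blob) < 12:
        raise ValueError("blob too short for version/counter/flags")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    fields = []
    for _ in range(3):
        if off + 4 > len(blob):
            raise ValueError("truncated string length")
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("string length runs past end of blob")
        fields.append(blob[off:off + n].decode("latin-1"))
        off += n
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "direct": bool(flags & PROXY_TYPE_DIRECT),
        "manual_proxy": bool(flags & PROXY_TYPE_PROXY),
        "pac_url_enabled": bool(flags & PROXY_TYPE_AUTO_PROXY_URL),
        "autodetect": bool(flags & PROXY_TYPE_AUTO_DETECT),
        "proxy_server": fields[0],
        "bypass_list": fields[1],
        "pac_url": fields[2],
        "trailer": blob[off:].hex(),
    }


def describe(settings: dict) -> str:
    """One-line summary of the enabled proxy modes."""
    modes = [label for label, on in (
        ("direct", settings["direct"]),
        ("manual proxy " + settings["proxy_server"], settings["manual_proxy"]),
        ("PAC URL " + settings["pac_url"], settings["pac_url_enabled"]),
        ("WPAD autodetect", settings["autodetect"]),
    ) if on]
    return f"flags=0x{settings['flags']:X}: " + (", ".join(modes) if modes else "none")


def build_connection_settings(flags, proxy="", bypass="", pac_url="", counter=1) -> bytes:
    """Constructed blob (hypothetical, not from the report) in the same layout,
    used to exercise the parser on non-empty string fields."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac_url):
        raw = s.encode("latin-1")
        out += struct.pack("<I", len(raw)) + raw
    return out + bytes(32)  # undecoded trailer; real blobs carry more state here


if __name__ == "__main__":
    print(describe(parse_connection_settings(bytes.fromhex(SAVED_LEGACY_SETTINGS_HEX))))
```

For the blob above this yields flags 0x9, direct plus WPAD autodetect with no proxy server, bypass list or PAC URL, which agrees with the ProxyEnable = 0 write and with the Wpad\{GUID} decision keys written in the same burst. A sample that injected a proxy or PAC URL to intercept traffic would show PROXY_TYPE_PROXY or PROXY_TYPE_AUTO_PROXY_URL set and a non-empty string here.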
Executable files: 0
Suspicious files: 11
Text files: 7
Unknown types: 0

Dropped files

All written by PID 2976, Acrobat_Set-Up (1).exe.

C:\Users\admin\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\meta_events\6377759b-22d1-49d4-a679-080aab2eff88
  Type, MD5, SHA256: empty in the report
C:\Users\admin\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\anon_events\3d9aaaf8-6ef2-4658-9410-97475c9b6203
  Type, MD5, SHA256: empty in the report
C:\Users\admin\AppData\Local\Adobe\OOBE\temp_lbs_wid
  Type: text
  MD5: B1ADB9A7C65A2D448848B1ABAAC5F728
  SHA256: 9C11DC3102CDE845966C57E45B0B65C6DE578D4E472A9436800057F0C1F95800
C:\Users\admin\AppData\Roaming\com.adobe.dunamis\f65a88c9-12b3-4201-a633-87cf11b91fa8\v1\0\meta_events\manifest
  Type: binary
  MD5: 335ECF8B087703C67A4831976CDD382C
  SHA256: A0C08679CC6D6592ABCE004BB4CEC199AECDE68678E9B9A634C01DA37D58A7DD
C:\Users\admin\AppData\Local\Temp\Adobe\com.adobe.dunamis\dunamis-2023-06-25_03-53-35.log
  Type: text
  MD5: 93E86B58A68AF64AAA8A55B4B4A2795B
  SHA256: 68F4CADFEB8FE7B5F19137061ED6F95D1C412D0D841A47F1B902F2BBE8A33705
C:\Users\admin\AppData\Local\Temp\CreativeCloud\ACC\WAM.log
  Type: text
  MD5: F3B25701FE362EC84616A93A45CE9998
  SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\AdobeMessagingClient[1].js
  Type: text
  MD5: 413FDDA96D845D6990A05DA4EF6F171F
  SHA256: 96F4BE8D45FEB14387E5D166E68F8521267A6399E1D2DFA5BBE863501F85F1D7
C:\Users\admin\AppData\Local\Temp\datBFA6.tmp
  Type: binary
  MD5: DFCE51814CF6D2F42375F948602CD99D
  SHA256: 7A8A945586A1D21D2922CB4AED9E28D872129F6C396AC69F47EF3E32EA972BA0
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
  Type: binary
  MD5: D50FE1593D6A5D0DA71D411640C03AD6
  SHA256: 88B043BC738507388F9D199CA80BF1291EC31430E3F33135EB5C40079DB13BFA
C:\Users\admin\AppData\Local\Temp\datBF56.tmp
  Type: binary
  MD5: D070306A9062178AFDFA98FCC06D2525
  SHA256: 8F5CCDFD3DA9185D4AD262EC386EBB64B3EB6C0521EC5BD1662CEC04E1E0F895

The CryptnetUrlCache entry is CryptoAPI's on-disk cache of the certificate-trust-list download listed under HTTP requests, and the Temporary Internet Files entry is WinINet's cache of the AdobeMessagingClient script; the remaining paths are installer logs and event files. No executable was written to disk (Executable files: 0 above).
HTTP(S) requests: 2
TCP/UDP connections: 10
DNS requests: 4
Threats: 0

HTTP requests

PID  | Process                | Method | HTTP Code | IP                | URL | CN | Type | Size | Reputation
2976 | Acrobat_Set-Up (1).exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | US | der | 471 b | whitelisted
2976 | Acrobat_Set-Up (1).exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?151170e19ad66a5e | US | compressed | 4.70 Kb | whitelisted

Both requests are certificate-validation traffic that Windows CryptoAPI generates when a process verifies a certificate chain: an OCSP status query to DigiCert and a fetch of Microsoft's disallowed-certificate trust list. "whitelisted" is the reputation of the destination host, not a judgement about the sample. The only connection the sample itself initiates to a non-infrastructure host, client.messaging.adobe.com on port 443, does not appear here because it is TLS; see Connections below.
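An OCSP GET request carries the DER-encoded OCSPRequest as base64 in the URL path (RFC 6960), so the first request above can be decoded offline to see which certificate's status the process asked about. The Python below is an added example, not code from the report: a minimal DER walker that pulls each CertID (hash algorithm, issuer name hash, issuer key hash, serial number) out of the URL copied from the table above. der_read, der_children, decode_oid and parse_ocsp_get are this example's names; the serial and issuer key hash it returns identify the checked certificate and its issuing CA key, which is what you would compare against the signer of the sample's Authenticode signature.

```python
import base64
import urllib.parse

# OCSP GET request the sample sent to ocsp.digicert.com (URL from the table above).
OCSP_URL = ("http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQU"
            "TiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D")

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def der_read(buf: bytes, off: int = 0):
    """Read one DER TLV at `off`; return (tag, value, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[off:off + length], off + length


def der_children(value: bytes):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, v, off = der_read(value, off)
        out.append((tag, v))
    return out


def decode_oid(raw: bytes) -> str:
    """Dotted-decimal form of an encoded OBJECT IDENTIFIER value."""
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url: str):
    """Return the CertIDs inside an OCSP GET request URL.

    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, ... }
    TBSRequest  ::= SEQUENCE { [0] version OPT, [1] requestorName OPT,
                               requestList SEQUENCE OF Request, [2] ext OPT }
    Request     ::= SEQUENCE { reqCert CertID, ... }
    CertID      ::= SEQUENCE { hashAlgorithm, issuerNameHash OCTET STRING,
                               issuerKeyHash OCTET STRING, serialNumber INTEGER }"""
    b64 = urllib.parse.unquote(url.rsplit("/", 1)[1])
    der = base64.b64decode(b64, validate=True)
    tag, ocsp_request, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("OCSPRequest is not a SEQUENCE")
    tbs = der_children(ocsp_request)[0][1]
    # Skip the optional context-tagged fields; requestList is the first plain SEQUENCE.
    request_list = next(v for t, v in der_children(tbs) if t == 0x30)
    results = []
    for _tag, request in der_children(request_list):
        cert_id = der_children(request)[0][1]
        alg, name_hash, key_hash, serial = der_children(cert_id)[:4]
        oid = decode_oid(der_children(alg[1])[0][1])
        results.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            # DER INTEGER bytes as-is; a leading 0x00 appears when the high bit is set.
            "serial": serial[1].hex(),
        })
    return results


if __name__ == "__main__":
    for cert_id in parse_ocsp_get(OCSP_URL):
        print(cert_id)
```

The issuer key hash is the SHA-1 of the issuing CA's public key, so the same value recurs across every certificate that CA issued; the serial is what pins the request to one certificate. Comparing that serial with the signer certificate extracted from the sample (or from the Adobe components it loads) tells you whether this OCSP lookup was the sample validating its own signature or something else in the chain.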

Connections

PID  | Process                | IP                   | Domain                     | ASN           | CN | Reputation
1076 | svchost.exe            | 224.0.0.252:5355     |                            |               |    | unknown
4    | System                 | 192.168.100.255:138  |                            |               |    | whitelisted
4    | System                 | 192.168.100.255:137  |                            |               |    | whitelisted
2748 | svchost.exe            | 239.255.255.250:1900 |                            |               |    | whitelisted
2976 | Acrobat_Set-Up (1).exe | 209.197.3.8:80       | ctldl.windowsupdate.com    | STACKPATH-CDN | US | whitelisted
2976 | Acrobat_Set-Up (1).exe | 192.229.221.95:80    | ocsp.digicert.com          | EDGECAST      | US | whitelisted
2976 | Acrobat_Set-Up (1).exe | 93.184.221.240:80    | ctldl.windowsupdate.com    | EDGECAST      | GB | whitelisted
2976 | Acrobat_Set-Up (1).exe | 13.32.99.32:443      | client.messaging.adobe.com | AMAZON-02     | US | suspicious

The first four rows are background host noise from the sandbox itself (LLMNR on 5355, NetBIOS name and datagram service on 137/138, SSDP on 1900) and are not attributable to the sample. Of the sample's own connections, three are the certificate-validation traffic already seen under HTTP requests; the TLS connection to client.messaging.adobe.com is the only one carrying application data, and it is flagged "suspicious" by IP reputation alone while the same domain is whitelisted in the DNS table below, so its content would have to be taken from the PCAP in the full report.

DNS requests

client.messaging.adobe.com (whitelisted)
  • 13.32.99.32
  • 13.32.99.120
  • 13.32.99.117
  • 13.32.99.75
ctldl.windowsupdate.com (whitelisted)
  • 93.184.221.240
  • 209.197.3.8
ocsp.digicert.com (whitelisted)
  • 192.229.221.95

Threats

No threats detected
No debug info