
Analysis Report Balsamiq_Mockups_3.5.17.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 125616
Start date: 25.04.2019
Start time: 04:38:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 56s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Balsamiq_Mockups_3.5.17.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean18.evad.winEXE@18/72@2/0
EGA Information:
  • Successful, ratio: 57.1%
HDC Information:
  • Successful, ratio: 91.6% (good quality ratio 83.9%)
  • Quality average: 77.3%
  • Quality standard deviation: 31.6%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 52
  • Number of non-executed functions: 147
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe
  • Execution Graph export aborted for target Adobe AIR Application Installer.exe, PID 4668 because there are no executed functions
  • Execution Graph export aborted for target Adobe AIR Installer.exe, PID 4256 because there are no executed functions
  • Execution Graph export aborted for target Balsamiq Mockups 3.exe, PID 4200 because it is empty
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: Balsamiq_Mockups_3.5.17.exe, Balsamiq_Mockups_3.5.17.tmp

Detection

Strategy    Score  Range    Reporting  Whitelisted  Detection
Threshold   18     0 - 100             false        clean

Confidence

Strategy    Score  Range  Further Analysis Required?  Confidence
Threshold   1      0 - 5  true


Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--")
Sample searches for specific files; try pointing organization-specific fake files at the analysis machine
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Scripting 1; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection 11; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Process Injection 11; Deobfuscate/Decode Files or Information 1; Scripting 1; Obfuscated Files or Information 3; Masquerading
Credential Access: Input Capture 2; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Process Discovery 1; Security Software Discovery 41; File and Directory Discovery 1; System Information Discovery 22; Remote System Discovery 1
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Input Capture 2; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol 2; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1; Multiband Communication; Standard Cryptographic Protocol

Signature Overview



Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B528C0 CryptDecodeObjectEx,lstrcmpA,LocalFree
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B529B0 CryptVerifyDetachedMessageSignature,CertFreeCertificateContext
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B523B0 CertDuplicateCertificateContext,CryptGetMessageCertificates,CertFindCertificateInStore,CertVerifySubjectCertificateContext,CertVerifyCRLRevocation,GetProcessHeap,HeapFree,CertFreeCertificateContext,CertCreateCertificateContext,CertVerifySubjectCertificateContext,CertFreeCertificateContext,CertFreeCertificateContext,CertFreeCertificateContext,CertCloseStore
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B52560 CryptGetObjectUrl,GetProcessHeap,HeapAlloc,CryptGetObjectUrl,GetProcessHeap,HeapAlloc,WideCharToMultiByte,CryptRetrieveObjectByUrlW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B528C0 CryptDecodeObjectEx,lstrcmpA,LocalFree
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B529B0 CryptVerifyDetachedMessageSignature,CertFreeCertificateContext
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B523B0 CertDuplicateCertificateContext,CryptGetMessageCertificates,CertFindCertificateInStore,CertVerifySubjectCertificateContext,CertVerifyCRLRevocation,GetProcessHeap,HeapFree,CertFreeCertificateContext,CertCreateCertificateContext,CertVerifySubjectCertificateContext,CertFreeCertificateContext,CertFreeCertificateContext,CertFreeCertificateContext,CertCloseStore
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B52560 CryptGetObjectUrl,GetProcessHeap,HeapAlloc,CryptGetObjectUrl,GetProcessHeap,HeapAlloc,WideCharToMultiByte,CryptRetrieveObjectByUrlW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree

Spreading:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; File opened: C:\Users\user\AppData\Local\Temp\AIR9454.tmp
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; File opened: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F37440 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F2EFF8 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F37440 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F2EFF8 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EF7440 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EEEFF8 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B5EAC5 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B5EAC5 FindFirstFileExW
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe; Code function: 16_2_00967368 FindFirstFileExA

Networking:

Contains functionality to download additional files from the internet
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B52160 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoW,HttpQueryInfoW,InternetReadFile,PostMessageW,new,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: crl.starfieldtech.com
Urls found in memory or binary data
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: http://a.
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: http://a.http://%sSharedObject.UriMismatchpendingSharedObject.BadPersistence
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp; String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp; String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp, Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp, Adobe AIR Application Installer.exe, 0000000C.00000003.6942922595.0000000008E55000.00000004.sdmp; String found in binary or memory: http://certs.starfieldtech.com/repository/
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp, Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp, masterstarfield2issuing[1].crl.12.dr; String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6943846047.000000000AA8E000.00000004.sdmp; String found in binary or memory: http://certs.starfieldtech.com/repository/7
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: http://certs.starfieldtech.com/repository/Jl
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: http://certs.starfieldtech.com/repository/OOT
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6834833704.0000000008DFC000.00000004.sdmp; String found in binary or memory: http://certs.starfieldtech.com/repository/Q
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: http://certs.starfieldtech.com/repository/R2
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: http://certs.starfieldtech.com/repository/rityV
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6940200915.000000000AD6B000.00000004.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp, Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: http://crl.godaddy.com/gdig2s5-4.crl0
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp; String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/repository/0
Source: Adobe AIR Application Installer.exe; String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crl
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6834410294.0000000008E48000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crl.
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crl0P
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6834410294.0000000008E48000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crlD
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6943679009.0000000008E47000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crlJ
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6834410294.0000000008E48000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crlL
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6834410294.0000000008E48000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crlP
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6834410294.0000000008E48000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crlR
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6834410294.0000000008E48000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crll
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/repository/sf_issuing_ca-g2.crt0T
Source: Adobe AIR Application Installer.exe; String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp, Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl4AJl
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crlb
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: http://fpdownload2.macromedia.com/get/
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/express/version_win_
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/express/version_win_.xml8
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp; String found in binary or memory: http://ocsp.godaddy.com/0
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp; String found in binary or memory: http://ocsp.godaddy.com/05
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp, Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp; String found in binary or memory: http://ocsp.starfieldtech.com/0H
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp, Balsamiq_Mockups_AIR.exe, 00000009.00000003.6725710991.00000000009CA000.00000004.sdmp; String found in binary or memory: http://uri.etsi.org/01903/v1.1.1#
Source: Adobe AIR Updater.exe, 00000010.00000002.8923132528.0000000009B21000.00000004.sdmp; String found in binary or memory: http://www.adobe.
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6767474284.0000000007C45000.00000004.sdmp; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000003.6206624267.0000000002440000.00000004.sdmp, Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7068290599.0000000000401000.00000020.sdmp; String found in binary or memory: http://www.innosetup.com/
Source: Balsamiq_Mockups_3.5.17.exe; String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp, Adobe AIR Updater.exe, 00000010.00000002.8892003153.00000000030E0000.00000004.sdmp; String found in binary or memory: http://www.macromedia.com
Source: Adobe AIR Installer.exe, 00000006.00000001.6553061102.000000006C773000.00000002.sdmp; String found in binary or memory: http://www.macromedia.com/go/ac2e1eab
Source: Adobe AIR Installer.exe, 00000006.00000002.6569009099.0000000000130000.00000004.sdmp; String found in binary or memory: http://www.macromedia.comA
Source: Adobe AIR Updater.exe, 00000010.00000002.8892003153.00000000030E0000.00000004.sdmp; String found in binary or memory: http://www.macromedia.comh
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000003.6206624267.0000000002440000.00000004.sdmp, Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7068290599.0000000000401000.00000020.sdmp; String found in binary or memory: http://www.remobjects.com/ps
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: https://auth.adobefpl.com/1/
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: https://auth.adobefpl.com/1/?nocache=load-authorized-features-from-data
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000003.6215236779.00000000029F0000.00000004.sdmp; String found in binary or memory: https://balsamiq.com/
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000003.7080337117.0000000000B71000.00000004.sdmp, Balsamiq_Mockups_3.5.17.tmp, 00000002.00000003.7064710155.00000000023F1000.00000004.sdmp; String found in binary or memory: https://balsamiq.com/1
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000003.7080337117.0000000000B71000.00000004.sdmp, Balsamiq_Mockups_3.5.17.tmp, 00000002.00000003.7064710155.00000000023F1000.00000004.sdmp; String found in binary or memory: https://balsamiq.com/q
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp; String found in binary or memory: https://certs.godaddy.com/repository/0
Source: Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7067468352.000000000018C000.00000004.sdmp, Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp; String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: https://fpdownload.macromedia.com/get/
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: https://www.macromedia.com/bin/flashdownload.cgi
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: https://www.macromedia.com/bin/flashdownload.cgihttps://fpdownload.macromedia.com/get/http://fpdownl
Source: Adobe AIR Updater.exe, 00000010.00000002.8917486314.000000000909A000.00000004.sdmp; String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/
Source: Adobe AIR Updater.exe, 00000010.00000002.8917486314.000000000909A000.00000004.sdmp; String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/d
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp; String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/http://www.macromedia.comgpu.txterror:
Source: Adobe AIR Installer.exe, 00000006.00000002.6569009099.0000000000130000.00000004.sdmp; String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/yp

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: AdobeAIRInstaller.exe, 00000003.00000002.6648730683.0000000003770000.00000004.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a global mouse hook
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8WQYDQEU\gdig2s5-4[1].crl
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LTYLVBDO\sfroot-g2[1].crl
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe; File created: C:\Users\user\AppData\Roaming\Adobe\AIR\CRLCache\FAAA16B14467B1D0EC4BFA1BEC9D498BF5F2792E.crl
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe; File created: C:\Users\user\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fla4C79.tmp\digest.s
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe; File created: C:\Users\user\AppData\Roaming\Adobe\AIR\CRLCache\4D93F8A6E3D33B31D8F85B70C39F38DFA384EEE5.crl
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\digest.s
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; File created: C:\Users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\digest.s

System Summary:

Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4172:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F23C2B
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F22802
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F26940
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F23949
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F27D30
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F2B500
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F24EB0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F34A82
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F28E70
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F29720
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F28F10
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_2_00F29300
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F23C2B
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F22802
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F26940
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F23949
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F27D30
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F2B500
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F24EB0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F34A82
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F28E70
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F29720
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F28F10
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe; Code function: 3_1_00F29300
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; Code function: 6_3_001E4F03
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; Code function: 6_3_001CF008
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; Code function: 6_3_001D24A8
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; Code function: 6_3_001D30DF
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; Code function: 6_3_001D24CC
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe; Code function: 6_3_001D24C0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EE3C2B
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EE2802
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EE3949
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EE6940
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EE7D30
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EEB500
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EE4EB0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EF4A82
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EE8E70
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EE9720
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EE9300
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe; Code function: 9_2_00EE8F10
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B622AE
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B59B54
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B59D83
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B515C0
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B61E00
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_2_00B65F7C
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B622AE
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B59B54
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B59D83
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B515C0
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B61E00
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe; Code function: 10_1_00B65F7C
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe; Code function: 12_3_07C63D08
Source: C:\Program Files (x86)\Balsamiq Mockups 3\Balsamiq Mockups 3.exe; Code function: 15_2_053316D0
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe; Code function: 16_2_0096B0BF
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe; Code function: 16_2_061A0413
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe; Code function: 16_2_061A9A32
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe; Code function: 16_2_061B3A81
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe; Code function: 16_2_061BE704
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe; Code function: 16_2_061B7962
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe; Code function: 16_2_06164BD7
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe; Code function: 16_2_06164BD1
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe; Code function: 16_2_061B5FFA
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exeCode function: 16_2_061BD7E816_2_061BD7E8
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Code function: String function: 00F21930 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Code function: String function: 00F2FD01 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe | Code function: String function: 00B54EE0 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe | Code function: String function: 00B5536D appears 38 times
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe | Code function: String function: 00B5E7F1 appears 36 times
PE file contains executable resources (Code or Archives)
Source: Balsamiq_Mockups_3.5.17.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Balsamiq_Mockups_3.5.17.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
PE file contains strange resources
Source: Balsamiq_Mockups_3.5.17.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Balsamiq_Mockups_3.5.17.tmp.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Balsamiq_Mockups_3.5.17.tmp.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FDMO6.tmp.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-FDMO6.tmp.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-SU70D.tmp.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-SU70D.tmp.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: airappinstaller.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: airappinstaller.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Balsamiq Mockups 3.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Balsamiq Mockups 3.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: airappinstaller.exe.12.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: airappinstaller.exe.12.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000002.7082494480.00000000001D0000.00000002.sdmp | Binary or memory string: OriginalFilenamenetmsg.DLLj% vs Balsamiq_Mockups_3.5.17.exe
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000002.7086396216.0000000002350000.00000002.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Balsamiq_Mockups_3.5.17.exe
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000003.6206624267.0000000002440000.00000004.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Balsamiq_Mockups_3.5.17.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe | File read: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Section loaded: comres.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Section loaded: ws2help.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Section loaded: xpsp2res.dll
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Section loaded: comres.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Section loaded: ws2help.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Section loaded: xpsp2res.dll
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Section loaded: tsappcmp.dll
Source: C:\Program Files (x86)\Balsamiq Mockups 3\Balsamiq Mockups 3.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe | Section loaded: wow64log.dll
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: airappinstaller.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: airappinstaller.exe.12.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine | Classification label: clean18.evad.winEXE@18/72@2/0
Creates files inside the program directory
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | File created: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.msi
Creates files inside the user directory
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | File created: C:\Users\user\AppData\Local\Programs
Creates temporary files
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe | File created: C:\Users\user~1\AppData\Local\Temp\is-V2TF4.tmp
Might use command line arguments
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: kernel32.dll | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: kernel32.dll | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: entID="P758" | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: D="P758" | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: 758" | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: AttachConsole | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: kernel32.dll | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: AIR | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: 1.2.11 | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: .launch | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: kernel32.dll | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: kernel32.dll | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: entID="P758" | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: D="P758" | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: 758" | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: AttachConsole | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: kernel32.dll | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: AIR | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: 1.2.11 | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: .launch | 3_2_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: kernel32.dll | 3_1_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: kernel32.dll | 3_1_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: entID="P758" | 3_1_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: D="P758" | 3_1_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: 758" | 3_1_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: AttachConsole | 3_1_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: kernel32.dll | 3_1_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: AIR | 3_1_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: 1.2.11 | 3_1_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Command line argument: .launch | 3_1_00F361D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Command line argument: kernel32.dll | 9_2_00EF61D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Command line argument: kernel32.dll | 9_2_00EF61D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Command line argument: entID="P758" | 9_2_00EF61D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Command line argument: D="P758" | 9_2_00EF61D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Command line argument: 758" | 9_2_00EF61D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Command line argument: AttachConsole | 9_2_00EF61D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Command line argument: kernel32.dll | 9_2_00EF61D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Command line argument: AIR | 9_2_00EF61D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Command line argument: 1.2.11 | 9_2_00EF61D0
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Command line argument: .launch | 9_2_00EF61D0
Parts of this application are using Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the Windows registered organization settings
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
SQL strings found in memory and binary data
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp | Binary or memory string: select * from sqlite_master;
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe 'C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp 'C:\Users\user~1\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp' /SL5='$A0062,15640953,117760,C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe 'C:\Users\user~1\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe' -silent
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe 'C:\Users\user~1\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe' -silent
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe 'C:\Users\user~1\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe' -silent -desktopShortcut -programMenu
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe 'C:\Users\user~1\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe' -silent -desktopShortcut -programMenu
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe 'Adobe AIR Application Installer.exe' -silent -desktopShortcut -programMenu 'C:\Users\user~1\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3'
Source: unknown | Process created: C:\Program Files (x86)\Balsamiq Mockups 3\Balsamiq Mockups 3.exe C:\Program Files (x86)\Balsamiq Mockups 3\Balsamiq Mockups 3.exe
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe 'c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe' -eula -nai
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe | Process created: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp 'C:\Users\user~1\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp' /SL5='$A0062,15640953,117760,C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe'
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe 'C:\Users\user~1\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe' -silent
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe 'C:\Users\user~1\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe' -silent -desktopShortcut -programMenu
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Process created: C:\Program Files (x86)\Balsamiq Mockups 3\Balsamiq Mockups 3.exe C:\Program Files (x86)\Balsamiq Mockups 3\Balsamiq Mockups 3.exe
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Process created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe 'C:\Users\user~1\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe' -silent
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Process created: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe 'C:\Users\user~1\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe' -silent -desktopShortcut -programMenu
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe | Process created: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe 'Adobe AIR Application Installer.exe' -silent -desktopShortcut -programMenu 'C:\Users\user~1\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3'
Source: C:\Program Files (x86)\Balsamiq Mockups 3\Balsamiq Mockups 3.exe | Process created: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe 'c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe' -eula -nai
Uses an in-process (OLE) Automation server
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Reads the Windows registered owner settings
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Executable creates window controls seldom found in malware
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Window found: window name: TMainForm
Found GUI installer (many successful clicks)
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Automated click: Next >
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: Balsamiq_Mockups_3.5.17.exe | Static file information: File size 16037376 > 1048576
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Balsamiq_Mockups_3.5.17.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: E:\r\ws\St_Make\code\build\win\results\Release\info\AppInstaller.pdb source: Adobe AIR Application Installer.exe, 0000000C.00000000.6738830755.000000000023D000.00000002.sdmp
Source: Binary string: E:\r\ws\St_Make\code\build\win\results\Release\info\ExtendedAppEntry.vc2015.pdb source: Balsamiq_Mockups_AIR.exe, 00000009.00000003.6721749237.00000000009C9000.00000004.sdmp
Source: Binary string: E:\r\ws\St_Make\code\build\win\results\Release\info\runtime_enduser_withdrm\Runtime-EndUser-WithDRM.vc2015.pdb( source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp
Source: Binary string: E:\r\ws\St_Make\code\build\win\results\Release\info\SelfExtractorSDK.pdb source: Balsamiq_Mockups_AIR.exe, 00000009.00000000.6656424493.0000000000EF8000.00000002.sdmp
Source: Binary string: E:\r\ws\St_Make\code\build\win\results\Release\info\RuntimeInstaller.vc2015.pdb source: Adobe AIR Installer.exe, 00000006.00000002.6573045558.0000000000C5D000.00000002.sdmp, Adobe AIR Updater.exe, 00000010.00000001.7089816252.000000000096D000.00000002.sdmp
Source: Binary string: E:\r\ws\St_Make\code\build\win\results\Release\info\NativeAppInstallBootstrapper.pdb source: Install Balsamiq Mockups 3.exe, 0000000A.00000000.6733585786.0000000000B68000.00000002.sdmp
Source: Binary string: E:\r\ws\St_Make\code\build\win\int\SelfExtractor.build\Release\info\SelfExtractor.pdb source: AdobeAIRInstaller.exe, 00000003.00000001.6276793830.0000000000F38000.00000002.sdmp
Source: Binary string: E:\r\ws\St_Make\code\build\win\results\Release\info\runtime_enduser_withdrm\Runtime-EndUser-WithDRM.vc2015.pdb source: Adobe AIR Installer.exe, 00000006.00000002.6597376266.000000006C09E000.00000002.sdmp

Data Obfuscation:

PE file contains an invalid checksum
Source: Balsamiq_Mockups_3.5.17.exe | Static PE information: real checksum: 0xf52c1b should be:
Source: is-FDMO6.tmp.2.dr | Static PE information: real checksum: 0xb213d7 should be:
Source: Balsamiq_Mockups_3.5.17.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x1242d8
Source: Balsamiq Mockups 3.exe.9.dr | Static PE information: real checksum: 0x0 should be: 0x45930
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Code function: 3_2_00F21976 push ecx; ret 3_2_00F21989
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Code function: 3_1_00F21976 push ecx; ret 3_1_00F21989
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001E4D09 push 50071535h; iretd 6_3_001E4D15
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001E4D09 push 50071535h; iretd 6_3_001E4D15
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001E4D09 push 50071535h; iretd 6_3_001E4D15
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001E4D09 push 50071535h; iretd 6_3_001E4D15
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001DCC1A pushad ; iretd 6_3_001DCC29
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001DD06F pushad ; ret 6_3_001DD0A9
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001DD0AA pushad ; ret 6_3_001DD0A9
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001DD583 push eax; ret 6_3_001DD589
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001DCDCF push D0071AEBh; iretd 6_3_001DCDE9
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001DADC7 push 30046975h; retf 6_3_001DADDD
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001DB1C2 push eax; iretd 6_3_001DB1D5
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001DADE4 push 30046975h; retf 6_3_001DADDD
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001C10AD push ss; ret 6_3_001C121B
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001E4D09 push 50071535h; iretd 6_3_001E4D15
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001E4D09 push 50071535h; iretd 6_3_001E4D15
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001E4D09 push 50071535h; iretd 6_3_001E4D15
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Code function: 6_3_001E4D09 push 50071535h; iretd 6_3_001E4D15
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Code function: 9_2_00EE1976 push ecx; ret 9_2_00EE1989
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe | Code function: 10_2_00B54F26 push ecx; ret 10_2_00B54F39
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe | Code function: 10_1_00B54F26 push ecx; ret 10_1_00B54F39
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Code function: 12_3_07C60DF8 pushad ; retf 12_3_07C6109F
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Code function: 12_3_07C61078 pushad ; retf 12_3_07C6109F
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Code function: 12_3_07C63D08 push 0000002Ch; iretd 12_3_07C645D2
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Code function: 12_3_07C4CF73 push eax; ret 12_3_07C4CF99
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Code function: 12_3_07C4A515 push esi; retf 12_3_07C4A524
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Code function: 12_3_07C49C13 push esi; retf 12_3_07C49C14
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Code function: 12_3_08E4C1D3 push 00000078h; retf 12_3_08E4C1D5
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Code function: 12_3_08DF2D68 push esp; ret 12_3_08DF2DD6
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Code function: 12_3_08DF1184 push es; retf 12_3_08DF118A

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp :: File created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\is-FDMO6.tmp
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: File created: C:\Users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\template.exe
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\Balsamiq Mockups 3.exe
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe :: File created: C:\Users\user\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fla4C79.tmp\airappinstaller.exe
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp :: File created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\is-SU70D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp :: File created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF64.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe :: File created: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp
Creates install or setup log file
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp :: File created: C:\Users\user~1\AppData\Local\Temp\Setup Log 2019-04-25 #001.txt
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: File created: C:\Users\user\AppData\Local\Adobe\AIR\logs\Install.log
Creates license or readme file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File created: C:\Users\user~1\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt

Hooking and other Techniques for Hiding and Protection:

Flash file may contain encrypted javascript
Source: initial sample :: Static Flash information: Found token: eval in "evalecern sobre la" (reported twice)
Source: initial sample :: Static Flash information: Found token: eval in "evaluateBezierevalu"
Source: initial sample :: Static Flash information: Found token: unescape in "unescapeStringreadN"
Source: initial sample :: Static Flash information: Found token: eval in "evalExpressions+mx.u"
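The hits above are substring matches: "eval" inside identifiers such as evaluateBezier and evalExpressions, "unescape" inside unescapeString. ActionScript 3 has no eval() function at all, so for an AIR application this signature only means something when the token appears as a call. The Python below is an added example, not code from the report or from Joe Sandbox: it reproduces the substring check next to a call-shaped check. The snippets are copied from the rows above; the obfuscated one-liner is constructed as a positive control.

```python
import re

# Constructed sample: the "Found token" hits listed above, reduced to the
# context snippet the report prints after "in".
REPORTED_SNIPPETS = [
    "evalecern sobre la",
    "evalecern sobre la",
    "evaluateBezierevalu",
    "unescapeStringreadN",
    "evalExpressions+mx.u",
]

# Constructed positive control: what an actual decode-and-execute stub looks like.
OBFUSCATED_SNIPPET = "var p='%75%6e...'; eval(unescape(p));"

TOKENS = ("eval", "unescape")


def substring_hits(snippet, tokens=TOKENS):
    """Plain substring search: the behaviour the signature above exhibits."""
    return [t for t in tokens if t in snippet]


def call_hits(snippet, tokens=TOKENS):
    """Count a token only when it stands alone as an identifier and is followed
    by '(' so that evaluateBezier / unescapeString / evalExpressions no longer
    match while eval(...) and unescape(...) still do."""
    hits = []
    for t in tokens:
        pattern = r"(?<![A-Za-z0-9_$])" + re.escape(t) + r"\s*\("
        if re.search(pattern, snippet):
            hits.append(t)
    return hits


def triage(snippets):
    """One row per snippet with both verdicts, so the analyst sees which hits
    survive the stricter check."""
    return [
        {"snippet": s, "substring": substring_hits(s), "call": call_hits(s)}
        for s in snippets
    ]


if __name__ == "__main__":
    for row in triage(REPORTED_SNIPPETS + [OBFUSCATED_SNIPPET]):
        print(row)
```

Run against the report's own snippets, every substring hit disappears under the call-shaped check, while the constructed eval(unescape(...)) stub is still flagged on both tokens.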
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (9 identical events)
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp :: Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Process information set: NOOPENFILEERRORBOX (5 identical events)
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: Process information set: NOOPENFILEERRORBOX (3 identical events)
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: Process information set: NOOPENFILEERRORBOX (5 identical events)
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe :: Process information set: NOOPENFILEERRORBOX (8 identical events)

Malware Analysis System Evasion:

Checks the free space of harddrives
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: File Volume queried: C:\ FullSizeInformation (3 identical events)
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe :: File Volume queried: C:\ FullSizeInformation (3 identical events)
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe :: File Volume queried: C:\ FullSizeInformation
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: File opened: C:\Users\user\AppData\Local\Temp\AIR9454.tmp
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: File opened: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe :: Dropped PE file which has not been started: C:\Users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\template.exe
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fla4C79.tmp\airappinstaller.exe
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF64.dll
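The "Drops PE files" rows under Persistence and Installation Behavior and the "not been started" rows just above only become useful when they are joined: which of the 17 dropped PEs actually ran, which droppers wrote them, and which of the dormant ones landed outside %TEMP%, where an installer's cleanup will not remove them. The Python below is an added example, not part of the report or of Joe Sandbox, that parses both row types in the report's raw form (the source path runs straight into the field name, which the regex tolerates) and cross-references them. The sample text is pasted from the rows on this page; the "persistent" rule (anything not under a \Temp\ directory) is my assumption.

```python
import re
from collections import Counter

# Constructed sample: the report's own "File created" and "Dropped PE file which
# has not been started" rows, pasted in their raw extracted form.
DROP_ROWS = r"""
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmpFile created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\is-FDMO6.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeFile created: C:\Users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exeFile created: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\template.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exeFile created: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\Balsamiq Mockups 3.exeJump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeFile created: C:\Users\user\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fla4C79.tmp\airappinstaller.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmpFile created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\is-SU70D.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmpFile created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dllJump to dropped file
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exeFile created: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeDropped PE file which has not been started: C:\Users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\template.exeJump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fla4C79.tmp\airappinstaller.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF64.dllJump to dropped file
"""

# The source path is matched non-greedily up to the field name, so the raw
# "…exeFile created:" form and a cleaned "…exe :: File created:" form both parse.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*(?:::\s*)?"
    r"(?P<field>File created|Dropped PE file which has not been started):\s*"
    r"(?P<dst>.+?)\s*(?:Jump to dropped file)?\s*$"
)


def parse(text):
    """Split the rows into (dropper, dropped) pairs for each of the two fields."""
    created, not_started = [], []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rec = (m["src"], m["dst"])
        (created if m["field"] == "File created" else not_started).append(rec)
    return created, not_started


def cross_reference(text):
    """One row per dropped PE: who wrote it, whether it ran, whether it will outlive %TEMP%."""
    created, not_started = parse(text)
    dormant = {dst for _, dst in not_started}
    return [
        {
            "dropper": src.rsplit("\\", 1)[-1],
            "dropped": dst,
            "executed": dst not in dormant,
            # Assumption: anything not under a \Temp\ directory survives cleanup.
            "persistent": "\\Temp\\" not in dst,
        }
        for src, dst in created
    ]


def summary(text):
    rows = cross_reference(text)
    return {
        "dropped": len(rows),
        "executed": sum(r["executed"] for r in rows),
        "dormant": sum(not r["executed"] for r in rows),
        "persistent_dormant": [r["dropped"] for r in rows if r["persistent"] and not r["executed"]],
        "per_dropper": Counter(r["dropper"] for r in rows),
    }


if __name__ == "__main__":
    for key, value in summary(DROP_ROWS).items():
        print(key, value)
```

On this report the join gives 17 dropped PEs, 10 of them executed and 7 dormant; the two dormant copies of airappinstaller.exe under the Default and user Roaming profiles are the only drops outside a temp directory, which is exactly the pair worth checking on a real host after the installer has finished.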
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Evasive API call chain: GetLocalTime,DecisionNodes :: graph_10-11381
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess :: graph_9-9697
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess :: graph_3-9025
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe TID: 924 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe TID: 5036 :: Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe TID: 3712 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe TID: 4312 :: Thread sleep time: -922337203685477s >= -30000s
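The sleep values behind "Contains long sleeps" and "May sleep (evasive loops)" deserve a second look before they count as evasion. A negative interval to NtDelayExecution is relative, in 100 ns ticks; 922337203685477 is the magnitude of the 64-bit limit divided by 10 000, i.e. the interval in milliseconds, which is roughly 29,000 years. That is what Sleep(INFINITE) and similar block-until-signalled waits look like in an API trace, not a timed delay, and the doubled value is the same limit read as unsigned. The Python below is an added example, not part of the report or of Joe Sandbox: it decodes the rows above, separates saturated waits from genuine sleeps over the report's own three-minute bar, and prints a human-readable duration. The tick-to-millisecond interpretation is my assumption and should be confirmed against the full API log; the last row is constructed to show a real five-minute sleep for contrast.

```python
import re

# Constructed sample: the four "Thread sleep time" rows above plus one
# constructed row carrying a genuine five-minute sleep.
SLEEP_ROWS = [
    r"C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe TID: 924 Thread sleep time: -922337203685477s >= -30000s",
    r"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe TID: 5036 Thread sleep time: -1844674407370954s >= -30000s",
    r"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe TID: 3712 Thread sleep time: -922337203685477s >= -30000s",
    r"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe TID: 4312 Thread sleep time: -922337203685477s >= -30000s",
    r"C:\Users\user\AppData\Local\Temp\constructed-sample.exe TID: 1 Thread sleep time: -300000s >= -30000s",  # constructed
]

ROW_RE = re.compile(
    r"^(?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<value>\d+)s >= -(?P<threshold>\d+)s$"
)

# Assumption: the reported number is the relative NtDelayExecution interval
# converted from 100 ns ticks to milliseconds (ticks // 10_000). The 64-bit
# limit is the largest relative timeout Windows accepts: "block until signalled".
INT64_MAX_MS = (2**63 - 1) // 10_000     # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000            # the report's own ">= 3 min" bar


def classify(value_ms):
    """Saturated waits are not timed sleeps; only values below the limit but
    above the report's bar are worth treating as deliberate delays."""
    if value_ms >= INT64_MAX_MS:
        return "infinite-wait"
    if value_ms >= LONG_SLEEP_MS:
        return "long-sleep"
    return "short-sleep"


def human(value_ms):
    secs = value_ms / 1000
    year = 365.25 * 86400
    if secs >= year:
        return f"{secs / year:.0f} years"
    if secs >= 3600:
        return f"{secs / 3600:.1f} h"
    return f"{secs:.0f} s"


def decode(rows):
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        value = int(m["value"])
        out.append({
            "process": m["proc"].rsplit("\\", 1)[-1],
            "tid": int(m["tid"]),
            "ms": value,
            "human": human(value),
            "class": classify(value),
        })
    return out


if __name__ == "__main__":
    for rec in decode(SLEEP_ROWS):
        print(f'{rec["process"]:40} tid={rec["tid"]:<5} {rec["human"]:>14}  {rec["class"]}')
```

All four of the report's rows decode as infinite waits; only the constructed row survives as a long sleep, which is the category an analyst actually wants to see under this heading.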
Queries keyboard layouts
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp :: Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_2_00F37440 FindFirstFileW,FindClose :: 3_2_00F37440
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_2_00F2EFF8 FindFirstFileExA :: 3_2_00F2EFF8
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_1_00F37440 FindFirstFileW,FindClose :: 3_1_00F37440
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_1_00F2EFF8 FindFirstFileExA :: 3_1_00F2EFF8
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: Code function: 9_2_00EF7440 FindFirstFileW,FindClose :: 9_2_00EF7440
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: Code function: 9_2_00EEEFF8 FindFirstFileExA :: 9_2_00EEEFF8
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_2_00B5EAC5 FindFirstFileExW :: 10_2_00B5EAC5
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_1_00B5EAC5 FindFirstFileExW :: 10_1_00B5EAC5
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe :: Code function: 16_2_00967368 FindFirstFileExA :: 16_2_00967368
Contains functionality to query system information
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_2_00B55845 GetModuleHandleW,GetProcAddress,GetSystemInfo :: 10_2_00B55845
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: Adobe AIR Application Installer.exe, 0000000C.00000003.6943180332.0000000008DF1000.00000004.sdmp :: Binary or memory string: Hyper-V RAWy
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000002.7086396216.0000000002350000.00000002.sdmp, Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7075372845.0000000002830000.00000002.sdmp :: Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Adobe AIR Installer.exe, 00000006.00000001.6549761698.000000006C654000.00000008.sdmp :: Binary or memory string: l.?AVPlayerAvmDebugger@avmplus@@
Source: Adobe AIR Installer.exe, 00000006.00000001.6549761698.000000006C654000.00000008.sdmp :: Binary or memory string: .?AVPlayerAvmDebugger@avmplus@@
Source: Adobe AIR Application Installer.exe :: Binary or memory string: Hyper-V RAW
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000002.7086396216.0000000002350000.00000002.sdmp, Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7075372845.0000000002830000.00000002.sdmp :: Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000002.7086396216.0000000002350000.00000002.sdmp, Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7075372845.0000000002830000.00000002.sdmp :: Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Balsamiq_Mockups_3.5.17.exe, 00000000.00000002.7086396216.0000000002350000.00000002.sdmp, Balsamiq_Mockups_3.5.17.tmp, 00000002.00000002.7075372845.0000000002830000.00000002.sdmp :: Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: API call chain: ExitProcess graph end node :: graph_3-9069, graph_3-9083, graph_3-9119, graph_3-9066, graph_3-9116, graph_3-9102, graph_3-9087, graph_3-9052, graph_3-9032, graph_3-9114, graph_3-9056, graph_3-9095, graph_3-9106, graph_3-9097, graph_3-9034, graph_3-9110, graph_3-9901, graph_3-9061, graph_3-9048, graph_3-9076, graph_3-9090, graph_3-9016, graph_3-9041, graph_3-9039, graph_3-9029, graph_3-9036, graph_3-9128, graph_3-9899, graph_3-9135, graph_3-9906 (30 exit points)
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: API call chain: ExitProcess graph end node :: graph_9-9785, graph_9-9735, graph_9-9756, graph_9-9778, graph_9-9770, graph_9-9762, graph_9-9790, graph_9-9787, graph_9-9743, graph_9-9748, graph_9-9802, graph_9-9701, graph_9-9767, graph_9-9760, graph_9-9766, graph_9-9713, graph_9-9704, graph_9-9690, graph_9-9724, graph_9-9741, graph_9-9776, graph_9-9707, graph_9-9710, graph_9-9809, graph_9-9714, graph_9-10003, graph_9-10007, graph_9-9721, graph_9-9730 (29 exit points)
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe :: API call chain: ExitProcess graph end node :: graph_16-21602, graph_16-21598, graph_16-21583, graph_16-21593 (4 exit points)
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp :: Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: File opened: C:\Windows\WinSxS\FileMaps\users_user_1_appdata_local_temp_air29be.tmp_32db24bab21409fb.cdf-ms
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: File opened: C:\Windows\WinSxS\FileMaps\users_user_1_appdata_local_temp_is-df2t6.tmp_cdc551e96cb9f19e.cdf-ms
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: File opened: C:\Windows\WinSxS\FileMaps\users_user_1_appdata_local_temp_air9454.tmp_1186f306e4e0873b.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_2_00F2E6E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 3_2_00F2E6E7
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_2_00F2DC16 mov eax, dword ptr fs:[00000030h] :: 3_2_00F2DC16
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_1_00F2DC16 mov eax, dword ptr fs:[00000030h] :: 3_1_00F2DC16
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: Code function: 9_2_00EEDC16 mov eax, dword ptr fs:[00000030h] :: 9_2_00EEDC16
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_2_00B5B4ED mov eax, dword ptr fs:[00000030h] :: 10_2_00B5B4ED
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_1_00B5B4ED mov eax, dword ptr fs:[00000030h] :: 10_1_00B5B4ED
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe :: Code function: 16_2_00964417 mov eax, dword ptr fs:[00000030h] :: 16_2_00964417
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_2_00F361D0 GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,ExitProcess,GetCommandLineW,GetModuleFileNameW,ExitProcess,CopyFileW,ExitProcess,CommandLineToArgvW,ExitProcess,DeleteFileW,RemoveDirectoryW,ExitProcess,GetModuleHandleW,GetProcAddress,AttachConsole,CreateThread,GetModuleFileNameW,ExitProcess,GetTempPathW,ExitProcess,GetTempFileNameW,ExitProcess,DeleteFileW,CreateDirectoryW,ExitProcess,CreateFileW,ExitProcess,ExitProcess,ExitProcess,CreateDirectoryW,GetLastError,ExitProcess,CreateFileW,ExitProcess,ReadFile,ExitProcess,ExitProcess,ExitProcess,ReadFile,ExitProcess,ExitProcess,MultiByteToWideChar,ExitProcess,SetFilePointer,ExitProcess,CreateDirectoryW,GetLastError,ExitProcess,SetFilePointer,ExitProcess,CreateFileW,ExitProcess,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,ReadFile,ExitProcess,ExitProcess,ExitProcess,ExitProcess,ExitProcess,GetProcessHeap,HeapFree,ReadFile,ExitProcess,ExitProcess,WriteFile,ExitProcess,ExitProcess,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,PathAppe (chain truncated in the report) :: 3_2_00F361D0
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_2_00F21860 SetUnhandledExceptionFilter :: 3_2_00F21860
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_2_00F2E6E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 3_2_00F2E6E7
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_2_00F21B42 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess :: 3_2_00F21B42
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_2_00F21712 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 3_2_00F21712
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_1_00F21860 SetUnhandledExceptionFilter :: 3_1_00F21860
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_1_00F2E6E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 3_1_00F2E6E7
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_1_00F21B42 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess :: 3_1_00F21B42
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe :: Code function: 3_1_00F21712 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 3_1_00F21712
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: Code function: 9_2_00EE1860 SetUnhandledExceptionFilter :: 9_2_00EE1860
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: Code function: 9_2_00EEE6E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 9_2_00EEE6E7
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: Code function: 9_2_00EE1B42 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess :: 9_2_00EE1B42
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe :: Code function: 9_2_00EE1712 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 9_2_00EE1712
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_2_00B54E0A SetUnhandledExceptionFilter :: 10_2_00B54E0A
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_2_00B5432E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess :: 10_2_00B5432E
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_2_00B54CAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 10_2_00B54CAB
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_2_00B5C43A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 10_2_00B5C43A
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_1_00B54E0A SetUnhandledExceptionFilter :: 10_1_00B54E0A
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_1_00B5432E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess :: 10_1_00B5432E
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_1_00B54CAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 10_1_00B54CAB
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe :: Code function: 10_1_00B5C43A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter :: 10_1_00B5C43A
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exeCode function: 16_2_00961D3D SetUnhandledExceptionFilter,16_2_00961D3D
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exeCode function: 16_2_00962011 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00962011
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exeCode function: 16_2_00964E65 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00964E65
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exeCode function: 16_2_00961BAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00961BAB

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe | Process created: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp 'C:\Users\user~1\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp' /SL5='$A0062,15640953,117760,C:\Users\user\Desktop\Balsamiq_Mockups_3.5.17.exe'
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe 'C:\Users\user~1\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe' -silent
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe 'C:\Users\user~1\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe' -silent -desktopShortcut -programMenu
Source: C:\Users\user\AppData\Local\Temp\is-V2TF4.tmp\Balsamiq_Mockups_3.5.17.tmp | Process created: C:\Program Files (x86)\Balsamiq Mockups 3\Balsamiq Mockups 3.exe C:\Program Files (x86)\Balsamiq Mockups 3\Balsamiq Mockups 3.exe
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Process created: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe 'C:\Users\user~1\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe' -silent
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exe | Process created: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe 'C:\Users\user~1\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe' -silent -desktopShortcut -programMenu
Source: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe | Process created: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe 'Adobe AIR Application Installer.exe' -silent -desktopShortcut -programMenu 'C:\Users\user~1\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3'
Source: C:\Program Files (x86)\Balsamiq Mockups 3\Balsamiq Mockups 3.exe | Process created: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe 'c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe' -eula -nai
May try to detect the Windows Explorer process (often used for injection)
Source: Balsamiq Mockups 3.exe, 0000000F.00000002.8864315850.0000000002F40000.00000002.sdmp, Adobe AIR Updater.exe, 00000010.00000002.8893664089.00000000037F0000.00000002.sdmp | Binary or memory string: Program Manager
Source: Balsamiq Mockups 3.exe, 0000000F.00000002.8864315850.0000000002F40000.00000002.sdmp, Adobe AIR Updater.exe, 00000010.00000002.8893664089.00000000037F0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: Balsamiq Mockups 3.exe, 0000000F.00000002.8864315850.0000000002F40000.00000002.sdmp, Adobe AIR Updater.exe, 00000010.00000002.8893664089.00000000037F0000.00000002.sdmp | Binary or memory string: Progman

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)Show sources
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeCode function: 3_2_00F2198B cpuid 3_2_00F2198B
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\setup.swf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\digest.s VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\digest.s VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\setup.msi VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\setup.msi VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\Balsamiq_Mockups_AIR.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\digest.s VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\digest.s VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\AIR\application.xml VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\AIR\application.xml VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\AIR\hash VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\AIR\hash VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\signatures.xml VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\signatures.xml VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\AIR\application.xml VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\AIR\application.xml VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\AIR\hash VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\AIR\hash VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\signatures.xml VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\signatures.xml VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\Balsamiq Mockups 3.exe VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\balsamiq_mockups_3.5.17.swf VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\balsamiq_mockups_3.5.17.swf VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\balsamiq_mockups_3.5.17.swf VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\balsamiq_mockups_3.5.17.swf VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\framework_4.6.0.23201.swf VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\framework_4.6.0.23201.swf VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\framework_4.6.0.23201.swf VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\framework_4.6.0.23201.swf VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_128.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_128.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_128.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_128.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_16.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_16.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_16.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_16.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_29.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_29.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_29.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_29.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_32.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_32.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_32.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_32.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_36.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_36.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_36.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_36.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_48.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_48.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_48.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_48.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_512.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_512.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_512.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_doc_ico_512.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_128.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_128.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_128.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_128.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_16.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_16.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_16.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_16.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_29.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_29.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_29.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_29.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_32.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_32.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_32.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_32.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_36.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_36.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_36.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_36.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_48.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_48.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_48.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_48.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_512.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_512.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_512.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\icons\mockups_ico_512.png VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\AIR\application.xml VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\AIR\hash VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\META-INF\signatures.xml VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\mimetype VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\setup.msi | VolumeInformation
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\skins\sketch.swf | VolumeInformation
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\skins\wireframe.swf | VolumeInformation
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\textLayout_2.0.0.232.swf | VolumeInformation
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | Queries volume information: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer | VolumeInformation
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe | Queries volume information: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\setup.swf | VolumeInformation
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe | Queries volume information: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\stylesNative.swf | VolumeInformation
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\flaE425.tmp | VolumeInformation
Source: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe | Queries volume information: C:\ | VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\AdobeAIRInstaller.exe | Code function: 3_2_00F215EF GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 3_2_00F215EF
Queries the cryptographic machine GUID
Source: C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 125616 | Sample: Balsamiq_Mockups_3.5.17.exe | Startdate: 25/04/2019 | Architecture: WINDOWS | Score: 18

Signature on sample: Flash file may contain encrypted javascript

Process tree (dropped files and network contacts recovered from the graph):

Balsamiq_Mockups_3.5.17.exe started
  dropped: C:\Users\user\...\Balsamiq_Mockups_3.5.17.tmp (PE32)
  Balsamiq_Mockups_3.5.17.tmp started
    dropped: C:\Users\user\AppData\Local\...\is-SU70D.tmp (PE32)
    dropped: C:\Users\user\AppData\Local\...\is-FDMO6.tmp (PE32)
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    AdobeAIRInstaller.exe started
      dropped: C:\Users\user\AppData\Local\...\template.exe (PE32)
      dropped: C:\Users\user\AppData\...\airappinstaller.exe (PE32)
      dropped: C:\Users\user\AppData\Local\...\WebKit.dll (PE32)
      dropped: 6 other files (none is malicious)
      Adobe AIR Installer.exe started
        dropped: C:\Users\Default\...\airappinstaller.exe (PE32)
    Balsamiq_Mockups_AIR.exe started
      dropped: C:\Users\...\Install Balsamiq Mockups 3.exe (PE32)
      dropped: C:\Users\user\...\Balsamiq Mockups 3.exe (PE32)
      Install Balsamiq Mockups 3.exe started
        Adobe AIR Application Installer.exe started
          DNS: crl.starfieldtech.com
          DNS: crl.godaddy.com
          dropped: C:\Users\user\AppData\...\airappinstaller.exe (PE32)
        conhost.exe started
    Balsamiq Mockups 3.exe started
      Adobe AIR Updater.exe started

Simulations

Behavior and APIs

Time | Type | Description
04:39:17 | API Interceptor | 5x Sleep call for process: Balsamiq_Mockups_3.5.17.exe modified
04:39:51 | API Interceptor | 2x Sleep call for process: Adobe AIR Installer.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
Balsamiq_Mockups_3.5.17.exe | 0% | virustotal | -
Balsamiq_Mockups_3.5.17.exe | 3% | metadefender | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe | 0% | virustotal | -
C:\Users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe | 0% | metadefender | -
C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\Balsamiq Mockups 3.exe | 1% | virustotal | -
C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Balsamiq Mockups 3\Balsamiq Mockups 3.exe | 0% | metadefender | -
C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe | 0% | virustotal | -
C:\Users\user\AppData\Local\Temp\AIR29BE.tmp\Install Balsamiq Mockups 3.exe | 0% | metadefender | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | 0% | virustotal | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR Installer.exe | 0% | metadefender | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | 0% | virustotal | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | 0% | metadefender | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll | 0% | virustotal | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll | 0% | metadefender | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe | 0% | virustotal | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe | 0% | metadefender | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll | 0% | virustotal | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll | 0% | metadefender | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF64.dll | 0% | virustotal | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF64.dll | 0% | metadefender | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll | 0% | virustotal | -
C:\Users\user\AppData\Local\Temp\AIR9454.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll | 0% | metadefender | -

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://a.http://%sSharedObject.UriMismatchpendingSharedObject.BadPersistence | 0% | Avira URL Cloud | safe
http://www.macromedia.comh | 0% | Avira URL Cloud | safe
http://www.macromedia.comA | 0% | Avira URL Cloud | safe
https://auth.adobefpl.com/1/?nocache=load-authorized-features-from-data | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\is-DF2T6.tmp\_isetup\_setup64.tmp

Associated Sample Name / URL | Detection
dc149e8a-fe99-4d4e-9676-fbdb95a66874.exe | malicious
http://deepnut.com/DeepNutSetup.exe | malicious
pw11-free.exe | malicious
xelPi.exe | malicious
ntlsd.exe | malicious
chico2018.exe | malicious
feDQAZGsjj.exe | malicious
https://download.aoscdn.com/down.php?softid=vdcsaas | malicious
Revo Uninstaller Pro v.4.0.0 Multi + NL by ElChaca.exe | malicious
3aEjXSuA0D.exe | malicious
AnalyticsEdgeBasicInstaller.exe | malicious
bgtrade_setup_win_x64.exe | malicious
RENIEC-PortalCiudadano-1.1.exe | malicious
putty.exe | malicious
https://go.microsoft.com/fwlink/?LinkId=708343&clcid=0x409 | malicious
AdsShow.exe | malicious
pw11-free.exe | malicious
clipgrab-3.8.1-cgorg.exe | malicious
http://download.easeus.com/free/tb_free.exe | malicious

Screenshots

Thumbnails