Windows Analysis Report
AdobePhotoshop.exe

Overview

General Information

Sample Name: AdobePhotoshop.exe
Analysis ID: 831162
MD5: bedbec22f0ae7c2548ce8fd07bfb04ef
SHA1: 753a2ca15710cf7ec16b59abc768a459f451e8e3
SHA256: 797bd80d43c4ef7ab8fde178ca551ad2f9141ca3552ce42c8e96ccc95dc6d3bb
Tags: exefakeloaderstealer

Detection

Score: 12
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Obfuscated command line found
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Drops PE files
PE file contains sections with non-standard names
Detected potential crypto function
PE / OLE file has an invalid certificate
Found dropped PE file which has not been started or loaded
Uses Microsoft's Enhanced Cryptographic Provider
PE file contains executable resources (Code or Archives)

Classification

Source: 1.2.AdobePhotoshop.tmp.36f9ed0.1.unpack Avira: Label: TR/Patched.Ren.Gen3
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130
Source: AdobePhotoshop.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: AdobePhotoshop.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517028042.00000000034E3000.00000002.00000001.01000000.00000007.sdmp, _isdecmp.dll.1.dr
Source: Binary string: ISADMINLOGGEDONRelease\isunzlib.pdb source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.usertru
Source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/cscasha
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: AdobePhotoshop.exe, 00000000.00000002.513844223.0000000002378000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247193947.0000000002680000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000003.251571715.0000000003470000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.514556832.00000000024A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.haysoft.org%1-k
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: https://jrsoftware.org/
Source: AdobePhotoshop.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: https://jrsoftware.org0
Source: AdobePhotoshop.exe, AdobePhotoshop.tmp.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS05
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr String found in binary or memory: https://www.certum.pl/CPS0
Source: AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247627651.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000000.249756458.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AdobePhotoshop.tmp.0.dr String found in binary or memory: https://www.innosetup.com/
Source: AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247627651.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000000.249756458.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AdobePhotoshop.tmp.0.dr String found in binary or memory: https://www.remobjects.com/ps
Source: AdobePhotoshop.exe, 00000000.00000000.246912093.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FE75000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe, 00000000.00000003.247627651.00000000028A9000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe, 00000000.00000002.513844223.0000000002448000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Code function: 1_2_034E1260 1_2_034E1260
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Code function: 1_2_034E1D20 1_2_034E1D20
Source: AdobePhotoshop.exe Static PE information: invalid certificate
Source: AdobePhotoshop.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: C:\Users\user\Desktop\AdobePhotoshop.exe File read: C:\Users\user\Desktop\AdobePhotoshop.exe
Source: C:\Users\user\Desktop\AdobePhotoshop.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AdobePhotoshop.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown Process created: C:\Users\user\Desktop\AdobePhotoshop.exe C:\Users\user\Desktop\AdobePhotoshop.exe
Source: C:\Users\user\Desktop\AdobePhotoshop.exe Process created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp "C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe"
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\AdobePhotoshop.exe File created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp
Source: AdobePhotoshop.exe String found in binary or memory: /LOADINF="filename"
Source: classification engine Classification label: clean12.winEXE@3/4@0/0
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Window found: window name: TSelectLanguageForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: AdobePhotoshop.exe Static file information: File size 1894312 > 1048576

Data Obfuscation

Source: C:\Users\user\Desktop\AdobePhotoshop.exe Process created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp "C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe"
Source: AdobePhotoshop.exe Static PE information: section name: .didata
Source: AdobePhotoshop.tmp.0.dr Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp File created: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp File created: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\Desktop\AdobePhotoshop.exe File created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp File created: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\Desktop\AdobePhotoshop.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_isdecmp.dll
No contacted IP infos