Windows Analysis Report
AdobePhotoshop.exe

Overview

General Information

Sample Name: AdobePhotoshop.exe
Analysis ID: 831162
MD5: bedbec22f0ae7c2548ce8fd07bfb04ef
SHA1: 753a2ca15710cf7ec16b59abc768a459f451e8e3
SHA256: 797bd80d43c4ef7ab8fde178ca551ad2f9141ca3552ce42c8e96ccc95dc6d3bb
Tags: exefakeloaderstealer

Detection

Score: 12
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Obfuscated command line found
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Drops PE files
PE file contains sections with non-standard names
Detected potential crypto function
PE / OLE file has an invalid certificate
Found dropped PE file which has not been started or loaded
Uses Microsoft's Enhanced Cryptographic Provider
PE file contains executable resources (Code or Archives)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • AdobePhotoshop.exe (PID: 6108 cmdline: C:\Users\user\Desktop\AdobePhotoshop.exe MD5: BEDBEC22F0AE7C2548CE8FD07BFB04EF)
    • AdobePhotoshop.tmp (PID: 6088 cmdline: "C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe" MD5: C35E48F7A65E98E6DDC5C270B899FF35)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: 1.2.AdobePhotoshop.tmp.36f9ed0.1.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Code function: 1_2_10001000 ISCryptGetVersion,
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Code function: 1_2_10001130 ArcFourCrypt,
Source: AdobePhotoshop.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: AdobePhotoshop.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517028042.00000000034E3000.00000002.00000001.01000000.00000007.sdmp, _isdecmp.dll.1.dr
Source: Binary string: ISADMINLOGGEDONRelease\isunzlib.pdb source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.usertru
Source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://repository.certum.pl/cscasha
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: http://subca.ocsp-certum.com01
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: http://www.certum.pl/CPS0
Source: AdobePhotoshop.exe, 00000000.00000002.513844223.0000000002378000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247193947.0000000002680000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000003.251571715.0000000003470000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.514556832.00000000024A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.haysoft.org%1-k
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: https://jrsoftware.org/
Source: AdobePhotoshop.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: https://jrsoftware.org0
Source: AdobePhotoshop.exe, AdobePhotoshop.tmp.0.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS05
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: https://sectigo.com/CPS0D
Source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | String found in binary or memory: https://www.certum.pl/CPS0
Source: AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247627651.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000000.249756458.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AdobePhotoshop.tmp.0.dr | String found in binary or memory: https://www.innosetup.com/
Source: AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247627651.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000000.249756458.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AdobePhotoshop.tmp.0.dr | String found in binary or memory: https://www.remobjects.com/ps
Source: AdobePhotoshop.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: AdobePhotoshop.exe, 00000000.00000000.246912093.00000000004C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FE75000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe, 00000000.00000003.247627651.00000000028A9000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe, 00000000.00000002.513844223.0000000002448000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs AdobePhotoshop.exe
Source: AdobePhotoshop.exe | Binary or memory string: OriginalFileName vs AdobePhotoshop.exe
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Code function: 1_2_034E1260
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Code function: 1_2_034E1D20
Source: AdobePhotoshop.exe | Static PE information: invalid certificate
Source: AdobePhotoshop.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: C:\Users\user\Desktop\AdobePhotoshop.exe | File read: C:\Users\user\Desktop\AdobePhotoshop.exe
Source: C:\Users\user\Desktop\AdobePhotoshop.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AdobePhotoshop.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown | Process created: C:\Users\user\Desktop\AdobePhotoshop.exe C:\Users\user\Desktop\AdobePhotoshop.exe
Source: C:\Users\user\Desktop\AdobePhotoshop.exe | Process created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp "C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe"
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\AdobePhotoshop.exe | File created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp
Source: AdobePhotoshop.exe | String found in binary or memory: /LOADINF="filename"
Source: classification engine | Classification label: clean12.winEXE@3/4@0/0
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Window found: window name: TSelectLanguageForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: AdobePhotoshop.exe | Static file information: File size 1894312 > 1048576
Source: AdobePhotoshop.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517028042.00000000034E3000.00000002.00000001.01000000.00000007.sdmp, _isdecmp.dll.1.dr
Source: Binary string: ISADMINLOGGEDONRelease\isunzlib.pdb source: AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\AdobePhotoshop.exe | Process created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp "C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe"
Source: AdobePhotoshop.exe | Static PE information: section name: .didata
Source: AdobePhotoshop.tmp.0.dr | Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | File created: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | File created: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\Desktop\AdobePhotoshop.exe | File created: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | File created: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\Desktop\AdobePhotoshop.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp | Code function: 1_2_10001000 ISCryptGetVersion,
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 12 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Owner/User Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Software Packing | LSASS Memory | 2 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Source | Detection | Scanner | Label
AdobePhotoshop.exe | 3% | ReversingLabs | Win32.PUA.Generic

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_isdecmp.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-BP29Q.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |

Source | Detection | Scanner | Label
1.2.AdobePhotoshop.tmp.36f9ed0.1.unpack | 100% | Avira | TR/Patched.Ren.Gen3

No Antivirus matches

Source | Detection | Scanner | Label
http://www.haysoft.org%1-k | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://www.remobjects.com/ps | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe
https://www.innosetup.com/ | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
http://cscasha2.ocsp-certum.com04 | 0% | URL Reputation | safe
https://sectigo.com/CPS05 | 0% | Avira URL Cloud | safe
https://jrsoftware.org0 | 0% | Avira URL Cloud | safe
http://ocsp.usertru | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.haysoft.org%1-k | AdobePhotoshop.exe, 00000000.00000002.513844223.0000000002378000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247193947.0000000002680000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000003.251571715.0000000003470000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.514556832.00000000024A0000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr | false | URL Reputation: safe | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | AdobePhotoshop.exe | false | | high
https://sectigo.com/CPS0 | AdobePhotoshop.exe, AdobePhotoshop.tmp.0.dr | false | URL Reputation: safe | unknown
http://repository.certum.pl/ctnca.cer09 | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | | high
http://repository.certum.pl/cscasha2.cer0 | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | | high
http://ocsp.sectigo.com0 | AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr | false | URL Reputation: safe | unknown
http://crl.certum.pl/ctnca.crl0k | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | | high
https://www.remobjects.com/ps | AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247627651.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000000.249756458.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AdobePhotoshop.tmp.0.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | AdobePhotoshop.exe, _isdecmp.dll.1.dr, AdobePhotoshop.tmp.0.dr | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com01 | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | URL Reputation: safe | unknown
https://www.innosetup.com/ | AdobePhotoshop.exe, 00000000.00000003.248003228.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.exe, 00000000.00000003.247627651.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000000.249756458.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AdobePhotoshop.tmp.0.dr | false | URL Reputation: safe | unknown
http://ocsp.usertru | AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0D | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | URL Reputation: safe | unknown
https://jrsoftware.org0 | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | Avira URL Cloud: safe | unknown
https://jrsoftware.org/ | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | | high
https://www.certum.pl/CPS0 | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | | high
http://crl.certum.pl/cscasha2.crl0q | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | | high
http://www.certum.pl/CPS0 | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | | high
https://sectigo.com/CPS05 | AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://repository.certum.pl/cscasha | AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://cscasha2.ocsp-certum.com04 | AdobePhotoshop.tmp, 00000001.00000003.251571715.000000000353B000.00000004.00001000.00020000.00000000.sdmp, AdobePhotoshop.tmp, 00000001.00000002.517058225.00000000036EF000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr | false | URL Reputation: safe | unknown
                    No contacted IP infos
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 831162
Start date and time: 2023-03-21 07:13:09 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 25s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: AdobePhotoshop.exe
Detection: CLEAN
Classification: clean12.winEXE@3/4@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 90% (good quality ratio 90%)
  • Quality average: 91.5%
  • Quality standard deviation: 16.8%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
  • Execution Graph export aborted for target AdobePhotoshop.tmp, PID 6088 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: AdobePhotoshop.exe
                    No simulations
                    No context
                    Process:C:\Users\user\Desktop\AdobePhotoshop.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):3248832
                    Entropy (8bit):6.374526695886884
                    Encrypted:false
                    SSDEEP:49152:Zdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjc333vw:qHDYsqiPRhINnq95FoHVBc333o
                    MD5:C35E48F7A65E98E6DDC5C270B899FF35
                    SHA1:614A308DB5B47D12AB9E3E457C342767BCCEE14B
                    SHA-256:0C36B4BB44A2F95A6B1B43549891E40C54E29A89EF0570A7EF9E60A5CD4B48DF
                    SHA-512:2A1686B3B26D997B777B21E8F50BE109492616FFB47AEBFC96ED20095F3BF7970D1D8D403FF4301BDFC63E239F034A9107F91577C7406C1641397E550F3752AA
                    Malicious:true
                    Reputation:low
                    Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,..6......`V,......`,...@..........................`2.......2...@......@....................-.......-..9.......Y...........|1.......................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc....Y.......Z..."-.............@..@..............1.......0.............@..@........................................................
                    Process:C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.8818118453929262
                    Encrypted:false
                    SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                    MD5:A69559718AB506675E907FE49DEB71E9
                    SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                    SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                    SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:high, very likely benign file
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):29472
                    Entropy (8bit):7.042110181107409
                    Encrypted:false
                    SSDEEP:768:BD7FEAbd+EDsIOmF+OiR9rikW/F+M9OAriXiRQU:M07sIOYRiPWkWNl9WXil
                    MD5:077CB4461A2767383B317EB0C50F5F13
                    SHA1:584E64F1D162398B7F377CE55A6B5740379C4282
                    SHA-256:8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
                    SHA-512:B1FCB0265697561EF497E6A60FCEE99DC5EA0CF02B4010DA9F5ED93BCE88BDFEA6BFE823A017487B8059158464EA29636AAD8E5F9DD1E8B8A1B6EAAAB670E547
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:moderate, very likely benign file
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(....................4.. ?...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp
                    File Type:PE32+ executable (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):6144
                    Entropy (8bit):4.720366600008286
                    Encrypted:false
                    SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                    MD5:E4211D6D009757C078A9FAC7FF4F03D4
                    SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                    SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                    SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:high, very likely benign file
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.470929133092286
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 98.45%
                    • Inno Setup installer (109748/4) 1.08%
                    • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    File name:AdobePhotoshop.exe
                    File size:1894312
                    MD5:bedbec22f0ae7c2548ce8fd07bfb04ef
                    SHA1:753a2ca15710cf7ec16b59abc768a459f451e8e3
                    SHA256:797bd80d43c4ef7ab8fde178ca551ad2f9141ca3552ce42c8e96ccc95dc6d3bb
                    SHA512:d5498ddbd92e9a80b077119424d51ff4d830a60f5aee868c0d339618eaa104e448281b9ba484a8bd1f18d89ec31ba1862bd89e1e93a4508f4a797475d7e5d3b6
                    SSDEEP:24576:Z7FUDowAyrTVE3U5FTd8w8cfRenhAb9hRZaOyKMG0NDU+ExFYG6i5NwImxgYxhvc:ZBuZrEU+/cz9nZ5wDPEzY3ONdmxRbLI
                    TLSH:A1959E3BB268653FC46A463F2572933099F7AA51E41E8C1A87E014CCCFE5460DE3B69D
                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                    Icon Hash:c498d8eccce49a44
                    Entrypoint:0x4b5eec
                    Entrypoint Section:.itext
                    Digitally signed:true
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Time Stamp:0x6258476F [Thu Apr 14 16:10:23 2022 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:6
                    OS Version Minor:1
                    File Version Major:6
                    File Version Minor:1
                    Subsystem Version Major:6
                    Subsystem Version Minor:1
                    Import Hash:e569e6f445d32ba23766ad67d1e3787f
                    Signature Valid:false
                    Signature Issuer:CN=Hamill.net
                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                    Error Number:-2146762487
                    Not Before:3/20/2023 7:42:06 PM
                    Not After:3/20/2024 8:02:06 PM
                    Subject Chain
                    • CN=Hamill.net
                    Version:3
                    Thumbprint MD5:D33C0CAD0E7BE3F644996784264BD732
                    Thumbprint SHA-1:4BDBA3CCF708FE9787D56A496E725A699CCC587A
                    Thumbprint SHA-256:BA71AEB053FBE5C0AFDC7D4381E32648A4C7D8F6A1C94296DBD8E6091EF5764F
                    Serial:1167B047543881B048A6BA84E2A7B95C
                    Instruction
                    push ebp
                    mov ebp, esp
                    add esp, FFFFFFA4h
                    push ebx
                    push esi
                    push edi
                    xor eax, eax
                    mov dword ptr [ebp-3Ch], eax
                    mov dword ptr [ebp-40h], eax
                    mov dword ptr [ebp-5Ch], eax
                    mov dword ptr [ebp-30h], eax
                    mov dword ptr [ebp-38h], eax
                    mov dword ptr [ebp-34h], eax
                    mov dword ptr [ebp-2Ch], eax
                    mov dword ptr [ebp-28h], eax
                    mov dword ptr [ebp-14h], eax
                    mov eax, 004B14B8h
                    call 00007F2E0CC92635h
                    xor eax, eax
                    push ebp
                    push 004B65E2h
                    push dword ptr fs:[eax]
                    mov dword ptr fs:[eax], esp
                    xor edx, edx
                    push ebp
                    push 004B659Eh
                    push dword ptr fs:[edx]
                    mov dword ptr fs:[edx], esp
                    mov eax, dword ptr [004BE634h]
                    call 00007F2E0CD35127h
                    call 00007F2E0CD34C7Ah
                    lea edx, dword ptr [ebp-14h]
                    xor eax, eax
                    call 00007F2E0CCA80D4h
                    mov edx, dword ptr [ebp-14h]
                    mov eax, 004C1D84h
                    call 00007F2E0CC8D227h
                    push 00000002h
                    push 00000000h
                    push 00000001h
                    mov ecx, dword ptr [004C1D84h]
                    mov dl, 01h
                    mov eax, dword ptr [004238ECh]
                    call 00007F2E0CCA9257h
                    mov dword ptr [004C1D88h], eax
                    xor edx, edx
                    push ebp
                    push 004B654Ah
                    push dword ptr fs:[edx]
                    mov dword ptr fs:[edx], esp
                    call 00007F2E0CD351AFh
                    mov dword ptr [004C1D90h], eax
                    mov eax, dword ptr [004C1D90h]
                    cmp dword ptr [eax+0Ch], 01h
                    jne 00007F2E0CD3B3CAh
                    mov eax, dword ptr [004C1D90h]
                    mov edx, 00000028h
                    call 00007F2E0CCA9B4Ch
                    mov edx, dword ptr [004C1D90h]
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x23ddc | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1cd0e8 | 0x16c0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0xb39e4 | 0xb3a00 | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .itext | 0xb5000 | 0x1688 | 0x1800 | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .data | 0xb7000 | 0x37a4 | 0x3800 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .bss | 0xbb000 | 0x6de8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .idata | 0xc2000 | 0xfdc | 0x1000 | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .didata | 0xc3000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .edata | 0xc4000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .tls | 0xc5000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rdata | 0xc6000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .rsrc | 0xc7000 | 0x23ddc | 0x23e00 | False | 0.3133302482578397 | data | 5.150053503198692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0xc75b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
                    RT_ICON | 0xc7a20 | 0x9b8 | Device independent bitmap graphic, 24 x 48 x 32, image size 2448 | English | United States
                    RT_ICON | 0xc83d8 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States
                    RT_ICON | 0xc9500 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States
                    RT_ICON | 0xcbb68 | 0x4428 | Device independent bitmap graphic, 64 x 128 x 32, image size 17408 | English | United States
                    RT_ICON | 0xcff90 | 0x5638 | Device independent bitmap graphic, 72 x 144 x 32, image size 22032 | English | United States
                    RT_ICON | 0xd55c8 | 0x9928 | Device independent bitmap graphic, 96 x 192 x 32, image size 39168 | English | United States
                    RT_ICON | 0xdeef0 | 0x17b5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                    RT_ICON | 0xe06a8 | 0x775a | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States
                    RT_STRING | 0xe7e04 | 0x360 | data | |
                    RT_STRING | 0xe8164 | 0x260 | data | |
                    RT_STRING | 0xe83c4 | 0x45c | data | |
                    RT_STRING | 0xe8820 | 0x40c | data | |
                    RT_STRING | 0xe8c2c | 0x2d4 | data | |
                    RT_STRING | 0xe8f00 | 0xb8 | data | |
                    RT_STRING | 0xe8fb8 | 0x9c | data | |
                    RT_STRING | 0xe9054 | 0x374 | data | |
                    RT_STRING | 0xe93c8 | 0x398 | data | |
                    RT_STRING | 0xe9760 | 0x368 | data | |
                    RT_STRING | 0xe9ac8 | 0x2a4 | data | |
                    RT_RCDATA | 0xe9d6c | 0x10 | data | |
                    RT_RCDATA | 0xe9d7c | 0x2c4 | data | |
                    RT_RCDATA | 0xea040 | 0x2c | data | |
                    RT_GROUP_ICON | 0xea06c | 0x84 | data | English | United States
                    RT_VERSION | 0xea0f0 | 0x584 | data | English | United States
                    RT_MANIFEST | 0xea674 | 0x765 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
                    DLL | Import
                    kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                    comctl32.dll | InitCommonControls
                    version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                    user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                    oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                    netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
                    advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
                    Name | Ordinal | Address
                    TMethodImplementationIntercept | 3 | 0x4541a8
                    __dbk_fcall_wrapper | 2 | 0x40d0a0
                    dbkFCallWrapperAddr | 1 | 0x4be63c
                    Language of compilation system | Country where language is spoken
                    English | United States
                    Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.


                    Target ID:0
                    Start time:07:14:03
                    Start date:21/03/2023
                    Path:C:\Users\user\Desktop\AdobePhotoshop.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\Desktop\AdobePhotoshop.exe
                    Imagebase:0x400000
                    File size:1894312 bytes
                    MD5 hash:BEDBEC22F0AE7C2548CE8FD07BFB04EF
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:Borland Delphi
                    Reputation:low

                    Target ID:1
                    Start time:07:14:04
                    Start date:21/03/2023
                    Path:C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\is-7NLVQ.tmp\AdobePhotoshop.tmp" /SL5="$40258,909824,0,C:\Users\user\Desktop\AdobePhotoshop.exe"
                    Imagebase:0x400000
                    File size:3248832 bytes
                    MD5 hash:C35E48F7A65E98E6DDC5C270B899FF35
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:Borland Delphi
                    Reputation:low

                    No disassembly