InDesign_Set-Up.exe
This report was generated from a file or URL submitted to this web service on March 27th 2019 20:55:29 (UTC) with the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint
  - Queries firmware table information (may be used to fingerprint/evade)
  - Queries kernel debugger information
  - Queries process information
  - Queries sensitive IE security settings
  - Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
  - Possibly tries to evade analysis by sleeping many times
  - Possibly tries to implement anti-virtualization techniques
  - The input sample contains a known anti-VM trick
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 9 domains and 10 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (5)

Anti-Detection/Stealthiness

Queries firmware table information (may be used to fingerprint/evade)
- details:
"InDesign_Set-Up.exe" at 00007876-00000580-00000105-13014024299
"InDesign_Set-Up.exe" at 00007876-00000580-00000105-13014242719
"InDesign_Set-Up.exe" at 00007876-00000580-00000105-17961898375
"InDesign_Set-Up.exe" at 00007876-00000580-00000105-17962127546
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1120
Environment Awareness

The input sample contains a known anti-VM trick
- details: Found VM detection artifact "CPUID trick" in "7bbc9e83a633d35c42c3f77714ec65f4200f0ab51031ba8cbafc43a4a1d14298.bin" (Offset: 436504)
- source: Binary File
- relevance: 5/10
Network Related

Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "107.23.89.178": ...
Found malicious artifacts related to "72.167.18.239": ...
Found malicious artifacts related to "34.195.22.135": ...
- source: Network Traffic
- relevance: 10/10
Multiple malicious artifacts seen in the context of different hosts
- details: malicious artifacts were found related to "107.23.89.178", "72.167.18.239" and "34.195.22.135" (the same artifact list as for the previous indicator)
- source: Network Traffic
- relevance: 10/10
Unusual Characteristics

Checks for a resource fork (ADS) file
- details: "InDesign_Set-Up.exe" checked file "C:"
- source: API Call
- relevance: 5/10
Suspicious Indicators (29)

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: "InDesign_Set-Up.exe" is protecting 8192 bytes with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10

PE file has unusual entropy sections
- details: UPX1 with unusual entropy 7.89465955783
- source: Static Parser
- relevance: 10/10

PE file is packed with UPX
- details:
"7bbc9e83a633d35c42c3f77714ec65f4200f0ab51031ba8cbafc43a4a1d14298.bin" has a section named "UPX0"
"7bbc9e83a633d35c42c3f77714ec65f4200f0ab51031ba8cbafc43a4a1d14298.bin" has a section named "UPX1"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1045
Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details: "{"directXVersion":"11","displays":[{"gpuDirectXVersion":"unknown","gpuDriverDate":"1/14/2019","gpuDriverDateIntl":"2019/01/14","gpuDriverVersion":"5.2.24.0","gpuModelName":"VirtualBox Graphics Adapter","heightInPixels":"611","vRAMInMB":"13.5","widthInPixels":"" (Indicator: "virtualbox"), "VBoxDisp" (Indicator: "vbox"), "VBoxDisp.dll" (Indicator: "vbox")
- source: File/Memory
- relevance: 4/10

Reads the cryptographic machine GUID
- details: "InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General

Opened the service control manager
- details:
"InDesign_Set-Up.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"InDesign_Set-Up.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1035

Reads configuration files
- details: "InDesign_Set-Up.exe" read file "%USERPROFILE%\win.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence

Monitors specific registry key for changes
- details:
"InDesign_Set-Up.exe" monitors "\REGISTRY\USER\S-1-5-21-2092356043-4041700817-663127204-1001\Software\Microsoft\SystemCertificates\Root" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\USER\S-1-5-21-2092356043-4041700817-663127204-1001\Software\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\USER\S-1-5-21-2092356043-4041700817-663127204-1001\Software\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\USER\S-1-5-21-2092356043-4041700817-663127204-1001\Software\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\USER\S-1-5-21-2092356043-4041700817-663127204-1001\Software\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\USER\S-1-5-21-2092356043-4041700817-663127204-1001\Software\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\USER\S-1-5-21-2092356043-4041700817-663127204-1001\Software\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 1)
"InDesign_Set-Up.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople" (Filter: 5; Subtree: 1) - source
- API Call
- relevance
- 4/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
Opens the MountPointManager (often used to detect additional infection locations)
- details: "InDesign_Set-Up.exe" opened "\Device\MountPointManager"
- source: API Call
- relevance: 5/10
Network Related

Detected increased number of ARP broadcast requests (network device lookup)
- details: Attempt to find devices in networks: "192.168.240.17/32, 192.168.240.25/32, 192.168.240.38/32, 192.168.240.229/32, ..."
- source: Network Traffic
- relevance: 10/10
- ATT&CK ID: T1046

Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
TCP traffic to 52.200.103.144 on port 443 is sent without HTTP header
TCP traffic to 52.73.87.138 on port 443 is sent without HTTP header
TCP traffic to 34.237.151.5 on port 443 is sent without HTTP header
TCP traffic to 52.71.35.35 on port 443 is sent without HTTP header
TCP traffic to 52.85.116.201 on port 443 is sent without HTTP header
TCP traffic to 184.26.101.86 on port 443 is sent without HTTP header
TCP traffic to 107.23.89.178 on port 443 is sent without HTTP header
TCP traffic to 35.173.18.179 on port 443 is sent without HTTP header
TCP traffic to 72.167.18.239 on port 80 is sent without HTTP header
TCP traffic to 34.195.22.135 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
System Destruction

Marks file for deletion
- details:
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Adobe\OOBE\opm.db-journal" for deletion
"C:\InDesign_Set-Up.exe" marked "%TEMP%\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\errorIcon.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\errorIcon2x.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\facebook.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\facebook2x.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\google.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\google2x.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\productIcon.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\productIcon2x.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\productIcon4x.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\spinner.gif" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\spinner2x.gif" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\timer.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\timer2x.png" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\main.js" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\mainController.js" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\overlayController.js" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\utils.js" for deletion
"C:\InDesign_Set-Up.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js" for deletion - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens file with deletion access rights
- details
-
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Adobe\OOBE\opm.db-journal" with delete access
"InDesign_Set-Up.exe" opened "%TEMP%\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\errorIcon.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\errorIcon2x.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\facebook.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\facebook2x.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\google.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\google2x.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\productIcon.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\productIcon2x.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\productIcon4x.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\spinner.gif" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\spinner2x.gif" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\timer.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\timer2x.png" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\main.js" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\mainController.js" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\overlayController.js" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\utils.js" with delete access
"InDesign_Set-Up.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js" with delete access - source
- API Call
- relevance
- 7/10
-
Marks file for deletion
System Security

Modifies Software Policy Settings
- details:
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Modifies proxy settings
- details
-
"InDesign_Set-Up.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"InDesign_Set-Up.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"InDesign_Set-Up.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"InDesign_Set-Up.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"InDesign_Set-Up.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries sensitive IE security settings
- details
- "InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Modifies Software Policy Settings
Unusual Characteristics

CRC value set in PE header does not match actual value
- details: "7bbc9e83a633d35c42c3f77714ec65f4200f0ab51031ba8cbafc43a4a1d14298.bin" claimed CRC 2147026 while the actual is CRC 2147894
- source: Static Parser
- relevance: 10/10

Entrypoint in PE header is within an uncommon section
- details: "7bbc9e83a633d35c42c3f77714ec65f4200f0ab51031ba8cbafc43a4a1d14298.bin" has an entrypoint in section "UPX1"
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details:
VirtualProtect
GetProcAddress
VirtualAlloc
LoadLibraryA
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
"InDesign_Set-Up.exe" wrote bytes "fae62d77e1a632772e713277ee29327785e22d776da0327726e42d77d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000" to virtual address "0x74661000" (part of module "WSHTCPIP.DLL")
"InDesign_Set-Up.exe" wrote bytes "e7392e77e1a632772e713277ee29327785e22d776da03277906431773ad5387726e42d77d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000" to virtual address "0x74B91000" (part of module "WSHIP6.DLL")
"InDesign_Set-Up.exe" wrote bytes "c04e307720543177e0653177b53832770000000000d0c97500000000c5eac9750000000088eac97500000000e968337582283277ee29327700000000d2693375000000007dbbc9750000000009be337500000000ba18c97500000000" to virtual address "0x760F1000" (part of module "NSI.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads information about supported languages
- details
-
"InDesign_Set-Up.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
"InDesign_Set-Up.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
CRC value set in PE header does not match actual value
Hiding 8 Suspicious Indicators (available only in the private webservice or standalone version)
Informative (25)

Anti-Reverse Engineering

PE file contains zero-size sections
- details: Raw size of "UPX0" is zero
- source: Static Parser
- relevance: 10/10
Environment Awareness

Queries volume information
- details:
"InDesign_Set-Up.exe" queries volume information of "%WINDIR%\Fonts\meiryo.ttc" at 00007876-00000580-0000010C-39133091627
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\tahoma.ttf" at 00007876-00000580-0000010C-39721527576
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\timesbd.ttf" at 00007876-00000580-0000010C-42290625389
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\timesbd.ttf" at 00007876-00000580-0000010C-42312426155
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\simsun.ttc" at 00007876-00000580-0000010C-42329395823
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\tahomabd.ttf" at 00007876-00000580-0000010C-43234571935
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\tahomabd.ttf" at 00007876-00000580-0000010C-43732006808
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\tahoma.ttf" at 00007876-00000580-0000010C-43781354698
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\meiryo.ttc" at 00007876-00000580-0000010C-46697738641
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\msgothic.ttc" at 00007876-00000580-0000010C-46708219906
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\msgothic.ttc" at 00007876-00000580-0000010C-46751354616
"InDesign_Set-Up.exe" queries volume information of "C:\Windows\Fonts\simsun.ttc" at 00007876-00000580-0000010C-49157949757 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads the registry for installed applications
- details
-
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\INDESIGN_SET-UP.EXE")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\INDESIGN_SET-UP.EXE")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE"; Key: "PATH"; Value: "00000000010000005800000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C000000") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries volume information
External Systems

Detected Suricata Alert
- details: Detected alert "SURICATA HTTP Host header invalid" (SID: 2221028, Rev: 1, Severity: 3) categorized as "Generic Protocol Command Decode"
- source: Suricata Alerts
- relevance: 10/10
General

Accesses Software Policy Settings
- details:
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Accesses System Certificates Settings
- details
-
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\AUTOUPDATE"; Key: "DISALLOWEDCERTLASTSYNCTIME")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\AUTOUPDATE"; Key: "DISALLOWEDCERTENCODEDCTL")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\2E4916B07F3DE90C8DDE2566FD9B9B400D89BBBA"; Key: "BLOB")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E6A3B45B062D509B3382282D196EFE97D5956CCB"; Key: "BLOB")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"InDesign_Set-Up.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Contacts domains
- details
-
"ocsp.godaddy.com"
"assets.adobedtm.com"
"c.evidon.com"
"dpm.demdex.net"
"ims-prod07.adobelogin.com"
"l.betrad.com"
"p.typekit.net"
"static.adobelogin.com"
"use.typekit.net" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"52.200.103.144:443"
"52.73.87.138:443"
"34.237.151.5:443"
"52.71.35.35:443"
"52.85.116.201:443"
"184.26.101.86:443"
"107.23.89.178:443"
"35.173.18.179:443"
"72.167.18.239:80"
"34.195.22.135:443" - source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
- "HS,-up.pdbO"
- source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"InDesign_Set-Up.exe" created file "%TEMP%\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\main.html"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\main.js"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\mainController.js"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\overlayController.js"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\js\utils.js"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\lib\jquery.min.js"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\lib\IE8\jquery.min.js"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\lib\angular.min.js"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\lib\IE8\angular.min.js"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\lib\jquery.custom-scrollbar.min.js"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\lib\jquery.placeholder.min.js"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\main.css"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\clean.css"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\productIcon.png"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\productIcon2x.png"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\productIcon4x.png"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\ccIcon.png"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\ccIcon2x.png"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\cancelButton.png"
"InDesign_Set-Up.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{C57BC87D-A91D-40C6-8D2F-F842721C9388}\images\cancelButton2x.png" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"\Sessions\1\BaseNamedObjects\Global\{3EBE6875-9C4E-4782-8A43-275AFFFCA6FB}"
"\Sessions\1\BaseNamedObjects\Global\359dca4322b8b4a0f7f92bf448150fb"
"\Sessions\1\BaseNamedObjects\Global\17984755fe166b7170b9b5099053521c"
"\Sessions\1\BaseNamedObjects\PDApp.log"
"Local\__DDrawExclMode__"
"Global\359dca4322b8b4a0f7f92bf448150fb"
"Local\__DDrawCheckExclMode__"
"Local\InternetExplorerDOMStoreQuota"
"Local\https://adobeid-na1.services.adobe.com/"
"Global\17984755fe166b7170b9b5099053521c"
"Local\DDrawDriverObjectListMutex"
"Global\{3EBE6875-9C4E-4782-8A43-275AFFFCA6FB}"
"Local\ZonesLockedCacheCounterMutex"
"PDApp.log"
"Local\DirectSound DllMain mutex (0x00000244)"
"!IECompat!Mutex"
"Local\DDrawWindowListMutex"
"Local\MSIMGSIZECacheMutex"
"Global\_MSIExecute" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "sprite_1_.svg" as clean (type is "ASCII text with very long lines with no line terminators")
Antivirus vendors marked dropped file "radial-indeterminate_1_.svg" as clean (type is "ASCII text") - source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details
-
"GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
"GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
"GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCDSJ8q09JhTx HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com" - source
- Network Traffic
- relevance
- 5/10
-
Overview of unique CLSIDs touched in registry
- details
-
"InDesign_Set-Up.exe" touched "NetworkListManager" (Path: "HKCU\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}")
"InDesign_Set-Up.exe" touched "Network List Manager" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}")
"InDesign_Set-Up.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\TREATAS")
"InDesign_Set-Up.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
"InDesign_Set-Up.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"InDesign_Set-Up.exe" touched "WinInetBroker Class" (Path: "HKCU\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TREATAS")
"InDesign_Set-Up.exe" touched "DxDiagProvider Class" (Path: "HKCU\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\TREATAS")
"InDesign_Set-Up.exe" touched "Microsoft DirectInput8" (Path: "HKCU\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\INPROCSERVER32")
"InDesign_Set-Up.exe" touched "DirectMusicCollection" (Path: "HKCU\CLSID\{480FF4B0-28B2-11D1-BEF7-00C04FBF8FEF}\INPROCSERVER32")
"InDesign_Set-Up.exe" touched "DirectPlay8Peer Object" (Path: "HKCU\CLSID\{286F484D-375E-4458-A272-B138E2F80A6A}\INPROCSERVER32")
"InDesign_Set-Up.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"InDesign_Set-Up.exe" touched "XML DOM Document 3.0" (Path: "HKCU\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\TREATAS")
"InDesign_Set-Up.exe" touched "Task Bar Communication" (Path: "HKCU\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\TREATAS")
"InDesign_Set-Up.exe" touched "Microsoft Web Browser" (Path: "HKCU\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\TREATAS")
"InDesign_Set-Up.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
"InDesign_Set-Up.exe" touched "Shell DocObject Viewer" (Path: "HKCU\CLSID\{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}\INPROCSERVER32")
"InDesign_Set-Up.exe" touched "HTML Document" (Path: "HKCU\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\TREATAS")
"InDesign_Set-Up.exe" touched "Microsoft HTML About Pluggable Protocol" (Path: "HKCU\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\TREATAS")
"InDesign_Set-Up.exe" touched "Browser Application State" (Path: "HKCU\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}\TREATAS")
"InDesign_Set-Up.exe" touched "JScript Language" (Path: "HKCU\CLSID\{16D51579-A30B-4C8B-A276-0FF4DC41E755}\TREATAS") - source
- Registry Access
- relevance
- 3/10
-
Reads Windows Trust Settings
- details
- "InDesign_Set-Up.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Scanning for window names
- details
-
"InDesign_Set-Up.exe" searching for class "MS_AutodialMonitor"
"InDesign_Set-Up.exe" searching for class "MS_WebCheckMonitor"
"InDesign_Set-Up.exe" searching for class "MPWClass" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010 (Show technique in the MITRE ATT&CK™ matrix)
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=DigiCert EV Code Signing CA SHA2, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 36:9D:F9:FC:7F:B1:7A:71:80:28:AC:9E:4E:DD:FD:09:E8:D1:08:0A; see report for more information)
The input sample is signed with a certificate issued by "CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 60:EE:3F:C5:3D:4B:DF:D1:69:7A:E5:BE:AE:1C:AB:1C:0F:3A:D4:E3; see report for more information) - source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116 (Show technique in the MITRE ATT&CK™ matrix)
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistence
-
Connects to LPC ports
- details
- "InDesign_Set-Up.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"sprite_1_.svg" has type "ASCII text with very long lines with no line terminators"
"radial-indeterminate_1_.svg" has type "ASCII text"
"errorIcon.png" has type "PNG image data 16 x 16 8-bit/color RGBA non-interlaced"
"snthemes_1_.js" has type "ASCII text with very long lines with no line terminators"
"datFEB0.tmp" has type "Web Open Font Format flavor 65536 length 143016 version 0.0"
"evidon-sitenotice-tag_1_.js" has type "HTML document ASCII text with very long lines with no line terminators"
"1E11E75149C17A93653DA7DC0B8CF53F_0458F528A4805826E0A816A3BD1AE9D5" has type "data"
"PT9AP8H2.txt" has type "ASCII text"
"TVQANMNY.txt" has type "ASCII text"
"IFCDNH9U.txt" has type "ASCII text"
"en_1_.js" has type "ASCII text with very long lines with no line terminators"
"N9X9PR10.txt" has type "ASCII text with very long lines"
"spinner.gif" has type "GIF image data version 89a 64 x 64"
"ccIcon.png" has type "PNG image data 29 x 22 8-bit/color RGBA non-interlaced"
"EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D" has type "data"
"datFDB4.tmp" has type "Web Open Font Format flavor 65536 length 143804 version 0.0"
"overlayController.js" has type "ASCII text with CRLF line terminators"
"adobeid-na1.services.adobe_1_.xml" has type "ASCII text with no line terminators"
"2ZSVLHKE.txt" has type "ASCII text" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"InDesign_Set-Up.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"InDesign_Set-Up.exe" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"InDesign_Set-Up.exe" touched file "C:\Windows\System32\tzres.dll"
"InDesign_Set-Up.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"InDesign_Set-Up.exe" touched file "C:\Windows\System32\msxml3r.dll"
"InDesign_Set-Up.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"InDesign_Set-Up.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"InDesign_Set-Up.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000020.db"
"InDesign_Set-Up.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"InDesign_Set-Up.exe" touched file "C:\Windows\System32\ieframe.dll"
"InDesign_Set-Up.exe" touched file "C:\Windows\System32\rsaenh.dll"
"InDesign_Set-Up.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"InDesign_Set-Up.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"InDesign_Set-Up.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"InDesign_Set-Up.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"
"InDesign_Set-Up.exe" touched file "C:\Windows\System32\en-US\jscript9.dll.mui"
"InDesign_Set-Up.exe" touched file "C:\Windows\Branding\Basebrd\basebrd.dll"
"InDesign_Set-Up.exe" touched file "C:\Windows\System32\en-US\dxdiagn.dll.mui" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "&@^d^w.fK"
Heuristic match: "`Br*c'v.CO"
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "www.digicert.com1+0"
Pattern match: "crl3.digicert.com/EVCodeSigningSHA2-g1.crl07"
Pattern match: "crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K"
Pattern match: "https://www.digicert.com/CPS0"
Pattern match: "http://ocsp.digicert.com0H"
Pattern match: "http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0"
Pattern match: "http://ocsp.digicert.com0I"
Pattern match: "http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0"
Pattern match: "http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0@"
Pattern match: "http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0"
Pattern match: "http://www.digicert.com/ssl-cps-repository.htm0"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://s.symcd.com06"
Pattern match: "http://s.symcb.com/universal-root.crl0"
Pattern match: "https://d.symcb.com/rpa0@"
Pattern match: "http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com0"
Pattern match: "http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0"
Heuristic match: "ocsp.godaddy.com"
Heuristic match: "GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
Heuristic match: "GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
Heuristic match: "GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCDSJ8q09JhTx HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
Heuristic match: "assets.adobedtm.com"
Heuristic match: "c.evidon.com"
Heuristic match: "dpm.demdex.net"
Heuristic match: "ims-prod07.adobelogin.com"
Heuristic match: "l.betrad.com"
Heuristic match: "p.typekit.net"
Heuristic match: "static.adobelogin.com"
Heuristic match: "use.typekit.net"
Pattern match: "http://www.w3.org/2000/svg"
Pattern match: "https://c.evidon.com/pub/icong1.png,linkStyle:cursor:pointer;text-decoration:none;font-size:11pt;color:#de3838;,mobileLinkIcon:https://c.evidon.com/pub/icong1.png,mobileLinkStyle:cursor:pointer;text-decoration:none;font-size:11pt;color:#de3838;,mobi"
Pattern match: "wwwimages2.adobe.com/etc/beagle/public/globalnav/privacy-files',al=o+/sitenotice/,r=al+window.evidon.id,b=1,a=2,x=1,v=2,w=3,K=1,J=2,L=3,s=_evidon_consent_cookie,t=_evidon_consent_ls_,an=_evidon_suppress_notification_cookie,ae=//l.betrad.com/site/v"
Pattern match: "https://www.adobe.com/uk/privacy/cookies.html"
Pattern match: "jquery.org/license"
Pattern match: "http://angularjs.org"
Pattern match: "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab"
Pattern match: "adobe.com/mx/creativecloud/plans|8519]={id:8519,themeId"
Pattern match: "adobe.com/cz/creativecloud/plans|8528]={id:8528,themeId:529,consentDisplayType:1,division:Adobe,include"
Pattern match: "www.adobe.com/uk/genuine/landing-cc|11163]={id:11163,themeId:788,consentDisplayType:1,division:Adobe,includeSubdomains:1,dataRightsFormEmai"
Pattern match: "https://c.evidon.com/pub/icong1.png,linkStyle:cursor:pointer;text-decoration:none;font-size:11pt;color:#de3838;,mobileLinkIcon:https://c.evidon.com/pub/icong1.png,mobileLinkStyle:cursor:pointer;text-decoration"
Pattern match: "https://c.evidon.com/pub/icong1.png,linkStyle:cursor:pointer;text-decoration:none;font-size:10pt;color:#000000;,mobileLinkIcon:https://c.evidon.com/pub/icong1.png,mobileLinkStyle:cursor:pointer;text-decoration:none;font-size:10pt;color:#000000"
Pattern match: "https://c.evidon.com/pub/icong1.png,linkStyle:cursor:pointer;text-decoration:none;font-size:10pt;color:#000000;,mobileLinkIcon:https://c.evidon.com/pub/icong1.png,mobileLinkStyle:cursor:pointer;text-decor"
Pattern match: "https://wwwimages.adobe.com/content/dam/acom/en/privacy/images/opt-in-banner-background-2x.jpg"
Pattern match: "https://www.adobe.com/privacy/cookies.html"
Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQ"
Heuristic match: "f n.ttMETA[i].experience&&undefined!=typeof n.ttMETA[i].campaign&&-1!==n.ttMETA[i].campaign.indexOf(Homepage)&&-1!==n.ttMETA[i].campaign.indexOf(Targeted)&&(e=lhparent.getAttribute(daa-lh).replace(/dex\|default|dex\|cc/,dex|+n.ttMETA[i].experienc"
Pattern match: "assets.adobedtm.com/CO7984e0353d6d4082a190012b43147020/PR8b349c8b6c36453bad7e9a5f89d9fa3a/BL39eb8bac"
Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIi"
Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAYg2yDkn40CSdmRd"
Pattern match: "http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D"
Pattern match: "http://jquery.com/"
Pattern match: "wwwimages2.adobe.com/etc/beagle/public/globalnav/privacy-files',al=o+/sitenotice/,r=al+window.evidon.id,b=1,a=2,x=1,v=2,w=3,K=1,J=2,L=3,s=_evidon_consent_cookie,t=_evidon_"
Pattern match: "http://assets.adobedtm.com/launch-EN919758db9a654a17bac7d184b99c4820.js"
Heuristic match: "digitalData._get(page.pageInfo.siteSection)||InApp:NGL===digitalData._get(page.pageInfo.siteSection)||echocdn.com===digitalData._get(page.pageInfo.siteSection)?digitalData._get(page.pageInfo.pageName):account.adobe.com!==digitalData._get(pag"
Pattern match: "www.stage.adobe.com!==e&&stage.ccmui.adobe.com!==e&&primary.stock.stage.adobe.com!==e&&helpx.stage.adobe.com!==e&&stage.acrobat.adobe.com!==e&&dc.stage.acrobat.com!==e&&www-con01.acrobat.adobe.com!==e&&stage.accounts.adobe.com!==e&&s"
Pattern match: "assets.adobedtm.com/extensions/EP73d0010a5a1e442fbce7d2b017628d"
Pattern match: "assets.adobedtm.com/extensions/EPae79f1c2e3134d1887b917d743ee601b/},promise-polyfill:{displayName:Promise"
Pattern match: "http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCDSJ8q09JhTx" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
-
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"InDesign_Set-Up.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "InDesign_Set-Up.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "7bbc9e83a633d35c42c3f77714ec65f4200f0ab51031ba8cbafc43a4a1d14298.bin" was detected as "UPX v1.25 (Delphi) Stub"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002 (Show technique in the MITRE ATT&CK™ matrix)
-
File Details
InDesign_Set-Up.exe
- Filename
- InDesign_Set-Up.exe
- Size
- 2MiB (2088240 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- Architecture
- WINDOWS
- SHA256
- 7bbc9e83a633d35c42c3f77714ec65f4200f0ab51031ba8cbafc43a4a1d14298
- MD5
- 7174f560a5c056e9d12e75e880568c41
- SHA1
- 9513d68a2814c43aa63f7afdc48c2d28d548578c
- ssdeep
- 49152:PKLDheBtVQTpvx5f7JrlMdGymjJiPxXd7:CL9eB+pp6dGyoiPxt7
- imphash
- e58ab46f2a279ded0846d81bf0fa21f7
- authentihash
- 09821ac620dde50f3a20df553ee024d999bf911c0232fc5d34780b7df2dad001
- Compiler/Packer
- UPX v1.25 (Delphi) Stub
Version Info
- LegalCopyright
- 2015-2018 Adobe. All rights reserved.
- InternalName
- Adobe Installer
- FileVersion
- 4.8.0.410
- CompanyName
- Adobe Inc.
- ProductName
- Adobe Installer
- ProductVersion
- 4.8.0.410
- FileDescription
- Adobe Installer
- OriginalFilename
- Adobe Installer
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 42.1% (.EXE) UPX compressed Win32 Executable
- 41.4% (.EXE) Win32 EXE Yoda's Crypter
- 7.0% (.EXE) Win32 Executable (generic)
- 3.1% (.EXE) OS/2 Executable (generic)
- 3.1% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .C Files (converted from .NET IL) compiled with CVTCIL.EXE 17.00 (Visual Studio 2012) (build: 65501)
- 8 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 23506)
- 1 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 23506)
- 1 .C Files compiled with CL.EXE 15.00 (Visual Studio 2008) (build: 30729)
- 3 .LIB Files generated with LIB.EXE 11.00 (Visual Studio 2012) (build: 65501)
- 9 .C Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 65501)
- 136 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 23907)
- 39 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 23907)
- 25 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 23907)
- 1 .OBJ Files linked with ALIASOBJ.EXE 11.00 (Internal OLDNAMES.LIB Tool) (build: 41118)
- 4 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 23013)
- File appears to contain raw COFF/OMF content
- File is the product of a medium codebase (11 files)
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=Adobe Systems Incorporated, OU=AAM 256, O=Adobe Systems Incorporated, L=San Jose, ST=California, C=US, SERIALNUMBER=2748129, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization | CN=DigiCert EV Code Signing CA SHA2, OU=www.digicert.com, O=DigiCert Inc, C=US (Serial: 6b922a8397e632fe5348da267275b4f) | 09/12/2017 00:00:00 to 09/04/2019 12:00:00 | MD5 F6:C7:04:49:69:67:8A:07:9C:D7:F6:71:7E:BF:E1:44; SHA1 36:9D:F9:FC:7F:B1:7A:71:80:28:AC:9E:4E:DD:FD:09:E8:D1:08:0A |
CN=DigiCert EV Code Signing CA SHA2, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US (Serial: 3f1b4e15f3a82f1149678b3d7d8475c) | 04/18/2012 12:00:00 to 04/18/2027 12:00:00 | MD5 1D:CB:A7:8C:6C:8A:0D:9B:72:CF:E9:21:10:3F:B2:6D; SHA1 60:EE:3F:C5:3D:4B:DF:D1:69:7A:E5:BE:AE:1C:AB:1C:0F:3A:D4:E3 |
Screenshots
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- InDesign_Set-Up.exe (PID: 580)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
assets.adobedtm.com | 23.41.19.143 (TTL: 29) | NOM-IQ Ltd dba Com Laude | United States |
c.evidon.com | 104.103.9.200 (TTL: 530) | - | United States |
dpm.demdex.net | 52.215.56.157 (TTL: 706) | NOM-IQ Ltd dba Com Laude | United States |
ims-prod07.adobelogin.com | 52.20.188.218 (TTL: 156) | NOM-IQ Ltd dba Com Laude | United States |
l.betrad.com | 52.21.120.172 (TTL: 10681) | - | United States |
ocsp.godaddy.com | 72.167.18.239 (TTL: 421) | LIQUIDNET LTD. (Organization: Go Daddy Operating Company, LLC; Name Server: A1-245.AKAM.NET; Creation Date: Tue, 02 Mar 1999 00:00:00 GMT) | United States |
p.typekit.net | 23.9.32.102 (TTL: 50) | NOM-IQ Ltd dba Com Laude (Organization: Adobe Systems Incorporated; Name Server: NS-1367.AWSDNS-42.ORG; Creation Date: Mon, 02 Aug 2010 00:00:00 GMT) | United States |
static.adobelogin.com | 13.249.68.66 (TTL: 53) | NOM-IQ Ltd dba Com Laude | United States |
use.typekit.net | 23.54.161.90 (TTL: 37) | NOM-IQ Ltd dba Com Laude (Organization: Adobe Systems Incorporated; Name Server: NS-1367.AWSDNS-42.ORG; Creation Date: Mon, 02 Aug 2010 00:00:00 GMT) | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
52.200.103.144 | 443/TCP | indesign_set-up.exe PID: 580 | United States |
52.73.87.138 | 443/TCP | indesign_set-up.exe PID: 580 | United States |
34.237.151.5 | 443/TCP | indesign_set-up.exe PID: 580 | United States |
52.71.35.35 | 443/TCP | indesign_set-up.exe PID: 580 | United States |
52.85.116.201 | 443/TCP | indesign_set-up.exe PID: 580 | United States |
184.26.101.86 | 443/TCP | indesign_set-up.exe PID: 580 | United States |
107.23.89.178 | 443/TCP | indesign_set-up.exe PID: 580 | United States |
35.173.18.179 | 443/TCP | indesign_set-up.exe PID: 580 | United States |
72.167.18.239 | 80/TCP | indesign_set-up.exe PID: 580 | United States |
34.195.22.135 | 443/TCP | indesign_set-up.exe PID: 580 | United States |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Raw Request |
---|---|---|---|
72.167.18.239:80 (ocsp.godaddy.com) | GET | ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/6.1; Host: ocsp.godaddy.com |
72.167.18.239:80 (ocsp.godaddy.com) | GET | ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/6.1; Host: ocsp.godaddy.com |
72.167.18.239:80 (ocsp.godaddy.com) | GET | ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCDSJ8q09JhTx | GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCDSJ8q09JhTx HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/6.1; Host: ocsp.godaddy.com |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> local:5357 (TCP) | Generic Protocol Command Decode | SURICATA HTTP Host header invalid | 2221028 |
Extracted Strings
Extracted Files
Displaying 20 extracted file(s). The remaining 99 file(s) are available in the full version and XML/JSON reports.
-
Informative 20
-
-
2ZSVLHKE.txt
- Size
- 182B (182 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- 4f8371a64bd978a542859d3bbc9fbf81
- SHA1
- dda3bc4769b1c587bcdcd0c4b7016b65b5080176
- SHA256
- 0f640cd716aa4807e5ff9642ec48dd2812bfc523a4b74b6668d5be4dc0d207df
-
79IW6BSE.txt
- Size
- 94B (94 bytes)
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- 0b105a8f50b0f4a90b89119eb67b3a92
- SHA1
- 13d9b77d6ebf58b80b0498f38db4eb80df89d4cf
- SHA256
- d6e3807a4265a01a115794ecec444393bf4950ed9e5c8ed7aa82aa91eb621854
-
C0QKXJPW.txt
- Size
- 198B (198 bytes)
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- 719240cd3c012a8d75c094f8bc1ff108
- SHA1
- b81535c200a632d32978ff086199f345d8efd903
- SHA256
- c9254955a1d3a9a832d3fbbc6b25e771100c8d25d18004127421583e701b5b6f
-
DXR935MS.txt
- Size
- 199B (199 bytes)
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- a4420a6bf81f9ac2738137f29d08d32e
- SHA1
- 901674f667b6f24cdd6c910b2cd347b5ed5d3912
- SHA256
- f5641f1e1d713156ef187b1d74c6c5ffa1f2d57fce8fdb515c623efe512babfb
-
EBZV7NMM.txt
- Size
- 189B (189 bytes)
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- 8b457962dbb1898804caf4a9190b1c2f
- SHA1
- 85e82464099d5e00b681579b784c5c12f1ddece8
- SHA256
- 10cf8ee029d9c2188d265efb9af4a28bb2634f9c189c774f6356a97eaf165aac
-
FSCYU7BD.txt
- Size
- 691B (691 bytes)
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- 3d9a55e426c8f250d7d7807ff8e0cc37
- SHA1
- f94cf87187abdb341309884f73358e0da649fc71
- SHA256
- 013ab4821d4934e6dd84c5e13af77d7d862259f02854554bb493bbe792ce5b7d
-
GGWNOKR9.txt
- Size
- 199B (199 bytes)
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- fedff4ba193dc5a196aab28f7c2ff371
- SHA1
- 85586386ecf3006ead0845c5d666d2f39a4252bb
- SHA256
- 19a280e0157d6f22f68995f112613fadf9e3eabbe294a4770ef73a7a9a88073b
-
IFCDNH9U.txt
- Size
- 89B (89 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- 02b8a68c0fc8706498093eef8bfea1a8
- SHA1
- cd30f8e627dcd57940449bebc798e1dc6cf88fdf
- SHA256
- 1b62818f55b3cb27049fb9ccaf3eae1b4d5a065506f6e8afe8496fabc7e8f7da
-
KV9ZTXB8.txt
- Size
- 670B (670 bytes)
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- d71d322d432ec219bc93063de2965469
- SHA1
- e7f8c830296796134718f6a95a8c17883a2c8400
- SHA256
- 4db37dff9761f33f14c222c25bd6d5d10df7be0a2bee2d00e9de7bc434de0524
-
N9X9PR10.txt
- Size
- 691B (691 bytes)
- Type
- text
- Description
- ASCII text, with very long lines
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- 3d9a55e426c8f250d7d7807ff8e0cc37
- SHA1
- f94cf87187abdb341309884f73358e0da649fc71
- SHA256
- 013ab4821d4934e6dd84c5e13af77d7d862259f02854554bb493bbe792ce5b7d
-
NR0ETR4F.txt
- Size
- 199B (199 bytes)
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- 6a32cb557f80549375cf8b6314aa9554
- SHA1
- a943c1120ac6a575288c82181b2d768580f783df
- SHA256
- 15fdb488000ca58e1a64d3f4ff39913bdd126a92c81034bd1c5ab29f37152097
-
OQ2D8XWK.txt
- Size
- 669B (669 bytes)
- Runtime Process
- InDesign_Set-Up.exe (PID: 580)
- MD5
- 1cc598fd454ee5bc0392ad1a1c7fd4a6
- SHA1
- 2fd5baeed7f1e004b79b337e29963c63c053b425
- SHA256
- 70fc1edfa219c34c8100a50ea7aff4a97a40d13fe3091945b59b4c6361253263
- OWNHB2WN.txt
  - Size: 80B (80 bytes)
  - Runtime Process: InDesign_Set-Up.exe (PID: 580)
  - MD5: 0a78db3246ff74b15cd607934807573c
  - SHA1: 7a25058563fda1827c1557e978638177169ba3b3
  - SHA256: 38ef40de8a0e4882a77e41cfebdd0bba0d8ea499f058dda314f15d567819e8f0
- PT9AP8H2.txt
  - Size: 169B (169 bytes)
  - Type: text
  - Description: ASCII text
  - Runtime Process: InDesign_Set-Up.exe (PID: 580)
  - MD5: 088bd341abf7c69480e1ccc70e77236b
  - SHA1: 99f34ce6422e3a04ddc77f676cefea76ae3d1cb3
  - SHA256: d5c9efdd7233a3a2cc59f9bc001f03a7f9d6b8f038a646a01ea010592cbe0e45
- SKLB5DMT.txt
  - Size: 669B (669 bytes)
  - Runtime Process: InDesign_Set-Up.exe (PID: 580)
  - MD5: 0e2b3414c08e7fe5510832ae16688e0e
  - SHA1: 28a9e95a5ec5d3a0167ef49f485795110ff8cc61
  - SHA256: d3a933583a7236b8ddc1cbddc551b7499df75071fb43cbedb4450d1a5b42e314
- SUW6V6M3.txt
  - Size: 678B (678 bytes)
  - Runtime Process: InDesign_Set-Up.exe (PID: 580)
  - MD5: e56e696a70a37fca25b4603ddc956f29
  - SHA1: 477dfdbe0ab711da8c40d26e11dc8a9b6ad6067b
  - SHA256: e27bca6653b54c016a167781f65cb8a38d21b47e14f820691c5fe505995eedae
- TVQANMNY.txt
  - Size: 674B (674 bytes)
  - Type: text
  - Description: ASCII text
  - Runtime Process: InDesign_Set-Up.exe (PID: 580)
  - MD5: e34a404fe7431ca355d9aa39479398f0
  - SHA1: bad39e3a7440a8669ca1c2f526521d08fe170364
  - SHA256: 47a55336a92d78601044d010667eb8729825d7ca3e4c90cd99b30775028aa0c2
- UNCCM6DA.txt
  - Size: 182B (182 bytes)
  - Runtime Process: InDesign_Set-Up.exe (PID: 580)
  - MD5: 1116ab70d7f9c8623d7fd185356e3895
  - SHA1: 806dc72ba2c924ab8f7fdd266aa802feb460c565
  - SHA256: 0361dcb3ad9f70b361439656bebe24b43ced053caf324f2d63f0f839739d761b
- VG0DZL4M.txt
  - Size: 197B (197 bytes)
  - Runtime Process: InDesign_Set-Up.exe (PID: 580)
  - MD5: bfa8419a111d111a7c1e72805be6b08f
  - SHA1: 3af5c95b7d449c252447d2653bab24a760c0dcc8
  - SHA256: b358a0d3e86a49b24836518f80619657cd511d1f47e4a5f4c905f66137b21c21
- VPIJBOF0.txt
  - Size: 198B (198 bytes)
  - Runtime Process: InDesign_Set-Up.exe (PID: 580)
  - MD5: d0ebeec3b34fb4ad56fd22cc7a1e4a30
  - SHA1: b4cf5dec3b7deb0239d407caa73a252da8abf9a7
  - SHA256: ea44a1e3b955c650d3e65d9dd1d5f6b794250155e62042fe9ead0cfacbad54b3
Notifications
- Runtime
  - Not all IP/URL string resources were checked online
  - Not all sources for indicator ID "api-12" are available in the report
  - Not all sources for indicator ID "api-25" are available in the report
  - Not all sources for indicator ID "api-26" are available in the report
  - Not all sources for indicator ID "api-4" are available in the report
  - Not all sources for indicator ID "api-47" are available in the report
  - Not all sources for indicator ID "api-55" are available in the report
  - Not all sources for indicator ID "api-6" are available in the report
  - Not all sources for indicator ID "api-9" are available in the report
  - Not all sources for indicator ID "binary-0" are available in the report
  - Not all sources for indicator ID "mutant-0" are available in the report
  - Not all sources for indicator ID "registry-17" are available in the report
  - Not all sources for indicator ID "registry-18" are available in the report
  - Not all sources for indicator ID "registry-19" are available in the report
  - Not all sources for indicator ID "registry-72" are available in the report
  - Some low-level data is hidden, as this is only a slim report