Manalyze report for f42a201044931eee29a309600b72d456

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-May-21 01:49:53
CompanyName	Adobe Systems Incorporated
FileDescription	Adobe Setup
FileVersion	`6.0.0.0`
InternalName	PostInstall
LegalCopyright	© 1990-2022 Adobe Systems Inc
OriginalFilename	setup.exe
PrivateBuild	November 9, 2022
ProductName	Setup
ProductVersion	`6.0.0.0`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: %Temp%`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to SHA256` `Uses constants related to AES`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Possibly launches other programs: ShellExecuteW CreateProcessW` `Can create temporary files: CreateFileW GetTempPathW` `Functions related to the privilege level: CheckTokenMembership` `Enumerates local disk drives: GetDriveTypeW` `Can take screenshots: CreateCompatibleDC GetDC`
Suspicious	The PE header may have been manually modified.	`The resource timestamps differ from the PE header: 2029-Nov-11 14:19:48`
Suspicious	The file contains overlay data.	`773296 bytes of data starting at offset 0x3ec00.` `Overlay data amounts for 75.054% of the executable.`
Malicious	The program tries to mislead users about its origins.	`The PE pretends to be from Adobe but is not signed!`
Malicious	VirusTotal score: 12/72 (Scanned on 2023-10-28 20:45:29)	`Bkav: W32.Common.6F37E9A7` `Skyhigh: BehavesLike.Win64.Sdbot.fm` `Cynet: Malicious (score: 100)` `Gridinsoft: Malware.Win64.Patcher.cc` `Microsoft: HackTool:Win32/crack` `McAfee: Artemis!F42A20104493` `DeepInstinct: MALICIOUS` `Cylance: unsafe` `Panda: PUP/Crack` `Rising: Hacktool.Crack!8.38F (CLOUD)` `Fortinet: W32/PossibleThreat` `CrowdStrike: win/malicious_confidence_60% (D)`

Hashes

MD5	`f42a201044931eee29a309600b72d456`
SHA1	`a38c49acdb7c3e0775f2d6dc8b8ea8bd7f32f732`
SHA256	`55e5131f01e0b4db477326c27139ab59c61f33cceb5de503e874197d23d37ad0`
SHA3	`25c8149eea2f6e79a5601c4932646cdb43350a063812d498c56565448ee6c40f`
SSDeep	`12288:T8HjWTxA6M8erwyFeGA8HjWTxA6M8erwyFeGA8HjWTxA6M8erwyFeGA8HjWTxA6H:gK1D9Y7K1D9Y7K1D9Y7K1D9Yg`
Imports Hash	`6d9c27ca5008bc63e9fbc102659734db`

DOS Header

e_magic	`MZ`
e_cblp	`0x60`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x60`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2018-May-21 01:49:53
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`10.0`
SizeOfCode	`0x1f000`
SizeOfInitializedData	`0x23e00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000001F550 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x46000`
SizeOfHeaders	`0x400`
Checksum	`0x49681`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`939f570a6a9f3be33f4aaf1ccb8ba68d`
SHA1	`fc59057579dce8f6d5d337c033bf329731dfbe20`
SHA256	`f1a6999f3ffb8e38ffad3d11f2ca538dbe3f9fd056d5e1a90092c142ed37b0e1`
SHA3	`90797a7ae3d4e1728a36213f554b85e495af0f342ff1e0c3be89b6d6cf19b6fb`
VirtualSize	`0x1ef7c`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1f000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.41783`

.rdata

MD5	`03402cb8d4049593f4c995d5a1cbdbb1`
SHA1	`66c596d4119af20733589586d9ac0d46c2048568`
SHA256	`083d85ea01724f4b314ade9275c3cfda9595b3897170ff57a2ad27a7e92b9353`
SHA3	`a2c72ac87183d2c4393a686640cb5f4c248ee9a94328d338e7c8d127d5957029`
VirtualSize	`0x6412`
VirtualAddress	`0x20000`
SizeOfRawData	`0x6600`
PointerToRawData	`0x1f400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.16995`

.data

MD5	`b27f02267c6cbae5248297a8e29950e9`
SHA1	`b2bf4097184ad0cc407f8926eb073ed0aa97b4c7`
SHA256	`05887cd7e586e526e515e79092ac85424c0b967ac5aa6be9c918dc2389aec362`
SHA3	`f9faa3b3e5d58ba2b96c924471c470005da0c72cd2d573c556e0fb343ad54bc6`
VirtualSize	`0x5178`
VirtualAddress	`0x27000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x25a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.81146`

.pdata

MD5	`e36cfdfc9c197049da6d906ff996c311`
SHA1	`8e5118b59b402ddbfe541978c238d4ea1bcd3da7`
SHA256	`804db8052da63747ac097c7913bc262a6ae035a2c1d5c995d53c7ce7ede70c64`
SHA3	`715e904dca495f255244de3e25b5652bb9078ab65d12ed2abe39c55d18bbff8d`
VirtualSize	`0x1be4`
VirtualAddress	`0x2d000`
SizeOfRawData	`0x1c00`
PointerToRawData	`0x26600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.23845`

.rsrc

MD5	`f7dfb81e748e21f9cab7b13ede05ee58`
SHA1	`ac6edf085225d70bcde0419fc4c0df8c90d0966a`
SHA256	`81bec57c9fbefb7e2d2ca7a2f9b6326b4a2dfff898babf24329fb773fb587f39`
SHA3	`7303958a20332b4bc1ff0069a268ca4e69d2676bec3a51691dc9afcef9216af5`
VirtualSize	`0x15f97`
VirtualAddress	`0x2f000`
SizeOfRawData	`0x16000`
PointerToRawData	`0x28200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.62747`

.reloc

MD5	`af96955a1f323a95719e9e9027e3b906`
SHA1	`5c88c3ad09d2bc8a30554565282abeecad260995`
SHA256	`e50a0426fda0dc36ffc15e8985bf102c115a635b27b7aaa85f5316e82bff882c`
SHA3	`db8b86688a4908524c6bcb539b403933211c55068d34d317df3be53d4acd2ac3`
VirtualSize	`0x888`
VirtualAddress	`0x45000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x3e200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.63496`

Imports

COMCTL32.dll	`#17`
SHELL32.dll	`ShellExecuteW` `SHBrowseForFolderW` `ShellExecuteExW` `SHGetPathFromIDListW` `SHGetFileInfoW` `SHGetSpecialFolderPathW` `SHGetMalloc`
GDI32.dll	`CreateCompatibleDC` `CreateFontIndirectW` `DeleteObject` `DeleteDC` `GetCurrentObject` `StretchBlt` `GetDeviceCaps` `CreateCompatibleBitmap` `SelectObject` `SetStretchBltMode` `GetObjectW`
ADVAPI32.dll	`FreeSid` `AllocateAndInitializeSid` `CheckTokenMembership`
USER32.dll	`GetSystemMenu` `EnableMenuItem` `EnableWindow` `MessageBeep` `LoadIconW` `LoadImageW` `SetWindowsHookExW` `PtInRect` `CallNextHookEx` `DefWindowProcW` `CallWindowProcW` `DrawIconEx` `DialogBoxIndirectParamW` `GetWindow` `ClientToScreen` `GetDC` `DrawTextW` `SystemParametersInfoW` `SetFocus` `UnhookWindowsHookEx` `GetWindowLongPtrW` `SetWindowLongPtrW` `GetSystemMetrics` `GetClientRect` `GetDlgItem` `IsWindow` `CreateWindowExA` `MessageBoxA` `DestroyWindow` `GetSysColor` `SetWindowTextW` `GetWindowTextLengthW` `GetWindowTextW` `wsprintfA` `GetClassNameA` `GetWindowLongW` `GetMenu` `GetWindowDC` `ReleaseDC` `CopyImage` `GetParent` `ScreenToClient` `CreateWindowExW` `GetDesktopWindow` `wvsprintfW` `SetWindowPos` `SetTimer` `GetMessageW` `DispatchMessageW` `GetWindowRect` `CharUpperW` `SendMessageW` `ShowWindow` `BringWindowToTop` `wsprintfW` `MessageBoxW` `EndDialog` `SetWindowLongW` `GetKeyState` `KillTimer`
ole32.dll	`CreateStreamOnHGlobal` `CoInitialize` `CoCreateInstance`
OLEAUT32.dll	`SysFreeString` `VariantClear` `SysAllocStringLen` `OleLoadPicture` `SysAllocString`
KERNEL32.dll	`ReadFile` `SetFileTime` `SetEndOfFile` `VirtualAlloc` `VirtualFree` `GetFileInformationByHandle` `WaitForMultipleObjects` `SetFilePointer` `GetFileSize` `LeaveCriticalSection` `EnterCriticalSection` `DeleteCriticalSection` `FormatMessageW` `lstrcpyW` `LocalFree` `IsBadReadPtr` `GetSystemDirectoryW` `GetCurrentThreadId` `SuspendThread` `TerminateThread` `InitializeCriticalSection` `ResetEvent` `SetEvent` `CreateEventW` `GetVersionExW` `GetModuleFileNameW` `GetCurrentProcess` `SetProcessWorkingSetSize` `SetEnvironmentVariableW` `GetDriveTypeW` `CreateFileW` `LoadLibraryA` `SetThreadLocale` `GetSystemTimeAsFileTime` `ExpandEnvironmentStringsW` `CompareFileTime` `WideCharToMultiByte` `GetTempPathW` `GetCurrentDirectoryW` `GetEnvironmentVariableW` `lstrcmpiW` `GetLocaleInfoW` `MultiByteToWideChar` `GetUserDefaultUILanguage` `GetSystemDefaultUILanguage` `GetSystemDefaultLCID` `lstrcmpiA` `GlobalAlloc` `GlobalFree` `MulDiv` `FindResourceExA` `SizeofResource` `LoadResource` `LockResource` `GetProcAddress` `GetModuleHandleW` `FindFirstFileW` `lstrcmpW` `DeleteFileW` `FindNextFileW` `FindClose` `RemoveDirectoryW` `GetStdHandle` `WriteFile` `lstrlenA` `CreateDirectoryW` `GetFileAttributesW` `SetCurrentDirectoryW` `GetLocalTime` `SystemTimeToFileTime` `CreateThread` `GetExitCodeThread` `Sleep` `SetFileAttributesW` `GetDiskFreeSpaceExW` `SetLastError` `GetCommandLineW` `GetStartupInfoW` `GetTickCount` `lstrlenW` `ExitProcess` `lstrcatW` `AddVectoredExceptionHandler` `RemoveVectoredExceptionHandler` `CloseHandle` `WaitForSingleObject` `GetExitCodeProcess` `GetQueuedCompletionStatus` `ResumeThread` `SetInformationJobObject` `CreateIoCompletionPort` `AssignProcessToJobObject` `CreateJobObjectW` `GetLastError` `CreateProcessW` `GetStartupInfoA`
msvcrt.dll	`free` `__set_app_type` `??3@YAXPEAX@Z` `_purecall` `??2@YAPEAX_K@Z` `_wtol` `__CxxFrameHandler` `memset` `memmove` `memcpy` `_wcsnicmp` `memcmp` `strncpy` `wcsncpy` `wcsncmp` `strncmp` `?_set_new_handler@@YAP6AH_K@ZP6AH0@Z@Z` `_beginthreadex` `_CxxThrowException` `wcsstr` `_fmode` `realloc` `malloc` `__dllonexit` `_onexit` `??1type_info@@UEAA@XZ` `__C_specific_handler` `_XcptFilter` `_c_exit` `_exit` `_cexit` `exit` `_acmdln` `__getmainargs` `_initterm` `__setusermatherr` `_commode` `?terminate@@YAXXZ`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0xa8c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.63008`
Detected Filetype	PNG graphic file
MD5	`51d4520d0056dd78ab6030f864ec38dd`
SHA1	`3abad058263f068ef1138e7b7f4f1e4f19c3e2bc`
SHA256	`e7696d6f343d7fce61790194f4cdbae5352802f91dc77abe11df52ff9667b694`
SHA3	`7ada1217fa1603e2c53a1104d7f0f6f505eb01db6ed4adbbc210549c0de2c076`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.0532`
MD5	`c86c7954917a522e19993100c1f58b4e`
SHA1	`d65521b4fcbb0cd5ddf76c935faaae20c8ee36e2`
SHA256	`9e149fad424d365c899572aa296bf7f0508541cb5a4ad5794fc18e31ac9da756`
SHA3	`b4a748be55d5e5a9a469985dc7f67bffff924728dd64f6e140d2e7bd71d05d74`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.30056`
MD5	`e659557bc290ea500fb81a0e201e9aeb`
SHA1	`9703a758c26e6d9db6ac9211bbcb896e36671614`
SHA256	`5d788c89a6bb483a45d6419797eb379ac6a19ede3e72757faa260b0c03894523`
SHA3	`3df8af9e9746238ba20f3ee531243a968694268aea90f8ef464b74c11bd44eb5`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.41941`
MD5	`c4eb869be735c32ef365cbb40d78b7b2`
SHA1	`2accdbbcb10eeae85374ce61eefbfb9fcde4d2cb`
SHA256	`d27e623bf3e84226ae260a8afe0aa2beaffb1eb82fa76611a31c5b8945f41fbd`
SHA3	`4b0a7e48fc282a6b8167f2b5043ba14551c34fc2d032b5b5fe26dadcd6c33856`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	2029-Nov-11 14:19:48
Entropy	`2.63697`
MD5	`e29d96cbe83ff4d632d10de953f7f016`
SHA1	`5d4bbb1a0127fb0725b4d5e3b5fa064ec4906581`
SHA256	`fd3e7c56697c473a437e44106bcb3ce6270f37ae480f8fac3e4d1a69ff2dbf04`
SHA3	`49920c39781ff17440cbdd1903d6c8dc8068c84a1d12f90704c0a7627571bd59`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	2029-Nov-11 14:19:48
Entropy	`2.9739`
MD5	`0ff3165a66f0dde7b91977034c7584c2`
SHA1	`6fe7e5482ec702f275f13617ddbadce6377485ac`
SHA256	`4093f18b49c4b6b1fe693c6f815860f55e3a124cc2b9897b760d056ee42c4b57`
SHA3	`86db17ab2d6f00a29b69b08aa7297469393b264fbbc57d3c993ee6ef95a010fa`

101

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.8198`
Detected Filetype	Icon file
MD5	`2f5d225901907375027390e9c257b469`
SHA1	`109cf8cbd45ef3b1a4f2b949c625a3324c1a2208`
SHA256	`ab75b2b93c4d80f70b690cda3a5aaedc4ffb18e218f2983de8df9985be2b6149`
SHA3	`b94596444edc579c53db909351df46b9c89a2dd15ed36d5f5c2dd9828210e47a`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x31c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.37174`
MD5	`5a8fbec743371f51ed797635c500fe31`
SHA1	`3147e563b345d70b92e5771fc31872a0cec3e229`
SHA256	`db35ca6def7e1990d1ea9a0f102098dd62cf12443e370c23cde259788a0f4108`
SHA3	`f2c9c4df69882d6c874cd6232e0beacd5afab99a10950c6bd686783efac0c92b`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x30b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.19301`
MD5	`d9d7e35ab54ea04956f61058b6081147`
SHA1	`4eaab43a93e26b4dc7e0ca769371dedb64c1ae12`
SHA256	`c0958598860e1b8e1d103e1690de8e231db774dc835707365b8177750b14c5c7`
SHA3	`dc325bdd0b296125068882311fdc0996fd88689e1759b22db036ff02b5b20821`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.0.0.0
ProductVersion	6.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
CompanyName	Adobe Systems Incorporated
FileDescription	Adobe Setup
FileVersion (#2)	6.0.0.0
InternalName	PostInstall
LegalCopyright	© 1990-2022 Adobe Systems Inc
OriginalFilename	setup.exe
PrivateBuild	November 9, 2022
ProductName	Setup
ProductVersion (#2)	6.0.0.0

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

f42a201044931eee29a309600b72d456

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

4

5

6

101

1 (#2)

1 (#3)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors