todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/packages/ADC/ Photo.scr shop/圆4/ Adobe Photoshop CC 2018 64 Bit/products/ACR/ CameraRawRIBSCoExistPackage.zip todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/resources/content/ info.zip todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/products/ACR/ info.zip todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/products/ACR/ Photo.scr todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/packages/ info.zip todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/resources/ AdobePIM.dll todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/products/ info.zip todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/products/ Photo.scr todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/packages/ Photo.scr todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/resources/ info.zip
todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/resources/ Photo.scr todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/ Set-up.exe todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/resources/ UpdateRedirector.dat B.//todo WEB/ photoshop/圆4/ Adobe Photoshop CC 2018 64 Bit/ info.zip MZ.!.L.!Th is program cannot be run in DO S mode. Filename: ASP_v2_0_P.exe, Detection: malicious, Browse.Filename: kkTsu5q9ua.exe, Detection: malicious, Browse.Filename: 2.0-painter.exe, Detection: malicious, Browse.Filename: vHQYvz88iw.exe, Detection: malicious, Browse.Antivirus: ReversingLabs, Detection: 0%.Antivirus: Metadefender, Detection: 0%, Browse.Antivirus: Virustotal, Detection: 2%, Browse.Remotely Track Device Without Authorization
May try to detect the Windows Explorer process (often used for injection)
Uses code obfuscation techniques (call, push, ret)Ĭode function: 0_3_023CE7 15 push es i retĬode function: 0_3_023CCC 0C push ea x retĬode function: 0_3_023CCE 6D push cs retfĬode function: 0_3_023CC5 D6 push es iretdīinary may include packed or encrypted code PE file contains sections with non-standard names Static PE information: section wh ere entry point is p ointing to. rsrc:W Įntry point lies outside standard sections Key value queried: HKEY_LOCAL _MACHINE\S OFTWARE\Cl asses\WOW6 432Node\CL SID\\InProcS erver32Įxecutable creates window controls seldom found in malwareĭetected unpacking (changes PE section rights) Uses an in-process (OLE) Automation server Key opened: HKEY_CURRE NT_USER\So ftware\Pol icies\Micr osoft\Wind ows\Safer\ CodeIdenti fiers Key opened: HKEY_CURRE NT_USER\So ftware\Bor land\Delph i\Locales
Parts of this applications are using Borland Delphi (Probably coded in Delphi) exeįile created: C:\Users\u ser~1\AppD ata\Local\ Temp\vgm_p layer.dll Source: C:\Users\u ser\Deskto p\adobe.sn r.patch.v2. MPRESS1 ZL IB complex ity 1.0003 091277Ĭlassification label: mal60.evad temporary files text) which is very likely to contain packed code (zlib compression ratio < 0.011) Sample file is different than original file name gathered from version info Static PE information: Resource n ame: RT_IC ON type: G LS_BINARY_ LSB_FIRST