Analysis Report AdobeARM.exe

Overview

General Information

Sample Name: AdobeARM.exe
Analysis ID: 352178
MD5: b8b96354dd88484208f17101f6704f7c
SHA1: 68815c39f47a0b8f766d9191e7ac55d3199d1c96
SHA256: ad25d9f873a80f454ce2acbb75246463070e216c89b042ee87b9a6204dd146c0

Detection

Score: 7
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0108E904 lstrcmpA,lstrcmpA,CryptQueryObject,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CryptDecodeObject,LocalAlloc,CryptDecodeObject,CryptMsgClose, 0_2_0108E904
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010A92BD __EH_prolog3_GS,CryptProtectData,LocalFree, 0_2_010A92BD
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010A943B __EH_prolog3_GS,CryptUnprotectData,LocalFree,LocalFree, 0_2_010A943B
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0108E461 __EH_prolog3,lstrlenW,CryptQueryObject,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertFindCertificateInStore,CertGetNameStringW,LocalAlloc,CertGetNameStringW,lstrlenW,lstrlenW,lstrcmpW,lstrcmpW,LocalFree,CertFindCertificateInStore,CertGetNameStringW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalFree,CertCloseStore, 0_2_0108E461
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0108E7DB lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject,LocalFree, 0_2_0108E7DB

Compliance:

Uses 32bit PE files
Source: AdobeARM.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE / OLE file has a valid certificate
Source: AdobeARM.exe Static PE information: certificate valid
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: AdobeARM.exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARM.pdb source: AdobeARM.exe
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010AF88F __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 0_2_010AF88F
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0108F13C GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0108F13C
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010B1B88 GetModuleHandleW,GetProcAddress,FindFirstFileW, 0_2_010B1B88
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010B1A40 SetLastError,FindFirstFileW,GetLastError, 0_2_010B1A40
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_01061ECD __EH_prolog3_GS,GetLastError,FindFirstFileW,CreateDirectoryW,GetLastError,FindClose,FindClose,GetLastError,GetLastError,GetLastError, 0_2_01061ECD
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010AC825 __EH_prolog3_GS,GetTempPathW,GetLastError,DeleteUrlCacheEntryW,URLDownloadToFileW, 0_2_010AC825
Source: AdobeARM.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AdobeARM.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AdobeARM.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AdobeARM.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AdobeARM.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AdobeARM.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AdobeARM.exe String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AdobeARM.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AdobeARM.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AdobeARM.exe String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AdobeARM.exe String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AdobeARM.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AdobeARM.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: AdobeARM.exe String found in binary or memory: http://ocsp.digicert.com0H
Source: AdobeARM.exe String found in binary or memory: http://ocsp.digicert.com0I
Source: AdobeARM.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: AdobeARM.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: AdobeARM.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AdobeARM.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0109AF4A __EH_prolog3,CreateEnvironmentBlock,GetLastError,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle, 0_2_0109AF4A
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0109AE63 __EH_prolog3_GS,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,ExitWindowsEx,GetLastError, 0_2_0109AE63
Creates files inside the system directory
Source: C:\Users\user\Desktop\AdobeARM.exe File created: C:\Windows\Temp\17231.txt
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\AdobeARM.exe File deleted: C:\Windows\Temp\17231.txt
Detected potential crypto function
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010A032C 0_2_010A032C
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_01079B38 0_2_01079B38
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010E635C 0_2_010E635C
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0108DD6F 0_2_0108DD6F
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0110659A 0_2_0110659A
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010E1DE8 0_2_010E1DE8
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010A1C32 0_2_010A1C32
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0107BFD8 0_2_0107BFD8
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_011066BA 0_2_011066BA
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: String function: 01062829 appears 372 times
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: String function: 010C8C18 appears 109 times
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: String function: 010C8C4C appears 45 times
PE file contains strange resources
Source: AdobeARM.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: AdobeARM.exe, 00000000.00000002.605829217.0000000000FF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameOLEACCRC.DLLj% vs AdobeARM.exe
Uses 32bit PE files
Source: AdobeARM.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: clean7.winEXE@1/3@0/0
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010735AC __EH_prolog3,GetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree,LocalFree, 0_2_010735AC
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0109AE63 __EH_prolog3_GS,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,ExitWindowsEx,GetLastError, 0_2_0109AE63
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0109B3B0 __EH_prolog3_GS,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,OpenProcess,OpenProcessToken,CloseHandle,GetLastError,CloseHandle,Process32NextW,DuplicateTokenEx,GetLastError,CloseHandle,CloseHandle,GetLastError, 0_2_0109B3B0
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010A53EE __EH_prolog3,CoInitialize,CoCreateInstance,CoTaskMemFree,CoUninitialize,GetFileAttributesW, 0_2_010A53EE
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010628D2 LoadResource,LockResource,SizeofResource, 0_2_010628D2
Source: C:\Users\user\Desktop\AdobeARM.exe File created: C:\Users\user\AppData\Local\Adobe\ARM
Source: C:\Users\user\Desktop\AdobeARM.exe File created: C:\Windows\Temp\17231.txt
Source: AdobeARM.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AdobeARM.exe File read: C:\Windows\Temp\ArmReport.ini
Source: C:\Users\user\Desktop\AdobeARM.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AdobeARM.exe String found in binary or memory: /InstallOnDemand:
Source: AdobeARM.exe String found in binary or memory: ?inStream->Look not SZ_OKLzmaDec_DecodeToDic not SZ_OKstate or status are not validinStream->Skip not SZ_OKExtract Files ERROR_DATAInFile_OpenW failed with archive path: can not open output filecan not write output file: can not close output fileExtract7zArchiveFromMsiContainer.. archive name: IDS_ACTION_EXTRACTINGMOD failed: SELECT * FROM `Binary` WHERE `Name`='%s'MDOV failed: MVE failed: MVF failed: File: archive file: Failed to delete existing archive: %s%dCreate file failed:ExtractFilesFrom7zArchive...Failed to get current working directory.CreateDirectory() failedFailed to change cwdExtractor.exe;64bit extractor succeededExecute 64bit extractor failed with exit code: Failed to change cwd.Failed to extract filesFiles extracted successfully at: AdobeARM.exeAdobe AcrobatAdobe ReaderAdobe Acrobat UpdaterAdobe Reader Updater1.8.0.0AdobeARMHelper.exeAdobeARM.msiAdobeARMArmManifest3.msithsnYaVieBodahttps://armmf.adobe.com/arm-manifests/win/http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windowshttp://www.adobe.com/support/downloads/product.jsp?product=10&platform=WindowsSOFTWARE\Adobe\Adobe ARM\1.0\ARMSOFTWARE\Adobe\Adobe ARM\1.0\ARM\CleanupSOFTWARE\Adobe\Adobe ARM\ProductsiLogLeveliDebugArmiCanExitSoftware\Microsoft\Windows\CurrentVersion\Policies\SystemtUpgradeCacheiStartTimeDaysRemainingForceErrorReaderAcrobat7AD7-/DL/ArmUpdate/ArmElevate/ProcessResult/ProcessOnDemandResult/ErrorMissingProduct/dUI/mUI/MODE:1/MODE:2/MODE:3/MODE:4/ArmPrefs/BackFromArmUpdate/FixPDF/FixRegistryOwnership/RegisterFileTypesOwnership/CollectFiles/UninstallARM/ShowInstallInProgressUI/InstallOnDemand/CloseApplications/ArmCleanup/RUM/IsUpdateAvailable/DownloadIDS_TITLE_NOT_UPDATEDAdobe Updater logging started.Adobe ARM skipping analytics and arm update - another instance is in usearm updatenew instanceInitSessionWithProduct failed.exit instanceexiting while UI thread is alive, will kill UIWaiting for Server to 
exitError exiting while in action! One of the threads may not be released properlyLaunched in the SYSTEM context, no UI will be availableCommand Line: Global\UpdateInstallInProcessEventinstall in progress UI already exists, exitingOnDemand success before restart, will not pingcannot continue - another instance is in useEmpty CloseAppsListRegisterFileTypesOwnership...IDS_REGISTER_FILETYPES_ERRORError InitReaderOrAcrobat" /FOLDER:" /LANG:ShellExecute failedIDS_ERROR_DIALOG_DETAIL[ERRORCODE]
Source: AdobeARM.exe String found in binary or memory: |/LANG:/VERSION:/PRODUCT:FOLDER:"ArmUpdateExe:"/MANIFEST:"7ZMSIEXE/USER:/InstallOnDemand:/ARGS:@@@@
Source: AdobeARM.exe String found in binary or memory: DAN=[X]-installation
Source: AdobeARM.exe String found in binary or memory: NOR=[X]-installasjon
Source: AdobeARM.exe String found in binary or memory: SVE=[X]-installation
Source: C:\Users\user\Desktop\AdobeARM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\AdobeARM.exe File written: C:\Windows\Temp\ArmReport.ini
Source: AdobeARM.exe Static PE information: certificate valid
Source: AdobeARM.exe Static file information: File size 1557200 > 1048576
Source: AdobeARM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AdobeARM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AdobeARM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AdobeARM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AdobeARM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AdobeARM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: AdobeARM.exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: AdobeARM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARM.pdb source: AdobeARM.exe
Source: AdobeARM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AdobeARM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AdobeARM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AdobeARM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AdobeARM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_01086846 __EH_prolog3_GS,_strlen,SHGetFolderPathW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_strlen,GetACP, 0_2_01086846
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010C8BE1 push ecx; ret 0_2_010C8BF4
Source: C:\Users\user\Desktop\AdobeARM.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\AdobeARM.exe TID: 6844 Thread sleep count: 290 > 30
Source: C:\Users\user\Desktop\AdobeARM.exe TID: 6844 Thread sleep count: 289 > 30
Source: C:\Users\user\Desktop\AdobeARM.exe TID: 6844 Thread sleep count: 222 > 30
Source: C:\Users\user\Desktop\AdobeARM.exe TID: 6844 Thread sleep time: -111000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\AdobeARM.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010AF88F __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 0_2_010AF88F
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0108F13C GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0108F13C
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010B1B88 GetModuleHandleW,GetProcAddress,FindFirstFileW, 0_2_010B1B88
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010B1A40 SetLastError,FindFirstFileW,GetLastError, 0_2_010B1A40
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_01061ECD __EH_prolog3_GS,GetLastError,FindFirstFileW,CreateDirectoryW,GetLastError,FindClose,FindClose,GetLastError,GetLastError,GetLastError, 0_2_01061ECD
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010A3FCD __EH_prolog3,GetModuleHandleW,GetProcAddress,GetSystemInfo, 0_2_010A3FCD

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010E433E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_010E433E
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010AE34F OutputDebugStringA,GetLastError, 0_2_010AE34F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_01086846 __EH_prolog3_GS,_strlen,SHGetFolderPathW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_strlen,GetACP, 0_2_01086846
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010FB87B mov eax, dword ptr fs:[00000030h] 0_2_010FB87B
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010FB8BF mov eax, dword ptr fs:[00000030h] 0_2_010FB8BF
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010F3437 mov eax, dword ptr fs:[00000030h] 0_2_010F3437
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0108F7A9 GetProcessHeap,__Init_thread_footer,__Init_thread_footer, 0_2_0108F7A9
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010E433E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_010E433E
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010C8DF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_010C8DF0
Source: AdobeARM.exe, 00000000.00000000.229435734.0000000001116000.00000002.00020000.sdmp Binary or memory string: ExitMaximize&Click to activateShell_NotifyIcon failedShell_TrayWndTrayNotifyWndpW
Source: AdobeARM.exe Binary or memory string: Shell_TrayWnd
Source: AdobeARM.exe, 00000000.00000002.608451607.0000000003590000.00000002.00000001.sdmp Binary or memory string: Progman
Source: AdobeARM.exe, 00000000.00000002.608451607.0000000003590000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: AdobeARM.exe Binary or memory string: BExitMaximize&Click to activateShell_NotifyIcon failedShell_TrayWndTrayNotifyWndpWEH
Source: AdobeARM.exe, 00000000.00000002.608451607.0000000003590000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: AdobeARM.exe, 00000000.00000002.608451607.0000000003590000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_0107ACEC cpuid 0_2_0107ACEC
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_01101136
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_0110098F
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0110130B
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: EnumSystemLocalesW, 0_2_01100D1D
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: GetLocaleInfoW, 0_2_010FA578
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: EnumSystemLocalesW, 0_2_01100C37
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: EnumSystemLocalesW, 0_2_01100C82
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: EnumSystemLocalesW, 0_2_010F9FBF
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\AdobeARM.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010C93AD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_010C93AD
Source: C:\Users\user\Desktop\AdobeARM.exe Code function: 0_2_010FB359 _free,_free,_free,GetTimeZoneInformation,_free, 0_2_010FB359

Behavior

Behavior Graph ID: 352178. Sample: AdobeARM.exe. Start date: 11/02/2021. Architecture: WINDOWS. Score: 7. Process started: AdobeARM.exe.
No contacted IP infos