File name:

AdobeARM.exe

Full analysis: https://app.any.run/tasks/74f89515-1597-4ccc-a8c0-bcc4922ab415
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: September 11, 2024, 09:10:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
expiro
sinkhole
m0yv
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

07C86F780D8FB9226F0FAA9C8ACCB046

SHA1:

108FE77F67C38D2EFABF07242E83CF49BA0A9BE0

SHA256:

1516E4915E9764C346DC625CA7A88D01E754E44AE5D2E3B3730502F4F609C15A

SSDEEP:

98304:uXc4fwkVDbSihPboyIUDFNJA4EqFM3p4sKce9STUOJG71:J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • EXPIRO has been detected (SURICATA)

      • AdobeARM.exe (PID: 5152)
    • Connects to the CnC server

      • AdobeARM.exe (PID: 5152)
    • M0YV has been detected (YARA)

      • AdobeARM.exe (PID: 5152)
    • Request for a sinkholed resource

      • AdobeARM.exe (PID: 5152)
    • Expiro has been found (SURICATA)

      • AdobeARM.exe (PID: 5152)
    • M0YV mutex has been found

      • AdobeARM.exe (PID: 5152)
    • Actions look like stealing of personal data

      • AdobeARM.exe (PID: 5152)
  • SUSPICIOUS

    • Contacting a server suspected of hosting a CnC

      • AdobeARM.exe (PID: 5152)
    • Checks Windows Trust Settings

      • AdobeARM.exe (PID: 5152)
      • AdobeARM.exe (PID: 3164)
      • armsvc.exe (PID: 6248)
      • AdobeARM.exe (PID: 7016)
    • Reads security settings of Internet Explorer

      • AdobeARM.exe (PID: 5152)
      • AdobeARM.exe (PID: 3164)
      • AdobeARMHelper.exe (PID: 6980)
      • armsvc.exe (PID: 6248)
    • Process drops legitimate Windows executable

      • AdobeARM.exe (PID: 5152)
    • Executable content was dropped or overwritten

      • AdobeARM.exe (PID: 5152)
      • AdobeARM.exe (PID: 3164)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 2824)
    • Executes as a Windows service

      • armsvc.exe (PID: 6248)
    • The process checks if it is being run in the virtual environment

      • msiexec.exe (PID: 2824)
    • Application launched itself

      • AdobeARM.exe (PID: 7016)
  • INFO

    • Reads the computer name

      • AdobeARM.exe (PID: 5152)
      • msiexec.exe (PID: 2824)
      • armsvc.exe (PID: 6248)
      • AdobeARM.exe (PID: 3164)
      • msiexec.exe (PID: 2820)
      • AdobeARMHelper.exe (PID: 6980)
      • AdobeARM.exe (PID: 7016)
      • msiexec.exe (PID: 6408)
    • Reads the machine GUID from the registry

      • AdobeARM.exe (PID: 5152)
      • AdobeARM.exe (PID: 3164)
      • armsvc.exe (PID: 6248)
      • AdobeARM.exe (PID: 7016)
    • Reads the software policy settings

      • AdobeARM.exe (PID: 5152)
      • AdobeARM.exe (PID: 3164)
      • armsvc.exe (PID: 6248)
      • AdobeARM.exe (PID: 7016)
    • Creates files in the program directory

      • AdobeARM.exe (PID: 5152)
      • AdobeARM.exe (PID: 3164)
    • Creates files or folders in the user directory

      • AdobeARM.exe (PID: 5152)
    • Creates files in a temporary directory

      • AdobeARM.exe (PID: 5152)
      • AdobeARM.exe (PID: 3164)
    • Checks proxy server information

      • AdobeARM.exe (PID: 5152)
      • AdobeARM.exe (PID: 3164)
    • Checks supported languages

      • AdobeARM.exe (PID: 5152)
      • msiexec.exe (PID: 2824)
      • msiexec.exe (PID: 2820)
      • armsvc.exe (PID: 6248)
      • AdobeARM.exe (PID: 5172)
      • AdobeARM.exe (PID: 3164)
      • acrobat_sl.exe (PID: 1020)
      • AdobeARM.exe (PID: 7016)
      • AdobeARM.exe (PID: 5720)
      • msiexec.exe (PID: 6408)
      • AdobeARMHelper.exe (PID: 6980)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2824)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2824)
    • The process uses the downloaded file

      • AdobeARM.exe (PID: 3164)
      • AdobeARMHelper.exe (PID: 6980)
      • armsvc.exe (PID: 6248)
    • Process checks computer location settings

      • AdobeARM.exe (PID: 3164)
    • Application launched itself

      • Acrobat.exe (PID: 2612)
      • AcroCEF.exe (PID: 4576)
      • msiexec.exe (PID: 2824)
    • Reads environment values

      • msiexec.exe (PID: 6408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:31 17:10:28+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.24
CodeSize: 751104
InitializedDataSize: 822272
UninitializedDataSize: -
EntryPoint: 0x6a9a0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.824.460.1091
ProductVersionNumber: 1.824.460.1091
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Adobe Inc.
FileDescription: Adobe Reader and Acrobat Manager
FileVersion: 1.824.460.1091
InternalName: AdobeARM.exe
LegalCopyright: Copyright © 2023 Adobe Inc. All rights reserved.
OriginalFileName: AdobeARM.exe
ProductName: Adobe Reader and Acrobat Manager
ProductVersion: 1.824.460.1091
No data.
All screenshots are available in the full report
Total processes
142
Monitored processes
21
Malicious processes
1
Suspicious processes
2

Behavior graph

[Interactive graph available in the full report. Process tree, left to right: adobearm.exe (#EXPIRO), svchost.exe, msiexec.exe, msiexec.exe (no specs), armsvc.exe (no specs), adobearm.exe (no specs), adobearm.exe, acrobat_sl.exe (no specs), acrobat.exe (no specs), acrocef.exe (no specs), acrobat.exe (no specs), acrocef.exe (no specs) x6, adobearmhelper.exe (no specs), adobearm.exe (no specs), adobearm.exe (no specs), msiexec.exe (no specs). "no specs" marks processes for which no signature details were recorded.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1020
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat_sl.exe"
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Parent process: AdobeARM.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat SpeedLauncher
Exit code:
0
Version:
22.3.20310.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrobat_sl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1556
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1 /l /slMode
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Parent process: Acrobat.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2136
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2188 --field-trial-handle=1600,i,8314028170825905600,14663908150706573492,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2612
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" /l /slMode
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Parent process: acrobat_sl.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2820
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 65CDA3C25D8A5DCD7F00B6C51554ED42 E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 2824
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 3164
CMD: /Skip /BackFromArmUpdate
Path: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Parent process: AdobeARMHelper.exe
User:
admin
Company:
Adobe Inc.
Integrity Level:
MEDIUM
Description:
Adobe Reader and Acrobat Manager
Exit code:
0
Version:
1.824.460.1091
Modules
Images
c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll
PID: 3984
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1588 --field-trial-handle=1600,i,8314028170825905600,14663908150706573492,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4576
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --slMode
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: acrobat_sl.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
19 857
Read events
19 690
Write events
138
Delete events
29

Modification events

(PID) Process: (5152) AdobeARM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Operation: delete value
Name: iNotify
Value:
(PID) Process: (5152) AdobeARM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (5152) AdobeARM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (5152) AdobeARM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (5152) AdobeARM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Operation: delete value
Name: tLastError_AdobeARM
Value:
(PID) Process: (5152) AdobeARM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Operation: write
Name: tTimeWaitedFilesInUse_AdobeARM
Value:
417665946thsnYa01000000D08C9DDF0115D1118C7A00C04FC297EB0100000042CB6C300049C042863C8A748EF9A2B2000000002800000045006E0063007200790070007400650064002000620079002000410064006F00620065002E00000010660000000100002000000039240301F967604DC07BE44034E0BF340589DF64E279DA96B923CD9E76F83734000000000E8000000002000020000000EC616B6A2CB9286E920580D7FEE393811EABE4199731AB40480EF12A934D47CA10000000CA4041CEEBB0AE6FC72F86F9584A703040000000B9A2381E7BF51064CA0073F5A83F599BE6EE26CC0C0795E0E4552A0709852D83211BD648F981C76369995704075309055BC8173B492248AD1B335F1747C3B47E
(PID) Process: (5152) AdobeARM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Operation: write
Name: tLastT_AdobeARM
Value:
(PID) Process: (2824) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: C:\Config.Msi\
Value:
(PID) Process: (2824) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\12ff98.rbs
Value:
31130666
(PID) Process: (2824) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\12ff98.rbsLow
Value:
Executable files
46
Suspicious files
73
Text files
19
Unknown types
17

Dropped files

PID
Process
Filename
Type
PID: 5152 | Process: AdobeARM.exe | Filename: C:\Users\admin\AppData\Local\Temp\ArmUI.ini | Type: text
MD5:CD12A965DA4FB66E7F8A07E3F421196C
SHA256:790B06745F32E0F56A7AF24C871FFCE225BA05EBF0D8F8A71A00C727C97DCF09
PID: 5152 | Process: AdobeARM.exe | Filename: C:\Windows\Temp\ArmReport.ini | Type: text
MD5:C4DBB5797C48D30597D78B6277E06350
SHA256:0AAF07A70C53FB0918539B8CDDE43645CE1E88BC100D899B0718352971F06BCA
PID: 5152 | Process: AdobeARM.exe | Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | Type: executable
MD5:73002FE446416D3DA49E2FE667F9C1C4
SHA256:BDF69432A6773903FC8B49699CBBED58C21DCB34A2BEDE3862649DD5FD23B02D
PID: 5152 | Process: AdobeARM.exe | Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | Type: executable
MD5:D067F4F352CCD33EC41671D77B2461B3
SHA256:238E259058C187B027DCC011914A37166F94CA151E720D0740A428F08C68D199
PID: 5152 | Process: AdobeARM.exe | Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | Type: executable
MD5:C29EF13168BC9A4EC65F731BE2D8574A
SHA256:5E8F52D8C36913C89206793B549650634EF10901BD8FB4DBA3623858B4FE4F5A
PID: 5152 | Process: AdobeARM.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | Type: der
MD5:B51936B471D4B14321087CA2E2CFA6D2
SHA256:355F76CEBE37E4D4C8EB2B53516601C8761FEBAB93062C1E17524DF1223AD891
PID: 5152 | Process: AdobeARM.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | Type: der
MD5:42A5466BED1FF861739C6ECB5299D4DD
SHA256:E66D4723C7A2EF40A64DF50D567240F9F7D88291F25B6471B8C33FD3ABF9C444
PID: 5152 | Process: AdobeARM.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | Type: binary
MD5:20C9751EB48A15BAFD463B6107C1F186
SHA256:9E87623A3D229CBF9924676B1493AE33AB2AD6DF61C99CEA0A40200EC6050F1D
PID: 5152 | Process: AdobeARM.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_54359052731E413C60F1C59EABAD4E05 | Type: der
MD5:ADB5EB62ED27B7EE43DC40CE580E87AE
SHA256:C855959471768320DB069F20E7B79C724CAB0639BC3AE36C8FC2F90A30732563
PID: 5152 | Process: AdobeARM.exe | Filename: C:\Users\admin\AppData\Local\Temp\TmpE130.tmp | Type: der
MD5:590F0B893183A18322BB52632A7540EB
SHA256:66D5C55EB3662A2084BA3BDBACDE986FB4BC52C4A5F23B4590BFA08A3EE13788
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
41
DNS requests
27
Threats
8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5152 | AdobeARM.exe | POST | 200 | 54.244.188.177:80 | http://pywolwnvd.biz/uwqiidgmr | unknown | - | - | -
5152 | AdobeARM.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/wnvdiieja | unknown | - | - | -
5152 | AdobeARM.exe | POST | 200 | 54.244.188.177:80 | http://cvgrf.biz/unfhrinmmyssvkov | unknown | - | - | -
5152 | AdobeARM.exe | POST | 200 | 44.221.84.105:80 | http://npukfztj.biz/vdgtumkwuhxwfopn | unknown | - | - | -
5152 | AdobeARM.exe | POST | - | 172.234.222.138:80 | http://przvgke.biz/qgjavxw | unknown | - | - | -
5152 | AdobeARM.exe | POST | - | 172.234.222.138:80 | http://przvgke.biz/giqsykq | unknown | - | - | -
5152 | AdobeARM.exe | POST | 200 | 18.141.10.107:80 | http://knjghuig.biz/wul | unknown | - | - | -
1492 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
("-" marks a column the report left empty for that row.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7128 | svchost.exe | 52.183.220.149:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 52.183.220.149:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
6824 | svchost.exe | 88.221.168.141:443 | armmf.adobe.com | AKAMAI-AS | DE | whitelisted
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5152 | AdobeARM.exe | 54.244.188.177:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
5152 | AdobeARM.exe | 18.141.10.107:80 | ssbzmoy.biz | AMAZON-02 | SG | unknown
("-" marks a column the report left empty for that row.)

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 52.183.220.149, 4.231.128.59 | whitelisted
google.com | 142.250.181.238 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
armmf.adobe.com | 88.221.168.141 | whitelisted
client.wns.windows.com | 40.113.103.199 | whitelisted
pywolwnvd.biz | 54.244.188.177 | unknown
ssbzmoy.biz | 18.141.10.107 | unknown
cvgrf.biz | 54.244.188.177 | malicious
npukfztj.biz | 44.221.84.105 | unknown
przvgke.biz | 172.234.222.138, 172.234.222.143 | unknown

Threats

PID | Process | Class | Message
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- | - | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
(PID and Process were not recorded for these alerts in the report.)
1 ETPRO signatures available at the full report
No debug info