Malware analysis armsvc.exe Malicious activity | ANY.RUN

Add for printing

File name:	armsvc.exe
Full analysis:	https://app.any.run/tasks/3a245cbc-985a-43ab-89c5-6a3e2ebdcfcb
Verdict:	Malicious activity
Analysis date:	June 08, 2025, 09:17:33
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	m0yv
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	7DCB1B7A6DBCCBB6509A0D6CEFA96098
SHA1:	A7378CD7D66FB6949E19C2AFB2908371A1F544F2
SHA256:	D37E0CCD8FF91C1C2BEDDF4A0F07132952EAE84C96FDE913A078E765282A05C2
SSDEEP:	49152:WbC3/PFFNAHOOH0+x7nrQ28Y8TMon07QaudgnPJIPOrwbfiUb/:W6PFFKuOU+hrJ5+07IQJImrwb1b/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- M0YV mutex has been found
  - armsvc.exe (PID: 7792)
- M0YV has been detected (YARA)
  - armsvc.exe (PID: 7792)
SUSPICIOUS
- Executable content was dropped or overwritten
  - armsvc.exe (PID: 7792)
- Process drops legitimate windows executable
  - armsvc.exe (PID: 7792)
INFO
- Creates files or folders in the user directory
  - armsvc.exe (PID: 7792)
- Checks supported languages
  - armsvc.exe (PID: 7792)
- The sample compiled with english language support
  - armsvc.exe (PID: 7792)
- Reads the computer name
  - armsvc.exe (PID: 7792)
- Checks proxy server information
  - armsvc.exe (PID: 7792)
  - slui.exe (PID: 736)
- Reads the software policy settings
  - slui.exe (PID: 6816)
  - slui.exe (PID: 736)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:12:19 05:36:34+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.24
CodeSize:	104960
InitializedDataSize:	62464
UninitializedDataSize:	-
EntryPoint:	0x8500
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.824.460.1108
ProductVersionNumber:	1.824.460.1108
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Adobe Inc.
FileDescription:	Acrobat Update Service
FileVersion:	1.824.460.1108
InternalName:	armsvc.exe
LegalCopyright:	Copyright © 2023 Adobe Inc. All rights reserved.
OriginalFileName:	armsvc.exe
ProductName:	Acrobat Update Service
ProductVersion:	1.824.460.1108

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

131

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

736

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2196

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

6816

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6940

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

7792

"C:\Users\admin\AppData\Local\Temp\armsvc.exe"

C:\Users\admin\AppData\Local\Temp\armsvc.exe

explorer.exe

User:

admin

Company:

Adobe Inc.

Integrity Level:

MEDIUM

Description:

Acrobat Update Service

Version:

1.824.460.1108

Modules

Images
c:\users\admin\appdata\local\temp\armsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

2 383

Read events

2 383

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7792	armsvc.exe	C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin		binary
		MD5:19012E0C2E3E1B69AFBA8046CF8C5465	SHA256:6DA02A1C0A77DA6F8D39A1B6E3507C1F9451F0911A9361496C482BA146E2EF46
7792	armsvc.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe		executable
		MD5:5921BD4394A277E9ACE79A0C0A70A2BF	SHA256:CCE198580578BBD64F45144DCF37B35DFD19FF19E32D6D1D697B403BF667E682
7792	armsvc.exe	C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe		executable
		MD5:4F2D81B214CD2A34483BD503417DB0F9	SHA256:32A54BDEC01BA2669E1714EDCD8190F0DEFDC8A7D1332023D71C2A6F5EB02396
7792	armsvc.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe		executable
		MD5:CB26EF794FD5BF2461F090F9993D912C	SHA256:7AE756B10EE5637CCA8F9BDF6190DC0F4C2602DA8C6DA72BFDD2CFF7269A7512
7792	armsvc.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe		executable
		MD5:5680738A98F0D5A68AB929D58B6FEF9A	SHA256:FBE8C278C70EDAA710540B4A9C18CEDAF99BC4ACE5C25C9B42224D29D485F09F
7792	armsvc.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe		executable
		MD5:D81231B81EA38F197A54A726B21AEABF	SHA256:B250473B1346ABC4BBD2C1DEA9150776A362220BA41CF90C76CBD97D3050E21C
7792	armsvc.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe		executable
		MD5:A8D80DB14415A40CC7C2B3E3FB1973F9	SHA256:FE4F40D0973C933566244E1BD95106BD5517D3E08E34485BAC807856F9AC95C0
7792	armsvc.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe		executable
		MD5:411C9AFC7A9DCC27A7BA3FCD9707ADDC	SHA256:B398DF3D6F8BCAD4713C950FCF2CD4E2696F66111951DC512E418C25DBCFBF7A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7556	svchost.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.222.86.92:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7556	svchost.exe	GET	200	23.222.86.92:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7792	armsvc.exe	POST	200	3.229.117.57:80	http://npukfztj.biz/jtpvf	unknown	—	—	malicious
7792	armsvc.exe	POST	200	172.233.219.78:80	http://przvgke.biz/lsgqdjbqxavj	unknown	—	—	—
7792	armsvc.exe	POST	302	192.64.119.165:80	http://anpmnmxo.biz/xwefqlefignvhx	unknown	—	—	—
7792	armsvc.exe	POST	200	18.234.103.197:80	http://knjghuig.biz/b	unknown	—	—	malicious
7792	armsvc.exe	GET	439	91.195.240.19:80	http://www.anpmnmxo.biz/xwefqlefignvhx	unknown	—	—	—
7792	armsvc.exe	POST	—	82.112.184.197:80	http://lpuegx.biz/ffkckqmgf	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1180	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7556	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7556	svchost.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	23.222.86.92:80	www.microsoft.com	AKAMAI-AS	NZ	whitelisted
7556	svchost.exe	23.222.86.92:80	www.microsoft.com	AKAMAI-AS	NZ	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7792	armsvc.exe	18.234.103.197:80	ssbzmoy.biz	AMAZON-AES	US	malicious

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	23.53.40.178	whitelisted
www.microsoft.com	23.222.86.92	whitelisted
pywolwnvd.biz	—	malicious
ssbzmoy.biz	18.234.103.197	unknown
cvgrf.biz	—	malicious
npukfztj.biz	3.229.117.57	malicious
przvgke.biz	172.233.219.78	unknown
zlenh.biz	—	unknown

Threats

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
—	—	Misc activity	ET INFO Namecheap URL Forward

Add for printing

No debug info

General Info

armsvc.exe

7DCB1B7A6DBCCBB6509A0D6CEFA96098

A7378CD7D66FB6949E19C2AFB2908371A1F544F2

D37E0CCD8FF91C1C2BEDDF4A0F07132952EAE84C96FDE913A078E765282A05C2

49152:WbC3/PFFNAHOOH0+x7nrQ28Y8TMon07QaudgnPJIPOrwbfiUb/:W6PFFKuOU+hrJ5+07IQJImrwb1b/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

M0YV mutex has been found

M0YV has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

INFO

Creates files or folders in the user directory

Checks supported languages

The sample compiled with english language support

Reads the computer name

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings