Edit tour

Windows Analysis Report
armsvc.exe

Overview

General Information

Sample name:	armsvc.exe
Analysis ID:	1391053
MD5:	00bc114a99972c6fbc84d36f540a1df5
SHA1:	cb89ab3f1a4aaab94efe6efc8e740f287e907425
SHA256:	ef736d2f46191ca5abaff5840da8dbbdcd278e340561962ebf1daf9f20f4d126
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Program does not show much activity (idle)

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service

Sample is a service DLL but no service has been registered

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

armsvc.exe (PID: 7032 cmdline: C:\Users\user\Desktop\armsvc.exe MD5: 00BC114A99972C6FBC84D36F540A1DF5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Boot Survival
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: armsvc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: armsvc.exe

Static PE information: certificate valid

Source: armsvc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe

Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D812A0 FindFirstFileExW,	0_2_00D812A0
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D7449C GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D7449C
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D746A6 lstrlenW,FindFirstFileW,lstrcmpW,lstrcmpW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00D746A6

Source: armsvc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: armsvc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: armsvc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: armsvc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: armsvc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: armsvc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: armsvc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: armsvc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: armsvc.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: armsvc.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: armsvc.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: armsvc.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: armsvc.exe	String found in binary or memory: http://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D758F8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,

0_2_00D758F8

Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D83820	0_2_00D83820
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D7C3F2	0_2_00D7C3F2
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D83CB8	0_2_00D83CB8
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D88C3D	0_2_00D88C3D
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D875BA	0_2_00D875BA
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D876DA	0_2_00D876DA

Source: C:\Users\user\Desktop\armsvc.exe

Code function: String function: 00D782B0 appears 35 times

Source: C:\Users\user\Desktop\armsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\armsvc.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: armsvc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean6.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D76BE9 GetTempPathW,GetLastError,CreateFileW,CreateFileW,GetFileSize,SetFilePointer,WriteFile,WriteFile,GetLocalTime,lstrlenW,lstrlenW,lstrlenW,lstrlenW,GetLastError,FormatMessageW,_wcsstr,WriteFile,WriteFile,FlushFileBuffers,

0_2_00D76BE9

Source: C:\Users\user\Desktop\armsvc.exe

Code function: OpenSCManagerW,GetModuleFileNameW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,

0_2_00D7585A

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D7339C CoCreateInstance,StringFromGUID2,RegQueryInfoKeyW,RegQueryInfoKeyW,

0_2_00D7339C

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D71BA0 __EH_prolog3_catch_GS,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

0_2_00D71BA0

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D75A2C RegCreateKeyExW,GetTickCount64,RegSetValueExW,RegCloseKey,StartServiceCtrlDispatcherW,GetLastError,

0_2_00D75A2C

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D75A2C RegCreateKeyExW,GetTickCount64,RegSetValueExW,RegCloseKey,StartServiceCtrlDispatcherW,GetLastError,

0_2_00D75A2C

Source: C:\Users\user\Desktop\armsvc.exe	Command line argument: Embedding	0_2_00D75E2F
Source: C:\Users\user\Desktop\armsvc.exe	Command line argument: Service	0_2_00D75E2F
Source: C:\Users\user\Desktop\armsvc.exe	Command line argument: Uninstall	0_2_00D75E2F

Source: armsvc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\armsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: armsvc.exe	String found in binary or memory: /InstallOnDemand
Source: armsvc.exe	String found in binary or memory: ModuleModule_RawREGISTRY.tlbCLSID\\Required Categories\Implemented CategoriesOLEAUT32.DLLRegisterTypeLibForUserAdobe Systems, IncorporatedAdobe Inc.1.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1SOFTWARE\Adobe\Adobe ARM\1.0\ARMfailed to open arm registryiLastSvcFailureiLastSvcErrorCodeiSvcErrorCountiLastSvcSuccessSetDWORDValue failed to register success timecurrent error time: *...ServiceError;PingFilesList\Adobe\ARM\1.0\TempCommand line: Service workflow failed, command line invalid (empty)User id: Service workflow failed, User Name invalid (empty)StringCb failed /InstallOnDemandOnDemand workflow/Svc adding /Svc to cmdlinemanifest path: /MANIFEST:" /MANIFEST:"" "adding armLaunchParameters.sCommandLine /USER:/UserUserNamecopying command line from SMarm update folder: adding back arm update folder to command line FOLDER:" /Svc/svc /SESSIONID:/sessionidsession idSHGetFolderPath failedStringCbCopy failed\Adobe\ARM\1.0\AdobeARMHelper.exeStringCchCat failedUnable to find: The r_s function failed!create sRandPath failed: \Adobe\ARM\1.0\Temp\TempFailed to create random folder: \AdobeARMHelper.exeFailed to copy: Service workflow failed, file not valid: ShellExecuteEx succeededShellExecuteEx failed Unable to lock for validation \Adobe\ARM\1.0\AdobeARM.exeUnable to find GetTempPath failedAddRandomFileName failedD:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)ConvertStringSecurityDescriptorToSecurityDescriptor failedCreateDirectory failed: \AdobeARM.exeUnable to open Unable to copy file not valid: /UninstallARMfailed to lock iPostponeUpdateSetDWORDValue failed to register Postpone Update{935AF1FC-04A6-4335-8A0A-A2004DBEE584}LocalServiceAdobeARMserviceServiceParametersRPCSSHandler not installedService stoppedentered IS_AVAILABLEcreate SM succeededentered ELEVATE_ARMentered UNINSTALL_ARMfinished UNINSTALL_ARMentered REGISTER_POSTPONE_UPDATEBad service requestService startedAppID\{935AF1FC-04A6-4335-8A0A-A2004DBEE584}EmbeddingServiceUninstallAPPID

Source: armsvc.exe

Static PE information: certificate valid

Source: armsvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: armsvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: armsvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: armsvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: armsvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: armsvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: armsvc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: armsvc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe

Source: armsvc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: armsvc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: armsvc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: armsvc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: armsvc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: armsvc.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D89863 push ecx; ret		0_2_00D89876
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D782F6 push ecx; ret		0_2_00D78309

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D75A2C RegCreateKeyExW,GetTickCount64,RegSetValueExW,RegCloseKey,StartServiceCtrlDispatcherW,GetLastError,

0_2_00D75A2C

Source: C:\Users\user\Desktop\armsvc.exe

API coverage: 2.9 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D812A0 FindFirstFileExW,	0_2_00D812A0
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D7449C GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D7449C
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D746A6 lstrlenW,FindFirstFileW,lstrcmpW,lstrcmpW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00D746A6

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D892EE VirtualQuery,GetSystemInfo,

0_2_00D892EE

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D7D08E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D7D08E

Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D7E002 mov eax, dword ptr fs:[00000030h]		0_2_00D7E002
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D80FC8 mov eax, dword ptr fs:[00000030h]		0_2_00D80FC8

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D76192 GetProcessHeap,__Init_thread_footer,__Init_thread_footer,

0_2_00D76192

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D7D08E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D7D08E
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D7799F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D7799F
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D784EB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D784EB
Source: C:\Users\user\Desktop\armsvc.exe	Code function: 0_2_00D78686 SetUnhandledExceptionFilter,	0_2_00D78686

Source: C:\Users\user\Desktop\armsvc.exe

Code function: 0_2_00D7830B cpuid

0_2_00D7830B

Source: C:\Users\user\Desktop\armsvc.exe

0_2_00D76BE9

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	14 Windows Service	14 Windows Service	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Service Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
armsvc.exe	0%	ReversingLabs

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1391053
Start date and time:	2024-02-12 19:43:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	armsvc.exe
Detection:	CLEAN
Classification:	clean6.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 82
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: armsvc.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.531081860475106
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	armsvc.exe
File size:	172'992 bytes
MD5:	00bc114a99972c6fbc84d36f540a1df5
SHA1:	cb89ab3f1a4aaab94efe6efc8e740f287e907425
SHA256:	ef736d2f46191ca5abaff5840da8dbbdcd278e340561962ebf1daf9f20f4d126
SHA512:	8190c6d6aee0bf1bcb90729f6d4f7ed49517c89bb5b97cccffc619519c1df759a920723b8274a320db39c814ea2330e4d2f2c856b9e19a7de5310980c6af391a
SSDEEP:	3072:Y9n0GQRjXPrGC04P4r7wG2Tv42ACRRJmRrubvrUzdl1TsdVlxl/VCV3RT:YN0GYPrGxzQ9TAomtubv6IVHlo3V
TLSH:	67F37B2172C084B3D9A3193059B4DA71697EFE301FA08ADF7394176A5E703D29E38B67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e.....3.......3.e.1...3.Rich..3........

File Icon


Icon Hash:	498a80a2a2808241

Static PE Info

General

Entrypoint:	0x408290
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65BAA4F7 [Wed Jan 31 19:52:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6c9e228643bd269d0492eb7418f0be01

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	03/11/2023 01:00:00 05/11/2025 00:59:59
Subject Chain	CN=Adobe Inc., OU=Acrobat DC, O=Adobe Inc., L=San Jose, S=ca, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	464C015DAA50884AB4DD5502E6B164B0
Thumbprint SHA-1:	96B7B1EF175BBA4BDE33A05402134289B28B5BCB
Thumbprint SHA-256:	ABC429325881B54BEC561B7B5A635E0E0AC9C94742F1324EBE5EB9AF6AE0CCC5
Serial:	0D1A340F78D7D000E089FDBAAD6522DF

Entrypoint Preview

Instruction
call 00007F46FCDA31BDh
jmp 00007F46FCDA2AFDh
int3
int3
int3
int3
int3
int3
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00409EE0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [0042600Ch]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp
and dword ptr [00427118h], 00000000h
sub esp, 24h
or dword ptr [00426010h], 01h
push 0000000Ah
call 00007F46FCDB3B62h
test eax, eax
je 00007F46FCDA2E2Fh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24450	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x29000	0xe98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x27a00	0x29c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a000	0x19f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x22e30	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x22ea0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x20f70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x24290	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x196ba	0x19800	01b3c608fac6e8c867894b60d5a2e100	False	0.5868661917892157	data	6.633274523109728	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0xa364	0xa400	452456a1b991498af2b7842df1657254	False	0.4387862042682927	data	4.969446445824649	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x26000	0x1e14	0xe00	b56bc87e095acd673815068eb63a2fe4	False	0.19419642857142858	DOS executable (block device driver \277DN\346@\273)	2.6738049871426	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x28000	0x34	0x200	cbcca17a48ed76d5d69caa408d77f2cb	False	0.080078125	data	0.4887475272955158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x29000	0xe98	0x1000	2d0fedcb2c8cb68507b66b34ba3d24d7	False	0.306640625	data	4.339768049769417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a000	0x19f0	0x1a00	23a0082e85beec43d0774fa032aaf175	False	0.7902644230769231	data	6.640345465658964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
REGISTRY	0x29678	0xb8	ASCII text, with CRLF line terminators	English	United States	0.7065217391304348
REGISTRY	0x29730	0x268	ASCII text, with CRLF line terminators	English	United States	0.4301948051948052
RT_ICON	0x29240	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.1639784946236559
RT_ICON	0x29528	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.3344594594594595
RT_STRING	0x29cd8	0x3e	data	English	United States	0.6612903225806451
RT_GROUP_ICON	0x29650	0x22	data	English	United States	1.0
RT_VERSION	0x29998	0x340	data	English	United States	0.44350961538461536
RT_MANIFEST	0x29d18	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	lstrcmpiW, lstrcmpW, LoadLibraryExW, WritePrivateProfileStringW, HeapFree, GetCurrentProcess, HeapSize, GetPrivateProfileStringW, GetCurrentThread, HeapReAlloc, HeapAlloc, HeapDestroy, GetProcessHeap, FormatMessageW, GetLocalTime, GetFileSize, CopyFileW, SetCurrentDirectoryW, GetSystemWindowsDirectoryW, SetDllDirectoryW, GetVolumeInformationW, OpenFileMappingW, UnmapViewOfFile, Sleep, CreateFileMappingW, MapViewOfFile, VirtualQuery, VirtualProtect, GetSystemInfo, WriteConsoleW, GetConsoleMode, GetConsoleCP, SetFilePointerEx, FreeLibrary, GetModuleHandleW, DeleteCriticalSection, LocalFree, GetProcAddress, DecodePointer, FindResourceW, LoadResource, RaiseException, CloseHandle, DeleteFileW, GetLastError, GetTickCount64, MultiByteToWideChar, lstrcmpA, GetCurrentThreadId, GetFileAttributesW, CreateFileW, LocalAlloc, FindClose, InitializeCriticalSectionEx, GetTempPathW, SetFilePointer, GetModuleFileNameW, RemoveDirectoryW, CreateDirectoryW, WriteFile, lstrlenW, FindNextFileW, FindFirstFileW, SizeofResource, ReadFile, FlushFileBuffers, GetFileSizeEx, GetStringTypeW, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, LCMapStringW, IsDebuggerPresent, OutputDebugStringW, EnterCriticalSection, LeaveCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetStdHandle, GetFileType, LoadLibraryExA
USER32.dll	LoadStringW, GetMessageW, DispatchMessageW, PostThreadMessageW, CharNextW
ADVAPI32.dll	CheckTokenMembership, GetSidSubAuthority, GetSidLengthRequired, CopySid, InitializeSid, IsValidSid, OpenProcessToken, DuplicateToken, GetLengthSid, OpenThreadToken, DeregisterEventSource, CreateServiceW, RegCloseKey, RegQueryInfoKeyW, CloseServiceHandle, OpenSCManagerW, RegDeleteKeyW, SetServiceStatus, RegCreateKeyExW, DeleteService, RegisterServiceCtrlHandlerW, ControlService, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, StartServiceCtrlDispatcherW, RegDeleteValueW, OpenServiceW, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegisterEventSourceW, ReportEventW, RegQueryValueExW
SHELL32.dll	SHGetFolderPathW, SHCreateDirectoryExW, ShellExecuteExW
ole32.dll	CoRegisterClassObject, CoInitialize, CoTaskMemAlloc, CoRevokeClassObject, CoUninitialize, CoTaskMemRealloc, CoTaskMemFree, CoCreateInstance, StringFromGUID2
OLEAUT32.dll	SysFreeString, UnRegisterTypeLib, SysAllocString, SysStringLen, VarUI4FromStr, RegisterTypeLib, LoadTypeLib

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• armsvc.exe

Click to jump to process

Memory Usage

• armsvc.exe

Click to jump to process

Target ID:	0
Start time:	19:44:15
Start date:	12/02/2024
Path:	C:\Users\user\Desktop\armsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\armsvc.exe
Imagebase:	0xd70000
File size:	172'992 bytes
MD5 hash:	00BC114A99972C6FBC84D36F540A1DF5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.1%
Total number of Nodes:	910
Total number of Limit Nodes:	4

Executed Functions

Function 00D75A2C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 55
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00D75A53
GetTickCount64.KERNEL32 ref: 00D75A5D
RegSetValueExW.KERNELBASE(?,iLastSvcSuccess,00000000,00000004,?,00000004), ref: 00D75A77
RegCloseKey.ADVAPI32(?), ref: 00D75A80
StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 00D75AA8
GetLastError.KERNEL32 ref: 00D75AB2

Strings

iLastSvcSuccess, xrefs: 00D75A6F
SOFTWARE\Adobe\Adobe ARM\1.0\ARM, xrefs: 00D75A47

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CloseCount64CreateCtrlDispatcherErrorLastServiceStartTickValue
String ID: SOFTWARE\Adobe\Adobe ARM\1.0\ARM$iLastSvcSuccess
API String ID: 930538655-1738627651
Opcode ID: a502b073a21c4772c86b1948eb3ca63cc1e6301f2927e6e99b06791e260af55a
Instruction ID: 13f32c66c392f6f26bc182403a2b165ff8d68aeba48ae926fa028038e4b75365
Opcode Fuzzy Hash: a502b073a21c4772c86b1948eb3ca63cc1e6301f2927e6e99b06791e260af55a
Instruction Fuzzy Hash: CC119EB0900749ABCB219FA1DC49EAFBBBCEB84B51F00412AE215E6111E7B06604CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D75E2F Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 81
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D770CD: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D770E5
Part of subcall function 00D770CD: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D770F6
Part of subcall function 00D770CD: GetSystemWindowsDirectoryW.KERNEL32(?,00000104), ref: 00D77134
Part of subcall function 00D770CD: SetCurrentDirectoryW.KERNELBASE(?), ref: 00D77149
Part of subcall function 00D770CD: SetDllDirectoryW.KERNEL32(00D91398), ref: 00D77154

Part of subcall function 00D75776: LoadStringW.USER32(?,0000012C,?), ref: 00D757D3

lstrcmpW.KERNEL32(00000000,Embedding), ref: 00D75EAA
lstrcmpW.KERNEL32(00000000,Service), ref: 00D75EBA
lstrcmpW.KERNEL32(00000000,Uninstall), ref: 00D75ECA

Part of subcall function 00D75A2C: RegCreateKeyExW.KERNELBASE(80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00D75A53
Part of subcall function 00D75A2C: GetTickCount64.KERNEL32 ref: 00D75A5D
Part of subcall function 00D75A2C: RegSetValueExW.KERNELBASE(?,iLastSvcSuccess,00000000,00000004,?,00000004), ref: 00D75A77
Part of subcall function 00D75A2C: RegCloseKey.ADVAPI32(?), ref: 00D75A80
Part of subcall function 00D75A2C: StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 00D75AA8
Part of subcall function 00D75A2C: GetLastError.KERNEL32 ref: 00D75AB2

Strings

Service, xrefs: 00D75EB4
Uninstall, xrefs: 00D75EC4
Embedding, xrefs: 00D75EA4
-, xrefs: 00D75E6A

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Directorylstrcmp$AddressCloseCount64CreateCtrlCurrentDispatcherErrorHandleLastLoadModuleProcServiceStartStringSystemTickValueWindows
String ID: -$Embedding$Service$Uninstall
API String ID: 2369591557-993598441
Opcode ID: 817bc4785696144b3c0d4a30b29074ad93d4e72fe42ea8c44ef7f0420bf29782
Instruction ID: db839dd0aab0aa9e39ee341468de94530fb1b20532e3fd55d1c41ed7a4971590
Opcode Fuzzy Hash: 817bc4785696144b3c0d4a30b29074ad93d4e72fe42ea8c44ef7f0420bf29782
Instruction Fuzzy Hash: 68210171610705ABCB14AF24AC81ABF73A4DF80740B18852EF81AD7289FBF4DE049672

Uniqueness

Uniqueness Score: -1.00%

Function 00D75C8D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 80
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00D75C97
CoInitialize.OLE32(00000000), ref: 00D75CA5

Part of subcall function 00D7386B: CoRegisterClassObject.OLE32(?,?,00000004,00000001,?), ref: 00D738B6

Part of subcall function 00D75989: RegisterEventSourceW.ADVAPI32(00000000,?), ref: 00D759E5
Part of subcall function 00D75989: ReportEventW.ADVAPI32(00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00D75A02
Part of subcall function 00D75989: DeregisterEventSource.ADVAPI32(00000000), ref: 00D75A09

Part of subcall function 00D75C65: SetServiceStatus.ADVAPI32(?,?,?,00D75CCD,00000004,?,?,?,?,?,?,?,00D75ACD), ref: 00D75C83

DispatchMessageW.USER32(?), ref: 00D75CD3
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D75CE0
CoRevokeClassObject.OLE32(?,?,?,?,?,?,?,?,00D75ACD), ref: 00D75D0A
CoRevokeClassObject.OLE32(?,?,?,?,?,?,?,?,00D75ACD), ref: 00D75D44
CoUninitialize.OLE32(?,?,?,?,?,?,?,00D75ACD), ref: 00D75D57

Strings

Service started, xrefs: 00D75CB7

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ClassEventObject$MessageRegisterRevokeSource$CurrentDeregisterDispatchInitializeReportServiceStatusThreadUninitialize
String ID: Service started
API String ID: 3642141923-2259122660
Opcode ID: 9a667f573a0c37f89dbe3da0e94966ce05e30a79f38466527a1af56112dfc69f
Instruction ID: 4575f07f46973b7e953c6a19cf55d7ec33ad02f23fda1cc68147328ea7a21ac1
Opcode Fuzzy Hash: 9a667f573a0c37f89dbe3da0e94966ce05e30a79f38466527a1af56112dfc69f
Instruction Fuzzy Hash: 7A21B331610B01DBDB315B29FC0DA6A73A8EF80760318812AE84ED7328F7E0DC008B76

Uniqueness

Uniqueness Score: -1.00%

Function 00D770CD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 45
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D770E5
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D770F6
GetSystemWindowsDirectoryW.KERNEL32(?,00000104), ref: 00D77134
SetCurrentDirectoryW.KERNELBASE(?), ref: 00D77149
SetDllDirectoryW.KERNEL32(00D91398), ref: 00D77154

Strings

SetDefaultDllDirectories, xrefs: 00D770F0
kernel32.dll, xrefs: 00D770E0

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Directory$AddressCurrentHandleModuleProcSystemWindows
String ID: SetDefaultDllDirectories$kernel32.dll
API String ID: 3628629239-2102062458
Opcode ID: 97aa5d6643db15b65e9637d62c045d769abc0431407352ad20a955fba02c603b
Instruction ID: 7061df41eee17b96c1e45555a24aaacb4c908f26764b7cbd99a3cb7d0340b571
Opcode Fuzzy Hash: 97aa5d6643db15b65e9637d62c045d769abc0431407352ad20a955fba02c603b
Instruction Fuzzy Hash: 2601A770B00318ABDB10ABB0DC5EB9E7768EB04720F544551F505E62D1EB7099088BB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D76BE9 Relevance: 47.6, APIs: 19, Strings: 8, Instructions: 335
filestringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?), ref: 00D76C73
GetLastError.KERNEL32(?,?,?), ref: 00D76C7D

Part of subcall function 00D76B3F: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,00000000,00020019,?,?,?,?,00D76C12,?,?), ref: 00D76B72
Part of subcall function 00D76B3F: RegQueryValueExW.ADVAPI32(?,iLogLevel,00000000,00D76C12,?,?,?,?,?,00D76C12,?,?), ref: 00D76B9B
Part of subcall function 00D76B3F: RegQueryValueExW.ADVAPI32(?,iLogLevelDev,00000000,00D76C12,?,?,?,?,?,00D76C12,?,?), ref: 00D76BC2
Part of subcall function 00D76B3F: RegCloseKey.ADVAPI32(?,?,?,?,00D76C12,?,?), ref: 00D76BDE

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,?,?,?,?,?,?,?,?), ref: 00D76CDF
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,00000000,?,00000104,?,?), ref: 00D76D5A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 00D76D71
SetFilePointer.KERNEL32(00000000,00000000,00000002,?,?,?,?,?,?,?,?), ref: 00D76D8B
WriteFile.KERNEL32( ,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D76DA6
WriteFile.KERNEL32( ,?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D76DC9
GetLocalTime.KERNEL32(?,?,?), ref: 00D76DF4
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D76E5F
lstrlenW.KERNEL32(?), ref: 00D76E6A
lstrlenW.KERNEL32(?,?,?), ref: 00D76E9A
lstrlenW.KERNEL32(?,?,?,?), ref: 00D76EBE
GetLastError.KERNEL32(?,?,?), ref: 00D76F15
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,?,?), ref: 00D76F38

Strings

\AdobeArmService.log, xrefs: 00D76CA9
Error Code: , xrefs: 00D76FD8
\AdobeArmService_NotLocked.log, xrefs: 00D76D24
[%04d-%02d-%02d %02d:%02d:%02d:%04d] , xrefs: 00D76E32
ISX_SERIALNUMBER, xrefs: 00D77003
Command line: *Hidden*, xrefs: 00D77040
, xrefs: 00D76C1F, 00D76D9B, 00D76DBE, 00D77097
GetLastError(): , xrefs: 00D76F49

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: File$lstrlen$CreateErrorLastQueryValueWrite$CloseFormatLocalMessageOpenPathPointerSizeTempTime
String ID: $ Error Code: $ GetLastError(): $Command line: *Hidden*$ISX_SERIALNUMBER$[%04d-%02d-%02d %02d:%02d:%02d:%04d] $\AdobeArmService.log$\AdobeArmService_NotLocked.log
API String ID: 2931062074-2171776643
Opcode ID: 1427eeb4a7d75ff4a7ceac617c6a20653929beea857e999bc7256e5d22e00c13
Instruction ID: 06636b793a92135d7811b8ed090577bf43d8ef80edb50c664a59ba6fd167ebe1
Opcode Fuzzy Hash: 1427eeb4a7d75ff4a7ceac617c6a20653929beea857e999bc7256e5d22e00c13
Instruction Fuzzy Hash: CBC164B1640328AADB20AB60DC49FEA77BCEB44710F50C1A6B649E6191FB70DF44CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00D7585A Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 62serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00D75817: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75825
Part of subcall function 00D75817: OpenServiceW.ADVAPI32(00000000,?,00000001,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7583B
Part of subcall function 00D75817: CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75847
Part of subcall function 00D75817: CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7584E

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,LocalService,{935AF1FC-04A6-4335-8A0A-A2004DBEE584}), ref: 00D75889
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,LocalService,{935AF1FC-04A6-4335-8A0A-A2004DBEE584}), ref: 00D758A2
CreateServiceW.ADVAPI32(00000000,?,?,000F01FF,00000010,00000003,00000001,?,00000000,00000000,RPCSS,00000000,00000000,?,LocalService,{935AF1FC-04A6-4335-8A0A-A2004DBEE584}), ref: 00D758CC
CloseServiceHandle.ADVAPI32(00000000,?,LocalService,{935AF1FC-04A6-4335-8A0A-A2004DBEE584}), ref: 00D758D7
CloseServiceHandle.ADVAPI32(00000000,?,LocalService,{935AF1FC-04A6-4335-8A0A-A2004DBEE584}), ref: 00D758E1

Strings

{935AF1FC-04A6-4335-8A0A-A2004DBEE584}, xrefs: 00D7586D
RPCSS, xrefs: 00D758AA
LocalService, xrefs: 00D7587E

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Service$CloseHandle$Open$Manager$CreateFileModuleName
String ID: LocalService$RPCSS${935AF1FC-04A6-4335-8A0A-A2004DBEE584}
API String ID: 923156827-3576560810
Opcode ID: 94b2da9a8dbab566e672a1df91c55353f991ee9f61780a38359c6df35fa7ce5a
Instruction ID: 4a19b0f5678de7ada487e4185cd219f174027fcc7d22f9aa6caeba1151719ce9
Opcode Fuzzy Hash: 94b2da9a8dbab566e672a1df91c55353f991ee9f61780a38359c6df35fa7ce5a
Instruction Fuzzy Hash: 8E01C471311324BBD7205761AC4DEBB7B7CDF4ABA1F004429BA19D6281EBB0D904D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00D7339C Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 245registrycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00D8B580,00000000,00000001,00D924A4,?), ref: 00D73415
StringFromGUID2.OLE32(?,?,00000040), ref: 00D734DA
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019), ref: 00D735A0
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019), ref: 00D73655

Strings

\Implemented Categories, xrefs: 00D73603
CLSID\, xrefs: 00D734EC, 00D735D1
\Required Categories, xrefs: 00D73523

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: InfoQuery$CreateFromInstanceString
String ID: CLSID\$\Implemented Categories$\Required Categories
API String ID: 468587507-4092563799
Opcode ID: bdd02d00480771c3436f303ac4b0dbf8e9a50f07afb72f410cbb9718b886bc3d
Instruction ID: 5f45b19a006306c1584b217178de8cebc9c7d2c88697f16317421ff2d03741e1
Opcode Fuzzy Hash: bdd02d00480771c3436f303ac4b0dbf8e9a50f07afb72f410cbb9718b886bc3d
Instruction Fuzzy Hash: 24913E75A10218AFDB25DF64CC95ADEB7B9EF05314F40859AE64DE7210EB30AE848F70

Uniqueness

Uniqueness Score: -1.00%

Function 00D71BA0 Relevance: 12.1, APIs: 8, Instructions: 135libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00D71BAA
LoadLibraryExW.KERNEL32(?,00000000,00000060,00000424,00D73220,?,00000000,REGISTRY,00000000,00D9248C,Module_Raw,?,00D9248C,Module,?), ref: 00D71BE9
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 00D71BFF
FindResourceW.KERNEL32(00000000,?,?), ref: 00D71C2A
LoadResource.KERNEL32(00000000,00000000), ref: 00D71C42
SizeofResource.KERNEL32(00000000,00000000), ref: 00D71C54

Part of subcall function 00D71225: GetLastError.KERNEL32(00D73283,?,?,00000104,00000104,?,00000022), ref: 00D71225

FreeLibrary.KERNEL32(00000000), ref: 00D71D1D

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: LibraryLoadResource$ErrorFindFreeH_prolog3_catch_LastSizeof
String ID:
API String ID: 1818814483-0
Opcode ID: a88f56c8cc1adbcc894ee798b30a688ba8d99639e2fd2e0c147c276f27c8fcad
Instruction ID: 32173c6c9b72d36a5ea24b62007dc042d2f8ce172fcfcc769109dc2b883cd4d3
Opcode Fuzzy Hash: a88f56c8cc1adbcc894ee798b30a688ba8d99639e2fd2e0c147c276f27c8fcad
Instruction Fuzzy Hash: 064193B594021D9BCB219F58CC94BEDB6B4EF48310F14C1AAF60DA7251EB308E858F79

Uniqueness

Uniqueness Score: -1.00%

Function 00D746A6 Relevance: 12.1, APIs: 8, Instructions: 110filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00D746C6
FindFirstFileW.KERNEL32(?,?,00000000,?,00000208), ref: 00D74748
lstrcmpW.KERNEL32(?,00D9166C,00000000,?,00000208,?,00000208), ref: 00D747B2
lstrcmpW.KERNEL32(?,00D91670,?,00000208,?,00000208), ref: 00D747C6
DeleteFileW.KERNEL32(?,00000000,?,00000208,?,00000208), ref: 00D747E6
FindNextFileW.KERNEL32(00000000,00000010,?,00000208,?,00000208), ref: 00D747F2
FindClose.KERNEL32(00000000,?,00000208), ref: 00D74801
RemoveDirectoryW.KERNEL32(?,?,00000208), ref: 00D74808

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: FileFind$lstrcmp$CloseDeleteDirectoryFirstNextRemovelstrlen
String ID:
API String ID: 1706569912-0
Opcode ID: efedc4e8a95abda94416da0811fcac7c1a6d94213458ec9d2b0aad2e282df0a0
Instruction ID: c8feb0bf01c243c61bfbdff70f9dc6d7cdf0e8d6312881d5d81311a5133d38b9
Opcode Fuzzy Hash: efedc4e8a95abda94416da0811fcac7c1a6d94213458ec9d2b0aad2e282df0a0
Instruction Fuzzy Hash: 9231C4312143549BD325DB60DC89FAB77ACEF41310F54852EB589C2190FB31D908C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 00D758F8 Relevance: 10.6, APIs: 7, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00D75817: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75825
Part of subcall function 00D75817: OpenServiceW.ADVAPI32(00000000,?,00000001,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7583B
Part of subcall function 00D75817: CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75847
Part of subcall function 00D75817: CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7584E

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7591F
OpenServiceW.ADVAPI32(00000000,?,00010020,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75938
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75945
ControlService.ADVAPI32(00000000,00000001,?,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75956
DeleteService.ADVAPI32(00000000,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7595D
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75966
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7596D

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Service$CloseHandle$Open$Manager$ControlDelete
String ID:
API String ID: 1030361227-0
Opcode ID: 5a2d25ab340421a8614f61ca96464752dfc9fa466eefe937393e45534e4f28ba
Instruction ID: cdb153ce54da3d1db1f441cb6695ccb4984330f00d826117890e04c1d17b166d
Opcode Fuzzy Hash: 5a2d25ab340421a8614f61ca96464752dfc9fa466eefe937393e45534e4f28ba
Instruction Fuzzy Hash: C2019631610705EBC7206B75AC89B7B77BC9B49B61F04442AFA1AD2245EBB4DC049B72

Uniqueness

Uniqueness Score: -1.00%

Function 00D83CB8 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1451COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D83E33

Strings

1#SNAN, xrefs: 00D84FCA
1#IND, xrefs: 00D84FC3
1#QNAN, xrefs: 00D84FD1
1#INF, xrefs: 00D84FEE

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a2d0fbcb27844a65ae3d7a2e8a87bd5182aa92002200286a47f99f17eaeeb90a
Instruction ID: dfb2006df1374b17dcc32571d5a134c37d056e35ff57daa3dd583aa5260e92b6
Opcode Fuzzy Hash: a2d0fbcb27844a65ae3d7a2e8a87bd5182aa92002200286a47f99f17eaeeb90a
Instruction Fuzzy Hash: B1C23C71E046298FDB25EF28DD407EAB7B9EB48315F1441EAD84DE7240E774AE818F60

Uniqueness

Uniqueness Score: -1.00%

Function 00D7799F Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D77ABE,00D8B650,00000017), ref: 00D779A4
UnhandledExceptionFilter.KERNEL32(00D8B650,?,00D77ABE,00D8B650,00000017), ref: 00D779AD
GetCurrentProcess.KERNEL32(C0000409,?,00D77ABE,00D8B650,00000017), ref: 00D779B8
TerminateProcess.KERNEL32(00000000,?,00D77ABE,00D8B650,00000017), ref: 00D779BF

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 766d3c652e4983f65dbc226c8182694aa3627c37163e859e5de5ee7b7bcc90db
Instruction ID: ba1b069c1b692191e185041d6f221fa881521aaa35bd72eccb94565b46f08519
Opcode Fuzzy Hash: 766d3c652e4983f65dbc226c8182694aa3627c37163e859e5de5ee7b7bcc90db
Instruction Fuzzy Hash: 7ED01232820308AFCA002BE0EC1CA893F28EB092A2F084402FB0ECA222CB3144408B71

Uniqueness

Uniqueness Score: -1.00%

Function 00D7D08E Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00D7D186
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D7D190
UnhandledExceptionFilter.KERNEL32(?), ref: 00D7D19D

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b87ac1c9ab6468303ba8ada819701d8dfe2873c2a1dda3f0078ff2ed6ed6d910
Instruction ID: 4438383bcbffa9de658c010e031578954afa01d4e69ab1ea955ef2ff797f4380
Opcode Fuzzy Hash: b87ac1c9ab6468303ba8ada819701d8dfe2873c2a1dda3f0078ff2ed6ed6d910
Instruction Fuzzy Hash: AB31C675901329ABCB21DF24D98978DB7B4BF08310F5081DAE80CA6251EB709B858F64

Uniqueness

Uniqueness Score: -1.00%

Function 00D76192 Relevance: 4.6, APIs: 3, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00D76AB9,?,?,00000000,00D76424,00000054,00D76736,?,00D92634,00000002,00000020,00000220,0000009C,00D768C6), ref: 00D761BE
__Init_thread_footer.LIBCMT ref: 00D761E5

Part of subcall function 00D77F0C: EnterCriticalSection.KERNEL32(00D970F8,00D97DFC,?,00D7625C,00D97DFC,00D8A690,?,?,00D76AB9,?,?,00000000,00D76424,00000054,00D76736,?), ref: 00D77F16
Part of subcall function 00D77F0C: LeaveCriticalSection.KERNEL32(00D970F8,?,00D7625C,00D97DFC,00D8A690,?,?,00D76AB9,?,?,00000000,00D76424,00000054,00D76736,?,00D92634), ref: 00D77F49
Part of subcall function 00D77F0C: RtlWakeAllConditionVariable.NTDLL ref: 00D77FC0

__Init_thread_footer.LIBCMT ref: 00D76257

Part of subcall function 00D77F56: EnterCriticalSection.KERNEL32(00D970F8,00D97DD0,00D97DFC,?,00D76209,00D97DFC,?,?,00D76AB9,?,?,00000000,00D76424,00000054,00D76736,?), ref: 00D77F61
Part of subcall function 00D77F56: LeaveCriticalSection.KERNEL32(00D970F8,?,00D76209,00D97DFC,?,?,00D76AB9,?,?,00000000,00D76424,00000054,00D76736,?,00D92634,00000002), ref: 00D77F9E

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionHeapProcessVariableWake
String ID:
API String ID: 3269001908-0
Opcode ID: 5c838d7bf9ccd4623f34a2937f3ace054f570f2c1d3b02aaf108d49fa5b6e4b3
Instruction ID: 2e606c3b3ffffcd58dbac0d0e46bb6c90dd5eb40607f22b9a6179d526bd388bc
Opcode Fuzzy Hash: 5c838d7bf9ccd4623f34a2937f3ace054f570f2c1d3b02aaf108d49fa5b6e4b3
Instruction Fuzzy Hash: DE11367162C701DBC7219B28FE46A7937A0EF81325F15461BE028C67A2FB389444CB7A

Uniqueness

Uniqueness Score: -1.00%

Function 00D7449C Relevance: 4.6, APIs: 3, Instructions: 50fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00D744C2
FindFirstFileW.KERNEL32(?,?), ref: 00D744E7
FindClose.KERNEL32(00000000,?,?), ref: 00D744F3

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 8e53e402c99834a9f1656ef1a583d4a657e9c269b2256278b860cda3610d6bc5
Instruction ID: fff29491c6abd73ecc120eb5eaaa1248aa9c17fd883eb620062e9bfaabe55ea6
Opcode Fuzzy Hash: 8e53e402c99834a9f1656ef1a583d4a657e9c269b2256278b860cda3610d6bc5
Instruction Fuzzy Hash: 7901F272914B105BC2259B78AC4EBAA73988B45330F148717F86CC62D1FB749A0447FA

Uniqueness

Uniqueness Score: -1.00%

Function 00D7E002 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00D7E001,?,?,?,?,?,00D7B95E), ref: 00D7E024
TerminateProcess.KERNEL32(00000000,?,00D7E001,?,?,?,?,?,00D7B95E), ref: 00D7E02B
ExitProcess.KERNEL32 ref: 00D7E03D

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ec617093b114519806468da3ccded60ad14d5b813df1979d121d128ffbaf92b9
Instruction ID: d620034ed0125f5c8d8b4bb74d44a57affdb0b30010cbd33ee6b5739ad106235
Opcode Fuzzy Hash: ec617093b114519806468da3ccded60ad14d5b813df1979d121d128ffbaf92b9
Instruction Fuzzy Hash: FAE04631010208AFCF212B24DC09A5C3B28EF0A3A1B088415F908CA232DB79DC82CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D83820 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43523a755396bc38392e9fa0146aa66d1f5e58df25a9b02c46e2182827a6da6a
Instruction ID: b55720f6268479bfcb2e10bccdd6273fae046be68c01033ba215184d58f6d395
Opcode Fuzzy Hash: 43523a755396bc38392e9fa0146aa66d1f5e58df25a9b02c46e2182827a6da6a
Instruction Fuzzy Hash: 52F13D71E012199FDF14DFA9C8906AEB7F1FF88714F198269D819A7345D731AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D88C3D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D88C38,?,?,00000008,?,?,00D888D0,00000000), ref: 00D88E6A

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7a4625988315afe33a47d997a28a9d9dc841baa853fe7b974f6380381ca6cd06
Instruction ID: 246075e1927976cdd36d9189b8606a24323b8fa133022d124023da82422d3359
Opcode Fuzzy Hash: 7a4625988315afe33a47d997a28a9d9dc841baa853fe7b974f6380381ca6cd06
Instruction Fuzzy Hash: CCB17931210608DFD729DF28C486B647BE0FF44364F698658E9DACF2A1C736E982DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D7830B Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D78321

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: f93db9c331ff5b90b26c7bc0cb614b20d3220a66f7a7b4269f6806b6c64583d4
Instruction ID: 3bd9b36b1a01b5788838878ff64b6b5dcaa4efc166edc6d02479aa526f5e5ebc
Opcode Fuzzy Hash: f93db9c331ff5b90b26c7bc0cb614b20d3220a66f7a7b4269f6806b6c64583d4
Instruction Fuzzy Hash: 73515CB19147058BDB24CF59D8857AAB7F1FB44314F28C86AD809EB391E7B4D940DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D812A0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f677249e94cc51474fcfbb0e63bad1f49669db7f9b558e4b28c2b888b9a8725
Instruction ID: 6ca9a58dd7c37b83ac51493305265e3657f6c2d753e2ab340988ec319bdd32de
Opcode Fuzzy Hash: 7f677249e94cc51474fcfbb0e63bad1f49669db7f9b558e4b28c2b888b9a8725
Instruction Fuzzy Hash: D931C676900219AFCB24EF69CC89EBB77BDEB85310F148159F905D7240EA30DD458B74

Uniqueness

Uniqueness Score: -1.00%

Function 00D78686 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000086A0,00D78105), ref: 00D7868B

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 661ac5589d20a276aa37d7ee9201a23052207be1bb68b0b8689409b35e38f6df
Instruction ID: a4a0e62dd43c31751d84a07e184d7d9d55de50521a3caf8737defefa37f3836c
Opcode Fuzzy Hash: 661ac5589d20a276aa37d7ee9201a23052207be1bb68b0b8689409b35e38f6df
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00D7C3F2 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

0, xrefs: 00D7C58A

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b4e2cd12594e9f4696c94a7a2dbd950f1a6317c423aa962353a14e0c2fa210
Instruction ID: 21c65e7af5d5d23592b990426a931e1275ce2a19beee40b13edd23c9caba5227
Opcode Fuzzy Hash: 34b4e2cd12594e9f4696c94a7a2dbd950f1a6317c423aa962353a14e0c2fa210
Instruction Fuzzy Hash: D46135706206045EDF389A2884A17BE73A5EB41708F6CF41EE48EDB291F722FE458775

Uniqueness

Uniqueness Score: -1.00%

Function 00D876DA Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfdb2c150a130199bb2763fc94032b8cb7e36c9c4686adad3387b9d4884fb1d
Instruction ID: 1e6503360c6e929517d6b01c3e78f69d255005d2982e742c5734b978d623dceb
Opcode Fuzzy Hash: 5dfdb2c150a130199bb2763fc94032b8cb7e36c9c4686adad3387b9d4884fb1d
Instruction Fuzzy Hash: 1C21B373F205395B7B0CC47ECC532BDB6E1C78C601745823AE8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00D875BA Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17771aef928e582da7ca4a25510d441c6adf016f52e087318d03136b150194c
Instruction ID: 35b40f7240bc69b6af360118b9cc09cb7a6a76ec6fe66444ed92814c0e97cc69
Opcode Fuzzy Hash: d17771aef928e582da7ca4a25510d441c6adf016f52e087318d03136b150194c
Instruction Fuzzy Hash: 2811A323F30C255B675C816D8C172BAA1D2EBD825071F533BD826EB284E8A4DE13D2A0

Uniqueness

Uniqueness Score: -1.00%

Function 00D80FC8 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16b7fb2d00ecf7b7eab8a9ca70f313f71ef4b01b14971436b12114f4d8065c6
Instruction ID: 169a24a1f2cbdbdba3f006bd7621d9f89c7801be11410f0dec644f4d61c1d936
Opcode Fuzzy Hash: b16b7fb2d00ecf7b7eab8a9ca70f313f71ef4b01b14971436b12114f4d8065c6
Instruction Fuzzy Hash: FBE08C32911228EBCB24EBCDC90498AFBECFB48B50B154096F601E3110C670EE04C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00D751F0 Relevance: 66.8, APIs: 21, Strings: 17, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,?), ref: 00D75253

Strings

StringCbCopy failed, xrefs: 00D75329
ConvertStringSecurityDescriptorToSecurityDescriptor failed, xrefs: 00D75388
failed to lock , xrefs: 00D75544
GetTempPath failed, xrefs: 00D752FE
\AdobeARM.exe, xrefs: 00D753C2
Unable to copy , xrefs: 00D75442
Unable to find , xrefs: 00D752D5
CreateDirectory failed: , xrefs: 00D753B8
ShellExecuteEx failed , xrefs: 00D7552D
file not valid: , xrefs: 00D754A2
\Adobe\ARM\1.0\AdobeARM.exe, xrefs: 00D752A4
Unable to open , xrefs: 00D7541A
AddRandomFileName failed, xrefs: 00D75349
StringCchCat failed, xrefs: 00D753DF
D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY), xrefs: 00D75366
ShellExecuteEx succeeded, xrefs: 00D7550E
SHGetFolderPath failed, xrefs: 00D75264

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: FolderPath
String ID: AddRandomFileName failed$ConvertStringSecurityDescriptorToSecurityDescriptor failed$CreateDirectory failed: $D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)$GetTempPath failed$SHGetFolderPath failed$ShellExecuteEx failed $ShellExecuteEx succeeded$StringCbCopy failed$StringCchCat failed$Unable to copy $Unable to find $Unable to open $\AdobeARM.exe$\Adobe\ARM\1.0\AdobeARM.exe$failed to lock $file not valid:
API String ID: 1514166925-3774063176
Opcode ID: e16ffd624c35085842b19d87ae16d99bd1fd1d0f6dca439031b34a38c56f4a24
Instruction ID: ef3cbe5a6327948b4da85d545efc207caee0039735d81a2555389d0e3a582333
Opcode Fuzzy Hash: e16ffd624c35085842b19d87ae16d99bd1fd1d0f6dca439031b34a38c56f4a24
Instruction Fuzzy Hash: 1F91EAB560071DABDB109B20EC98FEB73BDEB44714F10C2A6B50AE6245FB749E448B71

Uniqueness

Uniqueness Score: -1.00%

Function 00D74E21 Relevance: 49.3, APIs: 12, Strings: 16, Instructions: 283
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D74E2B

Part of subcall function 00D76644: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00D76669

SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,?,?,00000A70,00D74B6B,?,00000000,00000000), ref: 00D74E77
GetLastError.KERNEL32(?,?,00000A70,00D74B6B,?,00000000,00000000), ref: 00D74E82
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000A70,00D74B6B,?,00000000,00000000), ref: 00D75106
GetLastError.KERNEL32(?,?,?,?,00000A70,00D74B6B,?,00000000,00000000), ref: 00D7510E
ShellExecuteExW.SHELL32(?), ref: 00D7519A

Part of subcall function 00D74823: __EH_prolog3_GS.LIBCMT ref: 00D7482D
Part of subcall function 00D74823: SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,?,?,?), ref: 00D748F4

CloseHandle.KERNEL32(00000000,?,?,?,?,00000A70,00D74B6B,?,00000000,00000000), ref: 00D751E4

Strings

\AdobeARMHelper.exe, xrefs: 00D75048, 00D7505E
StringCbCopy failed, xrefs: 00D74EBD
create sRandPath failed: , xrefs: 00D750CD
Service workflow failed, file not valid: , xrefs: 00D75140
Failed to create random folder: , xrefs: 00D750E8
Temp, xrefs: 00D74FF8
ShellExecuteEx failed , xrefs: 00D751C3
The r_s function failed!, xrefs: 00D74F3F
\Adobe\ARM\1.0\AdobeARMHelper.exe, xrefs: 00D74EC7
Unable to find: , xrefs: 00D74F0E
\Adobe\ARM\1.0\Temp\, xrefs: 00D74FE8
Failed to copy: , xrefs: 00D7508D
StringCchCat failed, xrefs: 00D74EE8
Unable to lock for validation , xrefs: 00D751D2
ShellExecuteEx succeeded, xrefs: 00D751AA
SHGetFolderPath failed, xrefs: 00D74E8F

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: FolderPath$ErrorH_prolog3_Last$CloseCreateExecuteFileHandleShell
String ID: Failed to copy: $Failed to create random folder: $SHGetFolderPath failed$Service workflow failed, file not valid: $ShellExecuteEx failed $ShellExecuteEx succeeded$StringCbCopy failed$StringCchCat failed$Temp$The r_s function failed!$Unable to find: $Unable to lock for validation $\AdobeARMHelper.exe$\Adobe\ARM\1.0\AdobeARMHelper.exe$\Adobe\ARM\1.0\Temp\$create sRandPath failed:
API String ID: 2628836480-1612773964
Opcode ID: 088ff05f9aa8e9e147c38bdb5b3f4da7fe2872754464bbaf8e1cd62f8d01d43d
Instruction ID: fd8f267cf58e3fb161e03a5dbc0e2bc16c52dbffade2cc81c517e1594034b5d6
Opcode Fuzzy Hash: 088ff05f9aa8e9e147c38bdb5b3f4da7fe2872754464bbaf8e1cd62f8d01d43d
Instruction Fuzzy Hash: AC91E6B5A00319ABDB21A720DC85FEA727DEB44310F50C5A6F50EE6285FB709E448B72

Uniqueness

Uniqueness Score: -1.00%

Function 00D74928 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D76644: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00D76669

Part of subcall function 00D776C4: OpenFileMappingW.KERNEL32(00000004,00000000,?,00000000), ref: 00D7770E
Part of subcall function 00D776C4: GetLastError.KERNEL32(?,Could not open file mapping object.,?,?,ReadSharedMemory(): ), ref: 00D77743

Part of subcall function 00D77640: OpenFileMappingW.KERNEL32(000F001F,00000000,?), ref: 00D77682
Part of subcall function 00D77640: GetLastError.KERNEL32 ref: 00D7768C

Part of subcall function 00D74298: RegDeleteValueW.ADVAPI32(?,iLastSvcFailure,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D7432A
Part of subcall function 00D74298: RegDeleteValueW.ADVAPI32(?,iLastSvcErrorCode,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D74336
Part of subcall function 00D74298: RegDeleteValueW.ADVAPI32(?,iSvcErrorCount,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D74342
Part of subcall function 00D74298: GetTickCount64.KERNEL32 ref: 00D74348
Part of subcall function 00D74298: RegSetValueExW.ADVAPI32(?,iLastSvcSuccess,00000000,00000004,?,00000004,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D74367

Part of subcall function 00D74298: RegSetValueExW.ADVAPI32(?,iLastSvcFailure,00000000,00000004,?,00000004,?,?,?,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D743FE
Part of subcall function 00D74298: RegSetValueExW.ADVAPI32(?,iLastSvcErrorCode,00000000,00000004,?,00000004,?,?,?,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D7441F
Part of subcall function 00D74298: RegSetValueExW.ADVAPI32(?,iSvcErrorCount,00000000,00000004,?,00000004,?,?,?,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D74471

_wcsstr.LIBVCRUNTIME ref: 00D74A1A
_wcsstr.LIBVCRUNTIME ref: 00D74BD2

Strings

manifest path: , xrefs: 00D74A91, 00D74C41
/MANIFEST:", xrefs: 00D74A9D
/sessionid, xrefs: 00D74D0C
Command line: , xrefs: 00D749C9
StringCb failed , xrefs: 00D74A61
session id, xrefs: 00D74D4B
arm update folder: , xrefs: 00D74BBA
/User, xrefs: 00D74B32
adding armLaunchParameters.sCommandLine, xrefs: 00D74B12
FOLDER:", xrefs: 00D74BDE
UserName, xrefs: 00D74B54
/Svc, xrefs: 00D74CA0
/MANIFEST:", xrefs: 00D74AB3, 00D74C4D, 00D74C58
adding back arm update folder to command line, xrefs: 00D74BF4
/svc, xrefs: 00D74CB6
OnDemand workflow, xrefs: 00D74A30
Service workflow failed, command line invalid (empty), xrefs: 00D74D71
/USER:, xrefs: 00D74B1C, 00D74CC0
copying command line from SM, xrefs: 00D74B8D
/InstallOnDemand, xrefs: 00D74A14
Service workflow failed, User Name invalid (empty), xrefs: 00D74D65
ServiceError, xrefs: 00D74D9D
adding /Svc to cmdline, xrefs: 00D74A59
User id: , xrefs: 00D749F2
/SESSIONID:, xrefs: 00D74CF6

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Value$Delete$ErrorFileLastMappingOpen_wcsstr$Count64FolderPathTick
String ID: /MANIFEST:"$ /SESSIONID:$ /Svc$ /USER:$ FOLDER:"$/InstallOnDemand$/MANIFEST:"$/User$/sessionid$/svc$Command line: $OnDemand workflow$Service workflow failed, User Name invalid (empty)$Service workflow failed, command line invalid (empty)$ServiceError$StringCb failed $User id: $UserName$adding /Svc to cmdline$adding armLaunchParameters.sCommandLine$adding back arm update folder to command line$arm update folder: $copying command line from SM$manifest path: $session id
API String ID: 4023135689-1331359219
Opcode ID: 2539729d66789ab696d1d25340899da32d73aee20b835c858f50b82fc86a8501
Instruction ID: cc05494c15eedb62a016a904df656c9462fe817491e5c625fc0299805fec569a
Opcode Fuzzy Hash: 2539729d66789ab696d1d25340899da32d73aee20b835c858f50b82fc86a8501
Instruction Fuzzy Hash: B4C1A475A10229A6DB15E660CD42AEB73ADEB50340F50C0A9A54EE6285FF30EF45CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00D72499 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 235
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00D724A0
CoTaskMemAlloc.OLE32(00000000,0000006C,00D7278C,00000000,00000000,00000000,00000000), ref: 00D724EF
_wcsstr.LIBVCRUNTIME ref: 00D72558
CharNextW.USER32(?,?,00000000,00000001,0000006C,00D7278C,00000000,00000000,00000000,00000000), ref: 00D72569
CharNextW.USER32(00000000,?,?,00000000,00000001,0000006C,00D7278C,00000000,00000000,00000000,00000000), ref: 00D72572
CharNextW.USER32(00000000,?,?,00000000,00000001,0000006C,00D7278C,00000000,00000000,00000000,00000000), ref: 00D7257B
CharNextW.USER32(00000000,?,?,00000000,00000001,0000006C,00D7278C,00000000,00000000,00000000,00000000), ref: 00D72584
CharNextW.USER32(?,?,00000000,00000001,0000006C,00D7278C,00000000,00000000,00000000,00000000), ref: 00D725BD
CharNextW.USER32(?,?,00000000,00000001,0000006C,00D7278C,00000000,00000000,00000000,00000000), ref: 00D725CF
CharNextW.USER32(00000000,}},?,00000000,00000001,0000006C,00D7278C,00000000,00000000,00000000,00000000), ref: 00D7263F
lstrcmpiW.KERNEL32(?,?,?,?,00D71D16,00000000,?), ref: 00D726A3
CharNextW.USER32(?,00000000,00000000,?,?,00D71D16,00000000,?), ref: 00D726E2
CharNextW.USER32(?,00000000,00000001,0000006C,00D7278C,00000000,00000000,00000000,00000000), ref: 00D72701
CoTaskMemFree.OLE32(?,0000006C,00D7278C,00000000,00000000,00000000,00000000), ref: 00D72741

Strings

HKCR, xrefs: 00D72552
', xrefs: 00D72534
}}, xrefs: 00D72618
HKCU{Software{Classes, xrefs: 00D7258A
%, xrefs: 00D7253B

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CharNext$Task$AllocFreeH_prolog3__wcsstrlstrcmpi
String ID: }}$%$'$HKCR$HKCU{Software{Classes
API String ID: 3264001215-792530599
Opcode ID: 68f8294ed785eaca75b41aa02bcd2765ddfb9f5736457d093355ae38e7e2c3f1
Instruction ID: f8087044faae651b2b30859fda47e80f0cdb84d56a77529f95e32a77998b8ba2
Opcode Fuzzy Hash: 68f8294ed785eaca75b41aa02bcd2765ddfb9f5736457d093355ae38e7e2c3f1
Instruction Fuzzy Hash: 82917A749003859BDF249FA8C9556BDBBF5EF14310F28852EE489EB2A5F7309945CB30

Uniqueness

Uniqueness Score: -1.00%

Function 00D74298 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D76BE9: GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?), ref: 00D76C73
Part of subcall function 00D76BE9: GetLastError.KERNEL32(?,?,?), ref: 00D76C7D

Part of subcall function 00D715F0: GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,00000000,?,?,?,00D717F5,?,00000000,?,00000000,00000000,?), ref: 00D71612
Part of subcall function 00D715F0: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00D71622

RegDeleteValueW.ADVAPI32(?,iLastSvcFailure,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D7432A
RegDeleteValueW.ADVAPI32(?,iLastSvcErrorCode,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D74336
RegDeleteValueW.ADVAPI32(?,iSvcErrorCount,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D74342
GetTickCount64.KERNEL32 ref: 00D74348
RegSetValueExW.ADVAPI32(?,iLastSvcSuccess,00000000,00000004,?,00000004,?,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D74367

Part of subcall function 00D76BE9: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,?,?,?,?,?,?,?,?), ref: 00D76CDF
Part of subcall function 00D76BE9: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,00000000,?,00000104,?,?), ref: 00D76D5A
Part of subcall function 00D76BE9: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 00D76D71
Part of subcall function 00D76BE9: SetFilePointer.KERNEL32(00000000,00000000,00000002,?,?,?,?,?,?,?,?), ref: 00D76D8B
Part of subcall function 00D76BE9: WriteFile.KERNEL32( ,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D76DA6
Part of subcall function 00D76BE9: WriteFile.KERNEL32( ,?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D76DC9
Part of subcall function 00D76BE9: GetLocalTime.KERNEL32(?,?,?), ref: 00D76DF4

Part of subcall function 00D71531: RegCloseKey.ADVAPI32(?,00000000,00D72E2C,00000000,67855110,?,00000000,00000000,?,00D8A426,000000FF,?,00D7286D,?,00000000,00000000), ref: 00D7153C

Strings

iLastSvcErrorCode, xrefs: 00D74330, 00D74414
iLastSvcFailure, xrefs: 00D74324, 00D743F3
iLastSvcSuccess, xrefs: 00D74361
iSvcErrorCount, xrefs: 00D7433C, 00D74432, 00D74466
failed to open arm registry, xrefs: 00D742FD
SetDWORDValue failed to register success time, xrefs: 00D7437B
SOFTWARE\Adobe\Adobe ARM\1.0\ARM, xrefs: 00D742D2
current error time: , xrefs: 00D743CB

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: File$Value$Delete$CreateWrite$AddressCloseCount64ErrorHandleLastLocalModulePathPointerProcSizeTempTickTime
String ID: SOFTWARE\Adobe\Adobe ARM\1.0\ARM$SetDWORDValue failed to register success time$current error time: $failed to open arm registry$iLastSvcErrorCode$iLastSvcFailure$iLastSvcSuccess$iSvcErrorCount
API String ID: 3763661452-565512643
Opcode ID: 1d21140a3c557301831b5ce04a687c10fb9df6186a7b78e15e7fddc9fa56c048
Instruction ID: 874fdbfd4ce8377a401930b9c0d588b4831a9a58eca5598fdd4edc01aea0a27b
Opcode Fuzzy Hash: 1d21140a3c557301831b5ce04a687c10fb9df6186a7b78e15e7fddc9fa56c048
Instruction Fuzzy Hash: CD514F75940229AEDB21ABA4DC89EEEB77CEB45710F00419AB10DA2151EB709E89CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00D73C3E Relevance: 24.3, APIs: 14, Strings: 2, Instructions: 274
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32 ref: 00D73C52

Part of subcall function 00D73B59: SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00D73BB0
Part of subcall function 00D73B59: SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00D73C27

LocalAlloc.KERNEL32(00000040,00000002,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 00D73CF7

Part of subcall function 00D73F95: lstrcmpA.KERNEL32(1.3.6.1.4.1.311.2.1.12,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D73FC3

LocalFree.KERNEL32(00000000), ref: 00D73EF5
LocalFree.KERNEL32(?), ref: 00D73F06
LocalFree.KERNEL32(00000000), ref: 00D73F17
LocalFree.KERNEL32(00000000), ref: 00D73F22
LocalFree.KERNEL32(00000400), ref: 00D73F31
LocalFree.KERNEL32(?), ref: 00D73F6F

Strings

Adobe Inc., xrefs: 00D73E01, 00D73E3E
Adobe Systems, Incorporated, xrefs: 00D73DF6, 00D73E20

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Local$Free$FilePointer$Alloclstrcmplstrlen
String ID: Adobe Inc.$Adobe Systems, Incorporated
API String ID: 2142072499-2494280197
Opcode ID: 0f19452c7785a23aff49ef794b9559890b1ac5d6d2f758008dcf79a242e2725b
Instruction ID: 48b6b348cdadd79e7ef85338824e4e4c79457292cd5c60bc6eb4de110522d7d5
Opcode Fuzzy Hash: 0f19452c7785a23aff49ef794b9559890b1ac5d6d2f758008dcf79a242e2725b
Instruction Fuzzy Hash: C4A14E71644301AFD7218F24CC49B5BBBE8AF48B55F08462EF949E6290EB71DE04DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D77E67 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 58
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00D970F8,00000FA0,?,?,00D77E45), ref: 00D77E73
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00D77E45), ref: 00D77E7E
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00D77E45), ref: 00D77E8F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D77EA1
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D77EAF
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00D77E45), ref: 00D77ED2
___scrt_fastfail.LIBCMT ref: 00D77EE3
DeleteCriticalSection.KERNEL32(00D970F8,00000007,?,?,00D77E45), ref: 00D77EF5
CloseHandle.KERNEL32(00000000,?,?,00D77E45), ref: 00D77F05

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D77E79
kernel32.dll, xrefs: 00D77E8A
SleepConditionVariableCS, xrefs: 00D77E9B
WakeAllConditionVariable, xrefs: 00D77EA7

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3578986977-3242537097
Opcode ID: 729a0abeb1bfeb57180aeda2dcad8ea6c2ed9eca8e69f1e1c12e9bf5fc8fc71e
Instruction ID: 725a8f8578bee706e33487f1ee30165bfcc314df18980f0f3f2931022342c44d
Opcode Fuzzy Hash: 729a0abeb1bfeb57180aeda2dcad8ea6c2ed9eca8e69f1e1c12e9bf5fc8fc71e
Instruction Fuzzy Hash: DE018875B693136FDB215B75ED1EA663A68DB41B21B044853FD09EA3A0FB70CC048771

Uniqueness

Uniqueness Score: -1.00%

Function 00D77514 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA),00000001,?,00000000), ref: 00D7754A
GetLastError.KERNEL32 ref: 00D77555

Part of subcall function 00D77340: Sleep.KERNEL32(0000000A,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F,00000000), ref: 00D773F6
Part of subcall function 00D77340: GetLocalTime.KERNEL32(?), ref: 00D77403
Part of subcall function 00D77340: FormatMessageW.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000), ref: 00D7747E

CreateFileMappingW.KERNEL32(000000FF,0000000C,00000004,00000000,00001E78,?), ref: 00D775A6
GetLastError.KERNEL32 ref: 00D775B1
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00001E78), ref: 00D775D3
GetLastError.KERNEL32 ref: 00D775E0

Strings

could not create file mapping object, xrefs: 00D775B7
failed, xrefs: 00D7755C
Status ConvertStringSecurityDescriptorToSecurityDescriptor, xrefs: 00D77561
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA), xrefs: 00D77545
Could not map view of file., xrefs: 00D775E6
CreateSharedMemory(), xrefs: 00D775BD

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ErrorLast$DescriptorFileSecurity$ConvertCreateFormatLocalMappingMessageSleepStringTimeView
String ID: Could not map view of file.$CreateSharedMemory()$D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)$Status ConvertStringSecurityDescriptorToSecurityDescriptor$could not create file mapping object$failed
API String ID: 1285132015-1192201272
Opcode ID: 4f89577ea32a47b9b05ed52e6e43753141e7387269d56140f4a96c0fe0597703
Instruction ID: 8da45238c6528dd8fcbcf9ad3fd41a40993644d4ff0cffd6e5b41f2f80cb57de
Opcode Fuzzy Hash: 4f89577ea32a47b9b05ed52e6e43753141e7387269d56140f4a96c0fe0597703
Instruction Fuzzy Hash: 973198B25553187FD720EB709C89FFBB7ACDB04764F10896AB519D2291FA309E448B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D82CAD Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 00D82CF1

Part of subcall function 00D8283C: _free.LIBCMT ref: 00D82859
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D8286B
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D8287D
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D8288F
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D828A1
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D828B3
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D828C5
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D828D7
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D828E9
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D828FB
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D8290D
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D8291F
Part of subcall function 00D8283C: _free.LIBCMT ref: 00D82931

_free.LIBCMT ref: 00D82CE6

Part of subcall function 00D7F042: HeapFree.KERNEL32(00000000,00000000,?,00D829CD,?,00000000,?,?,?,00D829F4,?,00000007,?,?,00D82E44,?), ref: 00D7F058
Part of subcall function 00D7F042: GetLastError.KERNEL32(?,?,00D829CD,?,00000000,?,?,?,00D829F4,?,00000007,?,?,00D82E44,?,?), ref: 00D7F06A

_free.LIBCMT ref: 00D82D08
_free.LIBCMT ref: 00D82D1D
_free.LIBCMT ref: 00D82D28
_free.LIBCMT ref: 00D82D4A
_free.LIBCMT ref: 00D82D5D
_free.LIBCMT ref: 00D82D6B
_free.LIBCMT ref: 00D82D76
_free.LIBCMT ref: 00D82DAE
_free.LIBCMT ref: 00D82DB5
_free.LIBCMT ref: 00D82DD2
_free.LIBCMT ref: 00D82DEA

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 385841310ea2dc40eb23ad77d07af6b5ec5e2bad5d58b2a5cd8c7ed9f009e46c
Instruction ID: 9ef97585ff405d57ab340760b3d4f685ea348b88543f5752aefc24eb02d29f45
Opcode Fuzzy Hash: 385841310ea2dc40eb23ad77d07af6b5ec5e2bad5d58b2a5cd8c7ed9f009e46c
Instruction Fuzzy Hash: CF3148716046059FEB31BB38D845B7A7BE9EF01350F188829E459D7292EA79EC80CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D77340 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 127sleeptimewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D715F0: GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,00000000,?,?,?,00D717F5,?,00000000,?,00000000,00000000,?), ref: 00D71612
Part of subcall function 00D715F0: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00D71622

Part of subcall function 00D71689: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00D716A7

Sleep.KERNEL32(0000000A,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F,00000000), ref: 00D773F6
GetLocalTime.KERNEL32(?), ref: 00D77403
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000), ref: 00D7747E

Strings

iLogLevel, xrefs: 00D773AA
%s (Error code: %d; Error msg: %s), xrefs: 00D77492
ReleaseSharedMemory(), xrefs: 00D77491, 00D774A3
cServiceLog, xrefs: 00D774E4
SOFTWARE\Adobe\Adobe ARM\1.0\ARM, xrefs: 00D7735F
[%04d-%02d-%02d %02d:%02d:%02d:%04d], xrefs: 00D77441
Could not open file mapping object, xrefs: 00D774C5
-:- , xrefs: 00D774B5

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: AddressFormatHandleLocalMessageModuleProcQuerySleepTimeValue
String ID: -:- $%s (Error code: %d; Error msg: %s)$Could not open file mapping object$ReleaseSharedMemory()$SOFTWARE\Adobe\Adobe ARM\1.0\ARM$[%04d-%02d-%02d %02d:%02d:%02d:%04d]$cServiceLog$iLogLevel
API String ID: 3061991790-3686076387
Opcode ID: e5cff5c25447a566f77ffc866cbcd085400cbc145a727267ff137bcc15f56d36
Instruction ID: 1b1fbf885f2e3a31fcbe7b87c3cb7f1df03c57992f81ed16003a520f204948bd
Opcode Fuzzy Hash: e5cff5c25447a566f77ffc866cbcd085400cbc145a727267ff137bcc15f56d36
Instruction Fuzzy Hash: 0D4160B1901228AACB249B54CC45FEEB77CEB48714F4085EABA09A2141FA709F84CF74

Uniqueness

Uniqueness Score: -1.00%

Function 00D766CD Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 125fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D766D7

Part of subcall function 00D763F2: __EH_prolog3_GS.LIBCMT ref: 00D763F9
Part of subcall function 00D763F2: GetSidLengthRequired.ADVAPI32(?,00000054,00D76736,?,00D92634,00000002,00000020,00000220,0000009C,00D768C6,?,?,?,?,00D74E07), ref: 00D7644B
Part of subcall function 00D763F2: InitializeSid.ADVAPI32(?,?,?,?,?,?,?,00D74E07,?,?,?,?), ref: 00D7645E
Part of subcall function 00D763F2: GetSidSubAuthority.ADVAPI32(?,00000000,?,?,?,?,00D74E07,?,?,?,?), ref: 00D7647F

Part of subcall function 00D76573: GetCurrentThread.KERNEL32 ref: 00D7657C
Part of subcall function 00D76573: OpenThreadToken.ADVAPI32(00000000,0002000A,00000001,00D76748,?,?,?,00D76748), ref: 00D76591

DuplicateToken.ADVAPI32(?,00000002,?), ref: 00D76754
CheckTokenMembership.ADVAPI32(?,?,?), ref: 00D76791
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU),00000001,?), ref: 00D767C0
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 00D767EE
WriteFile.KERNEL32(00000000,?,00000002,?,00000000), ref: 00D7680A
WriteFile.KERNEL32(00000000,[SESSION],00000000,?,00000000), ref: 00D76832
GetLastError.KERNEL32 ref: 00D7683C
CloseHandle.KERNEL32(00000000), ref: 00D76847

Strings

[SESSION], xrefs: 00D7681B, 00D76821, 00D76830
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU), xrefs: 00D767B5

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: FileToken$DescriptorH_prolog3_SecurityThreadWrite$AuthorityCheckCloseConvertCreateCurrentDuplicateErrorHandleInitializeLastLengthMembershipOpenRequiredString
String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)$[SESSION]
API String ID: 1817579604-2837497842
Opcode ID: d6356b89cc5a8434faaffa972e4a8d651e5a61b27e9c895eb512fb59051bcc79
Instruction ID: bc38cfddbd0567b8a13d31f056ba179068d5df9119473a1f3e4b3c419f3e3752
Opcode Fuzzy Hash: d6356b89cc5a8434faaffa972e4a8d651e5a61b27e9c895eb512fb59051bcc79
Instruction Fuzzy Hash: 5F414070900218ABDB20DB65CC49FDEBBB8EB55710F54809AA549E7292FB708A45CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00D776C4 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 113fileCOMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNEL32(00000004,00000000,?,00000000), ref: 00D7770E
GetLastError.KERNEL32(?,Could not open file mapping object.,?,?,ReadSharedMemory(): ), ref: 00D77743
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00001E78), ref: 00D77760
GetLastError.KERNEL32(?,Could not map view of file.,?,?,ReadSharedMemory(): ), ref: 00D77795
CloseHandle.KERNEL32(00000000,?,ReadSharedMemory(): ), ref: 00D777A2
UnmapViewOfFile.KERNEL32(00000000), ref: 00D777D6
CloseHandle.KERNEL32(00000000), ref: 00D777DD

Strings

Could not open file mapping object., xrefs: 00D77738
Could not map view of file., xrefs: 00D7778A
ReadSharedMemory(): , xrefs: 00D7771B, 00D7776D, 00D777E4
succeeded. mapping obj name: %s, xrefs: 00D777FD

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: File$CloseErrorHandleLastView$MappingOpenUnmap
String ID: Could not map view of file.$Could not open file mapping object.$ReadSharedMemory(): $succeeded. mapping obj name: %s
API String ID: 4104906822-131793601
Opcode ID: d6792f1d5ea6de744b0552560988c4986e726afecb98b692f46cd760ad9261f7
Instruction ID: 2763e994dbf3d9f5d2a43558c26f42d639040dda4d5a173382a4f2fb37f11196
Opcode Fuzzy Hash: d6792f1d5ea6de744b0552560988c4986e726afecb98b692f46cd760ad9261f7
Instruction Fuzzy Hash: 2131A1B16103047BD714AB70CC8EEAB77ADEB84714F108969B16AD2282FFB4DA448770

Uniqueness

Uniqueness Score: -1.00%

Function 00D76884 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000355,?,?,?,?,00D74E07,?,?,?,?), ref: 00D76897
GetFileAttributesW.KERNEL32(?,?,?,?,?,00D74E07,?,?,?,?), ref: 00D768B1
lstrlenW.KERNEL32(00000000,?,00000000,?,?,?,?,00D74E07,?,?,?,?), ref: 00D76901
_wcsstr.LIBVCRUNTIME ref: 00D76917

Strings

PingFilesList, xrefs: 00D7698E, 00D769B9
SESSION, xrefs: 00D76993, 00D769BE

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: lstrlen$AttributesFile_wcsstr
String ID: PingFilesList$SESSION
API String ID: 2094175825-1744757727
Opcode ID: ca8b67b5eb59aff45caa7a20af83a5ab78a516f0b2cc28a313212db73dcf0131
Instruction ID: 9d69f47ba9a3eff0d54f52e9f1f6df2bd08cda99cbc2c0c90be3333dc85e1f8e
Opcode Fuzzy Hash: ca8b67b5eb59aff45caa7a20af83a5ab78a516f0b2cc28a313212db73dcf0131
Instruction Fuzzy Hash: C531E872700605BFDF155B649C4AB7E76A9DF44720F14812AF609E6291FBB0CE009B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D728AD Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 407stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D71DF6: CharNextW.USER32(00000000,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E2B
Part of subcall function 00D71DF6: CharNextW.USER32(00000000,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E4A
Part of subcall function 00D71DF6: CharNextW.USER32(00000027,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E60
Part of subcall function 00D71DF6: CharNextW.USER32(00000027,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E6B
Part of subcall function 00D71DF6: CharNextW.USER32(?,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71EC8

lstrcmpiW.KERNEL32 ref: 00D72921
lstrcmpiW.KERNEL32(00000000,ForceRemove), ref: 00D72932

Strings

NoRemove, xrefs: 00D72A0A
ForceRemove, xrefs: 00D72929
Delete, xrefs: 00D72911
Val, xrefs: 00D72A38

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CharNext$lstrcmpi
String ID: Delete$ForceRemove$NoRemove$Val
API String ID: 3586774192-1781481701
Opcode ID: f6469559eb70ec857bcb791163248d1fa6abd227ab6716d70e95e31a47df46d9
Instruction ID: 8a46355a0662f85a98c335db98a1366e91614b29c94cb88b44ef57b7921acb2d
Opcode Fuzzy Hash: f6469559eb70ec857bcb791163248d1fa6abd227ab6716d70e95e31a47df46d9
Instruction Fuzzy Hash: AEE18731D01265ABCF35ABA48C99ABEB2B4EF54710F0481AAE90DA7151F7348F85CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A501 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00D7A5FC
type_info::operator==.LIBVCRUNTIME ref: 00D7A623
___TypeMatch.LIBVCRUNTIME ref: 00D7A72F
IsInExceptionSpec.LIBVCRUNTIME ref: 00D7A80A
_UnwindNestedFrames.LIBCMT ref: 00D7A891
CallUnexpected.LIBVCRUNTIME ref: 00D7A8AC

Strings

csm, xrefs: 00D7A65A
csm, xrefs: 00D7A53C
csm, xrefs: 00D7A5A9

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 95b348655e04a9a5678c313e7bd916e36792f9f181368e81a52b5d03ad58c638
Instruction ID: 542a83e7203f8aeeb9d18b7b23d414848552065a2a1920ec3f9ac4b1cb3354a5
Opcode Fuzzy Hash: 95b348655e04a9a5678c313e7bd916e36792f9f181368e81a52b5d03ad58c638
Instruction Fuzzy Hash: 76C13E71800219DFCF19DF98C8819AEBBB5FF94310F58815AE8196B212E735D952CBB3

Uniqueness

Uniqueness Score: -1.00%

Function 00D736CF Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 120registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D73228: GetModuleFileNameW.KERNEL32(?,?,00000104,00000104,?,00000022), ref: 00D73274

SysStringLen.OLEAUT32(?), ref: 00D73751
CharNextW.USER32(?), ref: 00D73790
GetModuleHandleW.KERNEL32(OLEAUT32.DLL), ref: 00D737E7
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00D737F7
RegisterTypeLib.OLEAUT32 ref: 00D7381E
SysFreeString.OLEAUT32(?), ref: 00D73828
SysFreeString.OLEAUT32(?), ref: 00D7384E

Strings

RegisterTypeLibForUser, xrefs: 00D737F1
OLEAUT32.DLL, xrefs: 00D737E2

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: String$FreeModule$AddressCharFileHandleNameNextProcRegisterType
String ID: OLEAUT32.DLL$RegisterTypeLibForUser
API String ID: 2807994621-2666564778
Opcode ID: a6ba2db729d9dbacce57aa7c90f5d5fe75f6a9abbd6c1fd2046b05916492d4b4
Instruction ID: ac1d29a3e0349064f21ed4dcf48fdfe9f0f8d223dc5cbaf071bca71e5f1f31b9
Opcode Fuzzy Hash: a6ba2db729d9dbacce57aa7c90f5d5fe75f6a9abbd6c1fd2046b05916492d4b4
Instruction Fuzzy Hash: AB417671A003299BCB219B65DC8CA9E7BB4EF55320F0445A6E40DE3261EB709E84CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00D7145D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,00000000,?,00D72DA0,?), ref: 00D71478
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00D71488
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00D714B5
GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,00000000,?,00D72DA0,?), ref: 00D714D1
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D714E1
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00D71525

Strings

RegDeleteKeyTransactedW, xrefs: 00D71482
Advapi32.dll, xrefs: 00D71473, 00D714CC
RegDeleteKeyExW, xrefs: 00D714DB

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 588496660-1053001802
Opcode ID: 4338569e96a907a99f7aab1a4df720adf86b7c42b4715ae2371a48f5c0fb8807
Instruction ID: 59351485faedb582fe09f6259224a746545797072689ae1561d2f80fd59becbe
Opcode Fuzzy Hash: 4338569e96a907a99f7aab1a4df720adf86b7c42b4715ae2371a48f5c0fb8807
Instruction Fuzzy Hash: F2218079615301AFCB211B68DC08F6A7BA8EB44765F198216F84AD2360EB75D850DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D71F50 Relevance: 15.3, APIs: 10, Instructions: 328registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D71DF6: CharNextW.USER32(00000000,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E2B
Part of subcall function 00D71DF6: CharNextW.USER32(00000000,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E4A
Part of subcall function 00D71DF6: CharNextW.USER32(00000027,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E60
Part of subcall function 00D71DF6: CharNextW.USER32(00000027,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E6B
Part of subcall function 00D71DF6: CharNextW.USER32(?,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71EC8

lstrcmpiW.KERNEL32(?,00D910A4,?,67855110,00000000,00000000,?,?,?,00D8A3B6,000000FF,?,00D72BF6,?,00000000,00000000), ref: 00D71FCD
lstrcmpiW.KERNEL32(?,00D910A8,?,00D72BF6,?,00000000,00000000,00000000,?,00000000,0002001F), ref: 00D71FE7
CharNextW.USER32(00000000,?,?,00D72BF6,?,00000000,00000000,00000000,?,00000000,0002001F), ref: 00D72106
CharNextW.USER32(00000000,?,00D72BF6,?,00000000,00000000,00000000,?,00000000,0002001F), ref: 00D72122
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,00000000,?,?,00D72BF6,?,00000000,00000000,00000000,?,00000000,0002001F), ref: 00D72178
VarUI4FromStr.OLEAUT32(?,00000000,00000000,?), ref: 00D721BB
RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 00D7232D
RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,?,?,00D72BF6,?,00000000,00000000,00000000,?,00000000,0002001F), ref: 00D72373

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CharNext$Value$lstrcmpi$From
String ID:
API String ID: 252513887-0
Opcode ID: dc42a228890b04d56de7f2c859dc0dd0757e0bffdc36ebdd1aefa63fe91e1ec6
Instruction ID: cbc5de860c527decf46c27a31356f4c8dcb129399092611ff3cbe097db2b0b2c
Opcode Fuzzy Hash: dc42a228890b04d56de7f2c859dc0dd0757e0bffdc36ebdd1aefa63fe91e1ec6
Instruction Fuzzy Hash: ACC1B271D002689ADB359B64CC89AFDB7B8EB18310F1580AAE70DE7251F7349E94CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D7F611 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D7F627

Part of subcall function 00D7F042: HeapFree.KERNEL32(00000000,00000000,?,00D829CD,?,00000000,?,?,?,00D829F4,?,00000007,?,?,00D82E44,?), ref: 00D7F058
Part of subcall function 00D7F042: GetLastError.KERNEL32(?,?,00D829CD,?,00000000,?,?,?,00D829F4,?,00000007,?,?,00D82E44,?,?), ref: 00D7F06A

_free.LIBCMT ref: 00D7F633
_free.LIBCMT ref: 00D7F63E
_free.LIBCMT ref: 00D7F649
_free.LIBCMT ref: 00D7F654
_free.LIBCMT ref: 00D7F65F
_free.LIBCMT ref: 00D7F66A
_free.LIBCMT ref: 00D7F675
_free.LIBCMT ref: 00D7F680
_free.LIBCMT ref: 00D7F68E

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0cd6a513f710d73bedafc88dce041d35d1144168b6da00f505cbb05c804f3572
Instruction ID: 6fce5941b0d2ca37fb0730cb3338def2e87e82ec774413de5ea23d366c060f82
Opcode Fuzzy Hash: 0cd6a513f710d73bedafc88dce041d35d1144168b6da00f505cbb05c804f3572
Instruction Fuzzy Hash: A921AD76900108BFCB51EFA4C841DDE7BB9FF08340F018165F5599B222EB75EA44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D75AD1 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 85threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(00000012,00000000,00000000,00000003), ref: 00D75B21

Part of subcall function 00D751F0: SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,?), ref: 00D75253

Part of subcall function 00D76BE9: GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?), ref: 00D76C73
Part of subcall function 00D76BE9: GetLastError.KERNEL32(?,?,?), ref: 00D76C7D

Strings

entered REGISTER_POSTPONE_UPDATE, xrefs: 00D75B70
finished UNINSTALL_ARM, xrefs: 00D75B9F
create SM succeeded, xrefs: 00D75BD3
entered IS_AVAILABLE, xrefs: 00D75B31
entered UNINSTALL_ARM, xrefs: 00D75B8C
Bad service request, xrefs: 00D75B56
entered ELEVATE_ARM, xrefs: 00D75BB7

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Path$ErrorFolderLastMessagePostTempThread
String ID: Bad service request$create SM succeeded$entered ELEVATE_ARM$entered IS_AVAILABLE$entered REGISTER_POSTPONE_UPDATE$entered UNINSTALL_ARM$finished UNINSTALL_ARM
API String ID: 1264251457-3659575770
Opcode ID: 9f07c9f48212c69aa13da0df0910a6ff90037fc7a9de807631951f399081e8b3
Instruction ID: a4240240e32e7c760e1a700c7276c3c0b295b17f23f12d0ff121dcbb6922cc9b
Opcode Fuzzy Hash: 9f07c9f48212c69aa13da0df0910a6ff90037fc7a9de807631951f399081e8b3
Instruction Fuzzy Hash: 83219D3138CF0666EB2926783D17B3D1201D782720F6CC21AB24DA96DEFDD2D910927B

Uniqueness

Uniqueness Score: -1.00%

Function 00D7561B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 81registryCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D75628

Part of subcall function 00D758F8: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7591F
Part of subcall function 00D758F8: OpenServiceW.ADVAPI32(00000000,?,00010020,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75938
Part of subcall function 00D758F8: CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75945

Part of subcall function 00D715F0: GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,00000000,?,?,?,00D717F5,?,00000000,?,00000000,00000000,?), ref: 00D71612
Part of subcall function 00D715F0: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00D71622

CoUninitialize.OLE32(?,?,?,00000067,00000001,00000000), ref: 00D756F6
RegDeleteValueW.ADVAPI32(?,LocalService,?,{935AF1FC-04A6-4335-8A0A-A2004DBEE584},0002001F,80000000,AppID,0002001F,?,00000067,00000001,00000000), ref: 00D756AA

Part of subcall function 00D71531: RegCloseKey.ADVAPI32(?,00000000,00D72E2C,00000000,67855110,?,00000000,00000000,?,00D8A426,000000FF,?,00D7286D,?,00000000,00000000), ref: 00D7153C

Strings

AdobeARMservice, xrefs: 00D756B6
{935AF1FC-04A6-4335-8A0A-A2004DBEE584}, xrefs: 00D75688, 00D75692
AppID, xrefs: 00D75657
ServiceParameters, xrefs: 00D756C5
LocalService, xrefs: 00D756A1, 00D756A6, 00D756B5

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CloseHandleOpenService$AddressDeleteInitializeManagerModuleProcUninitializeValue
String ID: AdobeARMservice$AppID$LocalService$ServiceParameters${935AF1FC-04A6-4335-8A0A-A2004DBEE584}
API String ID: 1063889971-485261821
Opcode ID: cad9273ec4701834936700576fb4cb79ea286645baf5ef7f99b7eae5ff3f1cab
Instruction ID: 8f382c519ffe40c25a41b5cc0c6dce5796990fb722234bb70ff078d9afebf592
Opcode Fuzzy Hash: cad9273ec4701834936700576fb4cb79ea286645baf5ef7f99b7eae5ff3f1cab
Instruction Fuzzy Hash: DA218135E00319ABCB14ABA8DCD69BEB775EF44350F508129F90AB7292EB705D05CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D76B3F Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,00000000,00020019,?,?,?,?,00D76C12,?,?), ref: 00D76B72
RegQueryValueExW.ADVAPI32(?,iLogLevel,00000000,00D76C12,?,?,?,?,?,00D76C12,?,?), ref: 00D76B9B
RegQueryValueExW.ADVAPI32(?,iLogLevelDev,00000000,00D76C12,?,?,?,?,?,00D76C12,?,?), ref: 00D76BC2
RegCloseKey.ADVAPI32(?,?,?,?,00D76C12,?,?), ref: 00D76BDE

Strings

iLogLevelDev, xrefs: 00D76BBA
iLogLevel, xrefs: 00D76B93
SOFTWARE\Adobe\Adobe ARM\1.0\ARM, xrefs: 00D76B58

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: SOFTWARE\Adobe\Adobe ARM\1.0\ARM$iLogLevel$iLogLevelDev
API String ID: 1586453840-187695373
Opcode ID: a59adf8968350c56aa8779e886469a1ffa899bf84bd273e11d4996e1764f9394
Instruction ID: fef3d7a1ed0150d8b852ae195758d1b1d16be1bd9c7a2dcb1f14831dbfb5a3f0
Opcode Fuzzy Hash: a59adf8968350c56aa8779e886469a1ffa899bf84bd273e11d4996e1764f9394
Instruction Fuzzy Hash: F511F6B1A01219FECB208F92DC89EEFBBB8FB45754F10406AE515E2210E3708A04CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D73228 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000104,?,00000022), ref: 00D73274

Part of subcall function 00D71225: GetLastError.KERNEL32(00D73283,?,?,00000104,00000104,?,00000022), ref: 00D71225

Strings

.tlb, xrefs: 00D732EB

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: .tlb
API String ID: 2776309574-1487266626
Opcode ID: d84a7d16ecfb78f40152ab91bae3c9b7090d75994e8ed44942faaafa11f71a62
Instruction ID: 6029ec0ceec0d3efb902bf553ac08dc26372f093bdfc8144b33f276828942aac
Opcode Fuzzy Hash: d84a7d16ecfb78f40152ab91bae3c9b7090d75994e8ed44942faaafa11f71a62
Instruction Fuzzy Hash: CF41A77561132A9FCB20DFA4C884BAE73B8EB44364F1484A9E949DB200FB74DF459B74

Uniqueness

Uniqueness Score: -1.00%

Function 00D79EE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D79F17
___except_validate_context_record.LIBVCRUNTIME ref: 00D79F1F
_ValidateLocalCookies.LIBCMT ref: 00D79FA8
__IsNonwritableInCurrentImage.LIBCMT ref: 00D79FD3
_ValidateLocalCookies.LIBCMT ref: 00D7A028

Strings

csm, xrefs: 00D79FBD

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d3421a07c49396680ed6a800cfd5a2ca47ccb208a6d6b25d9c9eae7e694dd25b
Instruction ID: 626b868f3270142e840401a285dd56e3ecd174bbfce42ba6e2fac33f558d0e78
Opcode Fuzzy Hash: d3421a07c49396680ed6a800cfd5a2ca47ccb208a6d6b25d9c9eae7e694dd25b
Instruction Fuzzy Hash: 89416035A00219ABCF10EF68C894A9EFBB5EF45324F18C156F8199B396E731D905CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D769E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,00D768F6,?,00000000,?,?,?,?,00D74E07,?,?,?,?), ref: 00D769E9
GetFileAttributesW.KERNEL32(?,?,00D768F6,?,00000000,?,?,?,?,00D74E07,?,?,?,?), ref: 00D769FC
GetPrivateProfileStringW.KERNEL32(SESSION,PingFilesList,00000000,?,00000082,?), ref: 00D76A56
lstrlenW.KERNEL32(?), ref: 00D76A8B

Strings

PingFilesList, xrefs: 00D76A4C
SESSION, xrefs: 00D76A51

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: lstrlen$AttributesFilePrivateProfileString
String ID: PingFilesList$SESSION
API String ID: 2113809289-1744757727
Opcode ID: fcece2fb9f5872966c822adf68ad1818b383ccf73e295a41d87554cdfde5152e
Instruction ID: abe6a572a2301ca3654e72b2050c3763450ced4231d10b614da73f4044d3c622
Opcode Fuzzy Hash: fcece2fb9f5872966c822adf68ad1818b383ccf73e295a41d87554cdfde5152e
Instruction Fuzzy Hash: DF21C372600702AFEB205678DC5AF6AB758EB14761F24C526F50AE61C1FB71DD008A70

Uniqueness

Uniqueness Score: -1.00%

Function 00D80A3C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 00D80AA7
api-ms-, xrefs: 00D80A93

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: a0398ff2112c71c24cbfa8dee3cc0795b1cfe523ff9c155dcf1a0783e7c11020
Instruction ID: 415526c24538a76d37280a48dd80f6352e2cdb1eb415738fe6eebd9c70ebdb9c
Opcode Fuzzy Hash: a0398ff2112c71c24cbfa8dee3cc0795b1cfe523ff9c155dcf1a0783e7c11020
Instruction Fuzzy Hash: 5821D571A01720BBDB75AB249C44A1B3B68EF117A0F290111ED55E7291E630DD08C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 00D829DB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D829A3: _free.LIBCMT ref: 00D829C8

_free.LIBCMT ref: 00D82A29

Part of subcall function 00D7F042: HeapFree.KERNEL32(00000000,00000000,?,00D829CD,?,00000000,?,?,?,00D829F4,?,00000007,?,?,00D82E44,?), ref: 00D7F058
Part of subcall function 00D7F042: GetLastError.KERNEL32(?,?,00D829CD,?,00000000,?,?,?,00D829F4,?,00000007,?,?,00D82E44,?,?), ref: 00D7F06A

_free.LIBCMT ref: 00D82A34
_free.LIBCMT ref: 00D82A3F
_free.LIBCMT ref: 00D82A93
_free.LIBCMT ref: 00D82A9E
_free.LIBCMT ref: 00D82AA9
_free.LIBCMT ref: 00D82AB4

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6886470fe762aee0a748bf181d577b0e89481f39f471acf89238a49428b01756
Instruction ID: 098d3cd1fbcd41c3afcae7529f49a3590f43d15f46bf40a35f65292e26a895fa
Opcode Fuzzy Hash: 6886470fe762aee0a748bf181d577b0e89481f39f471acf89238a49428b01756
Instruction Fuzzy Hash: C511EF71681B04AAD530BBB0CC47FEB77DCDF05700F408825B29E66153EA69B9058B75

Uniqueness

Uniqueness Score: -1.00%

Function 00D85E7E Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,?,00000000), ref: 00D85EC6
__fassign.LIBCMT ref: 00D860A5
__fassign.LIBCMT ref: 00D860C2
WriteFile.KERNEL32(?,00000016,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D8610A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D8614A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D861F6

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: cd0d096c40113659efcc65e720e37c605f3db94aad03ee99352e553ec739e486
Instruction ID: b37b56414edde257163ffa3d00b550d295afe81a64c2c984cada90b3471aa460
Opcode Fuzzy Hash: cd0d096c40113659efcc65e720e37c605f3db94aad03ee99352e553ec739e486
Instruction Fuzzy Hash: 5CD19675D002589FCF15DFA8C8849EDBBB5FF48324F28416AE855FB342D631AA06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D740BE Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 148memorystringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(00000000,1.2.840.113549.1.9.6,00000000,00000000,?,00000002,00000000,?,?,?,?,?,00000000), ref: 00D740F6
lstrcmpA.KERNEL32(00000000,1.3.6.1.4.1.311.3.3.1), ref: 00D7410F
LocalAlloc.KERNEL32(00000040,?), ref: 00D741A7
LocalAlloc.KERNEL32(00000040,?), ref: 00D74209

Strings

1.2.840.113549.1.9.6, xrefs: 00D740EE
1.3.6.1.4.1.311.3.3.1, xrefs: 00D74107

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: AllocLocallstrcmp
String ID: 1.2.840.113549.1.9.6$1.3.6.1.4.1.311.3.3.1
API String ID: 622657963-1286475088
Opcode ID: 372882a71d4791922dc8205ac61c5bfc276d6f5342fe8ba2b235dd7e88e2ae58
Instruction ID: 792438d8f63126219e69dddc11cba25107d0975d8a5c89d19ecfb734674067d4
Opcode Fuzzy Hash: 372882a71d4791922dc8205ac61c5bfc276d6f5342fe8ba2b235dd7e88e2ae58
Instruction Fuzzy Hash: DE514B74A00219AFDB11CF99C849EAEBBB8FF09744B04805AFA09E7261D7719D50DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D71DF6 Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

CharNextW.USER32(00000000,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E2B
CharNextW.USER32(00000000,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E4A
CharNextW.USER32(00000027,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E60
CharNextW.USER32(00000027,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71E6B
CharNextW.USER32(?,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71EC8
CharNextW.USER32(00000000,00000000,?,00000000,00000000,00D71D16,00000000,?), ref: 00D71EDD

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 1f0f3b9b585079dfb5a3f9ddfecd3b45c7a8b59410068aead298972951117404
Instruction ID: 3ca31caf7dac26d7eadac5b713c49ec277786e638a20fccdd5e9a3ad6fa09e7d
Opcode Fuzzy Hash: 1f0f3b9b585079dfb5a3f9ddfecd3b45c7a8b59410068aead298972951117404
Instruction Fuzzy Hash: 5041B13AB102129BCB249F7DC88467EB7B5EF58311798866AE94AC7354F7308D41C730

Uniqueness

Uniqueness Score: -1.00%

Function 00D745E3 Relevance: 9.1, APIs: 6, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00D74602
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00D74636
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00D74655
GetLastError.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00D7465F
CloseHandle.KERNEL32(00000000,?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00D74688
GetLastError.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00D74697

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandleReadWrite
String ID:
API String ID: 349636761-0
Opcode ID: de6aa8f30247def4312d9801a46b4d333a90cc1f037fbd84a680d0b1d523cf72
Instruction ID: 71f53a16d520e6a957be7b3cd5402f00d929c7496db3c9dc2b2687f5ced727e1
Opcode Fuzzy Hash: de6aa8f30247def4312d9801a46b4d333a90cc1f037fbd84a680d0b1d523cf72
Instruction Fuzzy Hash: CB21A275A11314BBD7219BA49C49BDE7FBCEF45B61F248055F508E6280F7718A448BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A1CA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D7A1C1,00D798FC,00D786E4), ref: 00D7A1D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D7A1E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D7A1FF
SetLastError.KERNEL32(00000000,00D7A1C1,00D798FC,00D786E4), ref: 00D7A251

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3f910122a05b4d6824b625959bb8cf2a823b711d5487922de1cad6e53aa4d0f2
Instruction ID: 0da63f06feb515d0ec2b41d88690c1d2c4f24f8e89eb7e90b602836bb1c92653
Opcode Fuzzy Hash: 3f910122a05b4d6824b625959bb8cf2a823b711d5487922de1cad6e53aa4d0f2
Instruction Fuzzy Hash: C50128325093165EA6102B786C8971F2B54EF453B9B24D22BF52C851F2FF228C005279

Uniqueness

Uniqueness Score: -1.00%

Function 00D72E6F Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00D70000,?,00000104), ref: 00D72EFF
GetModuleHandleW.KERNEL32(00000000), ref: 00D72F3A

Strings

REGISTRY, xrefs: 00D7302C
Module, xrefs: 00D72FC7
Module_Raw, xrefs: 00D72FE3

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Module$FileHandleName
String ID: Module$Module_Raw$REGISTRY
API String ID: 4146042529-549000027
Opcode ID: a7c9f9eb0921d18413ad481a7352e3b861755f84c52c6fe38d8bb6161f680c8c
Instruction ID: 0e4e11bc104f2b0e56c0c0a778c904b3260562c5e414800785c030c5c2b4806d
Opcode Fuzzy Hash: a7c9f9eb0921d18413ad481a7352e3b861755f84c52c6fe38d8bb6161f680c8c
Instruction Fuzzy Hash: D151737AA013299ACB20DB54DC81BEEB3B8AF45750F1481A6E90DE7141FB74EE448F71

Uniqueness

Uniqueness Score: -1.00%

Function 00D73053 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00D70000,?,00000104), ref: 00D730E3
GetModuleHandleW.KERNEL32(00000000), ref: 00D7311E

Strings

REGISTRY, xrefs: 00D7320B
Module, xrefs: 00D731AB
Module_Raw, xrefs: 00D731C7

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Module$FileHandleName
String ID: Module$Module_Raw$REGISTRY
API String ID: 4146042529-549000027
Opcode ID: 6e0a10f09f9ffc1e72c7322ce39527a997831006a96b42e69dae8051f7100cf6
Instruction ID: aa659db1ecf36cb83515db6cef401d5709269e428c8cfe55e990cf399548b961
Opcode Fuzzy Hash: 6e0a10f09f9ffc1e72c7322ce39527a997831006a96b42e69dae8051f7100cf6
Instruction Fuzzy Hash: D8417F75A013299ACB20DB64DC45AEEB3B8AB45310F5085A6E90DE3540FB74EF449FB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D7154B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,?,?,?,?,00D72BBF,?,00000000), ref: 00D7156A
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00D7157A
RegCreateKeyExW.ADVAPI32(?,00D72BBF,00000000,00000000,00000000,0002001F,00000000,00000000,?,00000000,?,?,?,?,?,00D72BBF), ref: 00D715CF

Strings

RegCreateKeyTransactedW, xrefs: 00D71574
Advapi32.dll, xrefs: 00D71565

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: 31a197814ee6d88fe40ff9c131e3d585707db739b93b574b545df23a6a1f7c31
Instruction ID: 48a4d45acc17181484e675ccb4924d1f2f15e130b758a5c33b3173e72899da40
Opcode Fuzzy Hash: 31a197814ee6d88fe40ff9c131e3d585707db739b93b574b545df23a6a1f7c31
Instruction Fuzzy Hash: E51160B5610209BFDB194F54DC4AD7B777CEB44310B04822EB50AD6250FB70AE049B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D7B272 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00D7B2C2

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: 3f548a636889935da93b18d0e9ad09709d6629671628a03e754af2c2371f04c0
Instruction ID: d03459c89cb17ece9cf87713287e9c98a4a0eacaece78f2f4007e0c76511b4b4
Opcode Fuzzy Hash: 3f548a636889935da93b18d0e9ad09709d6629671628a03e754af2c2371f04c0
Instruction Fuzzy Hash: EF119331A02721EBCB218B659C84B6E7768DF05771B198123EC99E7291F730ED0086F4

Uniqueness

Uniqueness Score: -1.00%

Function 00D715F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,00000000,?,?,?,00D717F5,?,00000000,?,00000000,00000000,?), ref: 00D71612
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00D71622
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,?,00D717F5,?,00000000,?,00000000), ref: 00D71663

Strings

RegOpenKeyTransactedW, xrefs: 00D7161C
Advapi32.dll, xrefs: 00D7160D

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1337834000-3913318428
Opcode ID: ca1ca175a0c1eee38b6ddc361a5d205aa10d9a8d011af502047bdf46e29db9d2
Instruction ID: 8b86220161944a4140fbd91ccf2b7b83f7d86ab59e38d11518cd2cd0b7510ff5
Opcode Fuzzy Hash: ca1ca175a0c1eee38b6ddc361a5d205aa10d9a8d011af502047bdf46e29db9d2
Instruction Fuzzy Hash: F1115B79610205FFDF198F58CC5AA6EBB69EF01351F18812EF90AD6250E7709E00CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D77640 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNEL32(000F001F,00000000,?), ref: 00D77682
GetLastError.KERNEL32 ref: 00D7768C

Part of subcall function 00D77340: Sleep.KERNEL32(0000000A,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F,00000000), ref: 00D773F6
Part of subcall function 00D77340: GetLocalTime.KERNEL32(?), ref: 00D77403
Part of subcall function 00D77340: FormatMessageW.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000), ref: 00D7747E

CloseHandle.KERNEL32(00000000), ref: 00D776AF

Strings

ReleaseSharedMemory(), xrefs: 00D7769E
Could not open file mapping object, xrefs: 00D77699

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CloseErrorFileFormatHandleLastLocalMappingMessageOpenSleepTime
String ID: Could not open file mapping object$ReleaseSharedMemory()
API String ID: 273005650-2109277646
Opcode ID: 3a9f47f94bf7d3827ae96949e239e8fe5bf7e857eaa0a1725386fc017cddcbd6
Instruction ID: 26c0c54b993e0f2f66ec5c9fbb7b636faee9ba872aed8da12cf78cf13ba0dcfe
Opcode Fuzzy Hash: 3a9f47f94bf7d3827ae96949e239e8fe5bf7e857eaa0a1725386fc017cddcbd6
Instruction Fuzzy Hash: 4EF0A471A143086FDB14EB749C4AB7E73A8DB04700F608965E51AD6192FA7099049B74

Uniqueness

Uniqueness Score: -1.00%

Function 00D75571 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D715F0: GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,00000000,?,?,?,00D717F5,?,00000000,?,00000000,00000000,?), ref: 00D71612
Part of subcall function 00D715F0: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00D71622

RegSetValueExW.ADVAPI32(?,iPostponeUpdate,00000000,00000004,?,00000004,80000002,SOFTWARE\Adobe\Adobe ARM\1.0\ARM,0002001F), ref: 00D755BD

Strings

iPostponeUpdate, xrefs: 00D755B5
failed to open arm registry, xrefs: 00D7559E
SetDWORDValue failed to register Postpone Update, xrefs: 00D755C7
SOFTWARE\Adobe\Adobe ARM\1.0\ARM, xrefs: 00D75582

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: AddressHandleModuleProcValue
String ID: SOFTWARE\Adobe\Adobe ARM\1.0\ARM$SetDWORDValue failed to register Postpone Update$failed to open arm registry$iPostponeUpdate
API String ID: 144840598-3027236739
Opcode ID: c95b307fe62d5e226d6a4a638fcc62afeb448b4f4f1695f417f61551906ad144
Instruction ID: 7baf79b38b39dce65959c4fd353e3b1d895f09878358671cc87ede00447fc633
Opcode Fuzzy Hash: c95b307fe62d5e226d6a4a638fcc62afeb448b4f4f1695f417f61551906ad144
Instruction Fuzzy Hash: ABF0C875900329BADF10AB949C43ABF7B78EB40740F108046B515B21C5FAB09A08C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D7E044 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00D7E039,?,?,00D7E001,?,?,?), ref: 00D7E059
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D7E06C
FreeLibrary.KERNEL32(00000000,?,?,00D7E039,?,?,00D7E001,?,?,?), ref: 00D7E08F

Strings

CorExitProcess, xrefs: 00D7E064
mscoree.dll, xrefs: 00D7E052

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d82b5fecde8e26e78dfdb79d370992a5841123434cdf4905927a7222f7980a0d
Instruction ID: cb00c902fe378b2f87a39e63f2c7b9550c1d3e62498b68687d633aeaf10bacc2
Opcode Fuzzy Hash: d82b5fecde8e26e78dfdb79d370992a5841123434cdf4905927a7222f7980a0d
Instruction Fuzzy Hash: 43F0A731910318FBCB219B51DC0DB9D7F78EB04765F044051F404E1260DB708E44DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D76573 Relevance: 7.6, APIs: 5, Instructions: 57threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D7657C
OpenThreadToken.ADVAPI32(00000000,0002000A,00000001,00D76748,?,?,?,00D76748), ref: 00D76591
GetLastError.KERNEL32(?,?,?,00D76748), ref: 00D765B6
GetCurrentProcess.KERNEL32(?,?,?,00D76748), ref: 00D765C3
OpenProcessToken.ADVAPI32(00000000,0002000A,00D76748,?,?,?,00D76748), ref: 00D765CF

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$ErrorLast
String ID:
API String ID: 102224034-0
Opcode ID: 9af5c13088221dbbb134d4a11263a2cc0a024f61c66d653cd4791922ce3175e3
Instruction ID: 84a40aa5c6cad0a40242d6bee41ad5d946af173355ba6e851e7fad6040d7f65a
Opcode Fuzzy Hash: 9af5c13088221dbbb134d4a11263a2cc0a024f61c66d653cd4791922ce3175e3
Instruction Fuzzy Hash: 1511AD74A10215AFCB048B64D9888BFBBADEF4A361714402AE51AD3350EB34DD01EBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8293A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D82952

Part of subcall function 00D7F042: HeapFree.KERNEL32(00000000,00000000,?,00D829CD,?,00000000,?,?,?,00D829F4,?,00000007,?,?,00D82E44,?), ref: 00D7F058
Part of subcall function 00D7F042: GetLastError.KERNEL32(?,?,00D829CD,?,00000000,?,?,?,00D829F4,?,00000007,?,?,00D82E44,?,?), ref: 00D7F06A

_free.LIBCMT ref: 00D82964
_free.LIBCMT ref: 00D82976
_free.LIBCMT ref: 00D82988
_free.LIBCMT ref: 00D8299A

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e242e1be7112440155c429d55f27f96a8f60b2b53b37c007f1976466613203f0
Instruction ID: 00f6386b9bec5c19223af89a8317396f7da938ca6d5667cfc3f038e2334712db
Opcode Fuzzy Hash: e242e1be7112440155c429d55f27f96a8f60b2b53b37c007f1976466613203f0
Instruction Fuzzy Hash: B4F01232644300AB8630FBA8E485D2A77D9EB05750B688816F049D7B01D734FC804B74

Uniqueness

Uniqueness Score: -1.00%

Function 00D7E116 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\armsvc.exe, xrefs: 00D7E154, 00D7E15B, 00D7E18F

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\armsvc.exe
API String ID: 0-1209870540
Opcode ID: aaab7a5b8808fd266bfe9aa94585c1cf367071da2df75fc7678c77af34e45b8e
Instruction ID: 70eefc386f91665a9060a6ca3b9b318a07fd76a773398b2c624a5cafd19b27a3
Opcode Fuzzy Hash: aaab7a5b8808fd266bfe9aa94585c1cf367071da2df75fc7678c77af34e45b8e
Instruction Fuzzy Hash: 16316271A04314ABCB219F99DC859AEBBFDEB89310B5880A6F809D7351E6709E40CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D74823 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D7482D

Part of subcall function 00D76644: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00D76669

SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,?,?,?), ref: 00D748F4

Part of subcall function 00D76884: lstrlenW.KERNEL32(?,?,00000355,?,?,?,?,00D74E07,?,?,?,?), ref: 00D76897

Strings

ServiceError, xrefs: 00D74862
\Adobe\ARM\1.0\Temp, xrefs: 00D748FE

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: FolderPath$H_prolog3_lstrlen
String ID: ServiceError$\Adobe\ARM\1.0\Temp
API String ID: 3013686552-902927735
Opcode ID: 7635a43a54801a4a130db5f9bb57fac1f554ee2bebb2fbbd3dbf319e1711375f
Instruction ID: 434f34337cb95888f8eb48061f38f6032b73afdecc44fb06d60fa60f40f22b33
Opcode Fuzzy Hash: 7635a43a54801a4a130db5f9bb57fac1f554ee2bebb2fbbd3dbf319e1711375f
Instruction Fuzzy Hash: 13218C72A103286AEB55EB60DC46FDE776CEF00300F4081A5B60DA6091FF74AB88CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D771E7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNEL32(C:\,?,00000105,?,?,?,?,00000105,?,?,?,00000000,?), ref: 00D77266
lstrlenW.KERNEL32(?,?,?,?,00000000,?), ref: 00D77288

Strings

thsnYaViMRAeBoda, xrefs: 00D77293
C:\, xrefs: 00D77261

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: InformationVolumelstrlen
String ID: C:\$thsnYaViMRAeBoda
API String ID: 2744656266-1109677043
Opcode ID: c10ce1053aa42720836f8f4e097d93359186fbfb9f8321bb158e338758c0f525
Instruction ID: e6ca6f26eaffb484d2a48170889375a50d79d722a8cb46df641e35160785d7f2
Opcode Fuzzy Hash: c10ce1053aa42720836f8f4e097d93359186fbfb9f8321bb158e338758c0f525
Instruction Fuzzy Hash: 5D1136F2A0021C6FDB109B55CC85DEFB7BDEB45314F8445AAF609E3141EA709E448B74

Uniqueness

Uniqueness Score: -1.00%

Function 00D75BF0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerW.ADVAPI32(AdobeARMservice,00D75C60), ref: 00D75C05

Strings

AdobeARMservice, xrefs: 00D75BF6
Service stopped, xrefs: 00D75C4A, 00D75C4F
Handler not installed, xrefs: 00D75C19

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CtrlHandlerRegisterService
String ID: AdobeARMservice$Handler not installed$Service stopped
API String ID: 1823773585-3215699696
Opcode ID: 617370415393b4fe969baabd3118261d8e9f328a99ef6542a65b7c21d888c832
Instruction ID: f3dbdbb6d595b5afd73f3490ffd39767570f7c94c2861ac7636cefb0f043e113
Opcode Fuzzy Hash: 617370415393b4fe969baabd3118261d8e9f328a99ef6542a65b7c21d888c832
Instruction Fuzzy Hash: B2F012716297209ED7456B24BC067AA2794EF44B10B14402BE50DE6395FBB0590047B6

Uniqueness

Uniqueness Score: -1.00%

Function 00D7FA46 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D7FACD

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a35c9fb92b00657017ea6160d75c95f4bb4e5a8991d0fcbfaaa66d4600bbfd18
Instruction ID: b0ed166650f601d8a12c89b7b62c542a3de8b5956ce481ce727600e7d93d921b
Opcode Fuzzy Hash: a35c9fb92b00657017ea6160d75c95f4bb4e5a8991d0fcbfaaa66d4600bbfd18
Instruction Fuzzy Hash: 91B114329002999FDB36CF28C8917BEBBE5EF55350F28C17AE8599B241E6349D01CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A2AA Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00D7A371
___AdjustPointer.LIBCMT ref: 00D7A394
___AdjustPointer.LIBCMT ref: 00D7A430

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f5be329699bb3f9f4c3ffe07171d8ad6135cf23980e030aaf3b66dac28f65413
Instruction ID: 5ddbc49147ea9fdf28f144d9fdd29b301784403d4befd7d29b3a1eab232f7de8
Opcode Fuzzy Hash: f5be329699bb3f9f4c3ffe07171d8ad6135cf23980e030aaf3b66dac28f65413
Instruction Fuzzy Hash: 7651C572505605AFDB298F98D881B6EB7A5EF84310F28C12DE80E472A1F771EC40D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00D73F95 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(1.3.6.1.4.1.311.2.1.12,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D73FC3
LocalAlloc.KERNEL32(00000040,?), ref: 00D74016
LocalFree.KERNEL32(00000000), ref: 00D740B1

Strings

1.3.6.1.4.1.311.2.1.12, xrefs: 00D73FBE, 00D73FF9, 00D7403B

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Local$AllocFreelstrcmp
String ID: 1.3.6.1.4.1.311.2.1.12
API String ID: 3789843827-2596186611
Opcode ID: e1b1960ac3a495ed42618d92c85065495f754474decb8ab498dae97a2c4b04b7
Instruction ID: 8a8a3bd292631e741bffdb3798e928d2bb91f742125b696c6c66b121c34de284
Opcode Fuzzy Hash: e1b1960ac3a495ed42618d92c85065495f754474decb8ab498dae97a2c4b04b7
Instruction Fuzzy Hash: EF31AE30A00215EFCB16CF98C998E69BBB9FF85B04718C199E509DB251EB72DC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D7F729 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00D7BEBF,?,?,00000000,?,00D7B95E,?,?,?), ref: 00D7F72E
_free.LIBCMT ref: 00D7F78B
_free.LIBCMT ref: 00D7F7C1
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00D7B95E,?,?,?), ref: 00D7F7CC

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 73b3b2cb79c67fdb75d397bdfbe2a71919c883d05b8efe266a2536b8a966123a
Instruction ID: b315aa7d591c1c93af1b825a48d920a3d5e1708ec7a07b1c936f6321688c45ac
Opcode Fuzzy Hash: 73b3b2cb79c67fdb75d397bdfbe2a71919c883d05b8efe266a2536b8a966123a
Instruction Fuzzy Hash: 611186322046012A96753BB9ACC6E2F2759EBC57B57288636F22DC72D1FE21CC159330

Uniqueness

Uniqueness Score: -1.00%

Function 00D7F880 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00D7D30B,00D71166), ref: 00D7F885
_free.LIBCMT ref: 00D7F8E2
_free.LIBCMT ref: 00D7F918
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,00D7D30B,00D71166), ref: 00D7F923

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e7904549bf9808641bf5939377feb626c6ed8abe04d317cfb313b69f21c851c5
Instruction ID: bdf2693b1db775759d9a441b7eb705cccd3c4c5d504cef38ec2c4c4ed303d12b
Opcode Fuzzy Hash: e7904549bf9808641bf5939377feb626c6ed8abe04d317cfb313b69f21c851c5
Instruction Fuzzy Hash: 2311A5732046006A96713BBAECC6F2E2659EBC57B57284335F12DC62E1FE21CC045331

Uniqueness

Uniqueness Score: -1.00%

Function 00D763F2 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D763F9
GetSidLengthRequired.ADVAPI32(?,00000054,00D76736,?,00D92634,00000002,00000020,00000220,0000009C,00D768C6,?,?,?,?,00D74E07), ref: 00D7644B
InitializeSid.ADVAPI32(?,?,?,?,?,?,?,00D74E07,?,?,?,?), ref: 00D7645E
GetSidSubAuthority.ADVAPI32(?,00000000,?,?,?,?,00D74E07,?,?,?,?), ref: 00D7647F

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: AuthorityH_prolog3_InitializeLengthRequired
String ID:
API String ID: 2922243755-0
Opcode ID: fbd5f77f1e8bbc291d18dbc2a987db0b92e96461d70ad28e5856cac8c75f9868
Instruction ID: ce812c3b43496ae2c54b6ccc9cd46058713e26b3e0fde632a298bf72a3881a90
Opcode Fuzzy Hash: fbd5f77f1e8bbc291d18dbc2a987db0b92e96461d70ad28e5856cac8c75f9868
Instruction Fuzzy Hash: 6A215EB09007559FCF10EFA4C85499EB7B4FF05318B54881AF59AAB241FB74E909CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D75715 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D7571C

Part of subcall function 00D758F8: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7591F
Part of subcall function 00D758F8: OpenServiceW.ADVAPI32(00000000,?,00010020,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75938
Part of subcall function 00D758F8: CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75945

UnRegisterTypeLib.OLEAUT32(00D92478,00000001,00000000,00000000,00000001), ref: 00D75755
UnRegisterTypeLib.OLEAUT32(00D923C8,00000001,00000000,00000000,00000001), ref: 00D75764
CoUninitialize.OLE32 ref: 00D7576A

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: OpenRegisterServiceType$CloseHandleInitializeManagerUninitialize
String ID:
API String ID: 2933392908-0
Opcode ID: 380295160a53ac89385c068cadb5871beca50a0a595c39aa8baae73465a00940
Instruction ID: 76f13725372f0c85eebd082cbd837ae329c3e7f254bdc8fef4f7e9559402c00a
Opcode Fuzzy Hash: 380295160a53ac89385c068cadb5871beca50a0a595c39aa8baae73465a00940
Instruction Fuzzy Hash: ECF05471211215BFE3142B75ACCDD7F7E5DEF897B5300001AB54AD2250DF605C018BB6

Uniqueness

Uniqueness Score: -1.00%

Function 00D75817 Relevance: 6.0, APIs: 4, Instructions: 29serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75825
OpenServiceW.ADVAPI32(00000000,?,00000001,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7583B
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D75847
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000,00D75912,?,?,00000000,?,?,?,?,00D7563E), ref: 00D7584E

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: Service$CloseHandleOpen$Manager
String ID:
API String ID: 4196757001-0
Opcode ID: 8023a9ce9d20e8cc92bf51aeba7c0e33af72d387b13c0ef3001b7f1af0e5136e
Instruction ID: da0d48879cd2fa547bb2067cee005e702e9750311d36427dff3153205eb54d97
Opcode Fuzzy Hash: 8023a9ce9d20e8cc92bf51aeba7c0e33af72d387b13c0ef3001b7f1af0e5136e
Instruction Fuzzy Hash: B9E04832311720ABD32127556C4DEBB6A7CDB8BFA2B040036FA15C5211EB948905D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00D88627 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,00000008,?,00000000,?,?,00D87219,?,00000001,?,?,?,00D86253,00000000,00000000,?), ref: 00D8863E
GetLastError.KERNEL32(?,00D87219,?,00000001,?,?,?,00D86253,00000000,00000000,?,00000000,?,?,00D867A7,00000016), ref: 00D8864A

Part of subcall function 00D88610: CloseHandle.KERNEL32(FFFFFFFE,00D8865A,?,00D87219,?,00000001,?,?,?,00D86253,00000000,00000000,?,00000000,?), ref: 00D88620

___initconout.LIBCMT ref: 00D8865A

Part of subcall function 00D885D1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D88600,00D87206,?,?,00D86253,00000000,00000000,?,00000000), ref: 00D885E4

WriteConsoleW.KERNEL32(?,00000008,?,00000000,?,00D87219,?,00000001,?,?,?,00D86253,00000000,00000000,?,00000000), ref: 00D8866F

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 869eb68c58014a4f8dcc11c54f9bac132907e40b948ad16d509a4f01ba82a071
Instruction ID: 133a0355fd10b10be48b8d0128b6abca9865dcd4c0b8b8cbd724c2332b07760f
Opcode Fuzzy Hash: 869eb68c58014a4f8dcc11c54f9bac132907e40b948ad16d509a4f01ba82a071
Instruction Fuzzy Hash: 4CF01536551319BBCF223F95DC0998A3F66FB093B1B454021FE28C5261EB328820EBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D77FE1 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00D77F7B,00000064), ref: 00D78004
LeaveCriticalSection.KERNEL32(00D970F8,?,?,00D77F7B,00000064,?,00D76209,00D97DFC,?,?,00D76AB9,?,?,00000000,00D76424,00000054), ref: 00D7800E
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00D77F7B,00000064,?,00D76209,00D97DFC,?,?,00D76AB9,?,?,00000000,00D76424,00000054), ref: 00D7801F
EnterCriticalSection.KERNEL32(00D970F8,?,00D77F7B,00000064,?,00D76209,00D97DFC,?,?,00D76AB9,?,?,00000000,00D76424,00000054,00D76736), ref: 00D78026

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 383094cc809463552b21ddcabdfc27214928e39d8a48311ec2a3a39f793dd453
Instruction ID: 246a76d6d45e7ff442ad0cf7a2929413498da80fb6053d7077e5bf42007cb70a
Opcode Fuzzy Hash: 383094cc809463552b21ddcabdfc27214928e39d8a48311ec2a3a39f793dd453
Instruction Fuzzy Hash: 18E01231AA5729FBCB111B51EC1DA9D7E24FB05B72B054012F90DAA370CF6158149BF8

Uniqueness

Uniqueness Score: -1.00%

Function 00D7EA60 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D7EA69

Part of subcall function 00D7F042: HeapFree.KERNEL32(00000000,00000000,?,00D829CD,?,00000000,?,?,?,00D829F4,?,00000007,?,?,00D82E44,?), ref: 00D7F058
Part of subcall function 00D7F042: GetLastError.KERNEL32(?,?,00D829CD,?,00000000,?,?,?,00D829F4,?,00000007,?,?,00D82E44,?,?), ref: 00D7F06A

_free.LIBCMT ref: 00D7EA7C
_free.LIBCMT ref: 00D7EA8D
_free.LIBCMT ref: 00D7EA9E

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 19a01e5466ae4039ca2b865f3e37f256add01c87d7fed3dda3dd7270695cb7de
Instruction ID: 78d281bcf0bfe3bf043d98e2cacbcd44d33bf79b4ef3df609a6201890754c985
Opcode Fuzzy Hash: 19a01e5466ae4039ca2b865f3e37f256add01c87d7fed3dda3dd7270695cb7de
Instruction Fuzzy Hash: ACE0E27193C3209A8B227F28FD099593FA5FB597403498097F44892373E73A0A52DBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A8B7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00D7A8DC

Strings

MOC, xrefs: 00D7A8EE
RCC, xrefs: 00D7A8F6

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: cd85b71b8f5085979f0af21fa3ed9f255e4bb1705e015023f3ef4fd411e2ec36
Instruction ID: ac9377251272e90ea9abe57ad4eaacb94ba14cc3907cf0d44ef9b04f3db41a85
Opcode Fuzzy Hash: cd85b71b8f5085979f0af21fa3ed9f255e4bb1705e015023f3ef4fd411e2ec36
Instruction Fuzzy Hash: C1415B72900209EFCF15DF98CC81AAEBBB5FF88304F598059FA0866251E3359960DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D73B59 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00D73BB0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00D73C27

Strings

4, xrefs: 00D73BD9

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: FilePointer
String ID: 4
API String ID: 973152223-4088798008
Opcode ID: ccd4a019c193b3d4627a283b649ad9bd66ae7408cd0ce7a6e71e6660da8b90c8
Instruction ID: 3f67edd806bdd643803b4c44faa2da3217570582fcaf8434ac762ac03cce692a
Opcode Fuzzy Hash: ccd4a019c193b3d4627a283b649ad9bd66ae7408cd0ce7a6e71e6660da8b90c8
Instruction Fuzzy Hash: 3521ECB1D0121D9BDB10CFA9C8849EEFBB8FB49724F14462AE425B6290D7745E498FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D76644 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00D76669

Strings

\Temp\, xrefs: 00D7667A
ArmReport.ini, xrefs: 00D76686

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: FolderPath
String ID: ArmReport.ini$\Temp\
API String ID: 1514166925-2511856615
Opcode ID: 503d4797748968787542df5454e45b4fd33bec29bceca9efcec2fde9d189349e
Instruction ID: eff95f1d6ceeaa2b4fe82018f9ce6c59e040191b47df74118ec79a98c1d09ca5
Opcode Fuzzy Hash: 503d4797748968787542df5454e45b4fd33bec29bceca9efcec2fde9d189349e
Instruction Fuzzy Hash: 2CE092F33003543BDB14AA655CC6D7B9A9ECBD1B68700843DB64697292EAB0DC099674

Uniqueness

Uniqueness Score: -1.00%

Function 00D7785F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D711FD: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,8007000E,?,?,00D94270), ref: 00D71203
Part of subcall function 00D711FD: GetLastError.KERNEL32(?,00000000,00000000,?,8007000E,?,?,00D94270), ref: 00D7120D

IsDebuggerPresent.KERNEL32(?,?,?,00D710EA), ref: 00D77892
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D710EA), ref: 00D778A1

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D7789C

Memory Dump Source

Source File: 00000000.00000002.3317512560.0000000000D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D70000, based on PE: true

Associated: 00000000.00000002.3317496637.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317532868.0000000000D8B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317553973.0000000000D96000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3317572569.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_armsvc.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 36dbea2bf819ed2ef7f55f2499905a294d5a8c08b270f95d1375218680559453
Instruction ID: 1d9c66a2a1cdb37b18486f2f71da8aaeb97024ca0135be95cfbdd8e3c1fd4e45
Opcode Fuzzy Hash: 36dbea2bf819ed2ef7f55f2499905a294d5a8c08b270f95d1375218680559453
Instruction Fuzzy Hash: 0DE06D706043018FD320AF28E8583227AE4AF04324F04CC5EE48AC6790F7B5E444CBB2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report armsvc.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: armsvc.exePID: 7032, Parent PID: 4004

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Windows Analysis Report
armsvc.exe

Function 00D75A2C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 55
registryCOMMON

Function 00D75E2F Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 81
stringCOMMON

Function 00D75C8D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 80
windowthreadCOMMON

Function 00D770CD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 45
libraryloaderCOMMON

Function 00D76BE9 Relevance: 47.6, APIs: 19, Strings: 8, Instructions: 335
filestringtimeCOMMON

Function 00D751F0 Relevance: 66.8, APIs: 21, Strings: 17, Instructions: 268
COMMON

Function 00D74E21 Relevance: 49.3, APIs: 12, Strings: 16, Instructions: 283
fileCOMMON

Function 00D74928 Relevance: 47.6, APIs: 2, Strings: 25, Instructions: 362
COMMON