
Windows Analysis Report
PDFast.exe

Overview

General Information

Sample name: PDFast.exe
Analysis ID: 1645050
MD5: 4231b7c3e3b9fdf012e9aad4d4e2e62a
SHA1: a3764a0b089caa62fd1bc4182dd6eba5a6149ec2
SHA256: e147f02b38a81a65c1862b0d2c882654cbb8e1ab24bdd2c8712735f313970770
Tags: exe, HOTELFATAZPRIVATELIMITED, user-SquiblydooBlog

Detection

Score: 48
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

Classification chart (rendered image; labels only): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious.
  • System is w10x64
  • PDFast.exe (PID: 8060 cmdline: "C:\Users\user\Desktop\PDFast.exe" MD5: 4231B7C3E3B9FDF012E9AAD4D4E2E62A)
    • WerFault.exe (PID: 8172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8060 -s 904 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: PDFast.exe Virustotal: Detection: 48%
Source: PDFast.exe ReversingLabs: Detection: 36%
Source: PDFast.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: -+ncalrpc:[OLEB5ABBDECC861AA3A34BB8783059A]bj\Release\PDFast.pdbi source: PDFast.exe, 00000001.00000002.1254568529.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER2B4B.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WER2B4B.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb source: WER2B4B.tmp.dmp.4.dr
Source: Binary string: D:\a\pdf-ize-software\pdf-ize-software\PDFast\obj\Release\PDFast.pdb source: PDFast.exe
Source: Binary string: System.Core.pdb source: WER2B4B.tmp.dmp.4.dr
Source: Binary string: System.pdb4 source: WER2B4B.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER2B4B.tmp.dmp.4.dr
Source: Binary string: PDFast.pdb source: WER2B4B.tmp.dmp.4.dr
Source: Binary string: System.ni.pdb source: WER2B4B.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WER2B4B.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2B4B.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb source: WER2B4B.tmp.dmp.4.dr
Source: PDFast.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PDFast.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PDFast.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PDFast.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: PDFast.exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: PDFast.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PDFast.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PDFast.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PDFast.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: PDFast.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: PDFast.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: PDFast.exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: PDFast.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: PDFast.exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: PDFast.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: PDFast.exe String found in binary or memory: http://www.google.com1PDF.Properties.Resources
Source: PDFast.exe String found in binary or memory: http://www.marksimonson.comProxima
Source: PDFast.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\PDFast.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8060 -s 904
Source: PDFast.exe, 00000001.00000002.1254568529.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PDFast.exe
Source: PDFast.exe, InstallerClass.cs Task registration methods: 'CreateScheduleUpdaterTask'
Source: PDFast.exe, JREDownload.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: PDFast.exe, JREDownload.cs Security API names: System.IO.DirectoryInfo.GetAccessControl()
Source: PDFast.exe, JREDownload.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: PDFast.exe, InstallerClass.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal48.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\PDFast.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8060
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7cbfad79-359e-4cce-92ed-76e2984dddd2
Source: PDFast.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PDFast.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\PDFast.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PDFast.exe File read: C:\Users\user\Desktop\PDFast.exe
Source: unknown Process created: C:\Users\user\Desktop\PDFast.exe "C:\Users\user\Desktop\PDFast.exe"
Source: C:\Users\user\Desktop\PDFast.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PDFast.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PDFast.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PDFast.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PDFast.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PDFast.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PDFast.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PDFast.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PDFast.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PDFast.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PDFast.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\PDFast.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PDFast.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PDFast.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PDFast.exe Static file information: File size 2990499 > 1048576
Source: PDFast.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x294c00
Source: PDFast.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PDFast.exe Static PE information: 0xC4BD2F4C [Sun Aug 5 22:12:28 2074 UTC]
Source: PDFast.exe Static PE information: real checksum: 0x2de54a should be: 0x2db8b8
Source: C:\Users\user\Desktop\PDFast.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PDFast.exe Memory allocated: 2890000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDFast.exe Memory allocated: 29C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDFast.exe Memory allocated: 49C0000 memory reserve | memory write watch
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\PDFast.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PDFast.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PDFast.exe Queries volume information: C:\Users\user\Desktop\PDFast.exe VolumeInformation
Source: C:\Users\user\Desktop\PDFast.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (one line per tactic, techniques in the report's row order; a number in parentheses is the count shown next to that technique in the report):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Scheduled Task/Job (1), Scheduled Task/Job, At, Cron, Launchd
Persistence: Scheduled Task/Job (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Process Injection (1), Scheduled Task/Job (1), DLL Side-Loading (1), Login Hook, Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (2), Disable or Modify Tools (1), Process Injection (1), Timestomp (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (21), Virtualization/Sandbox Evasion (2), System Information Discovery (12), System Network Configuration Discovery, Internet Connection Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Behavior graph (rendered image; recoverable information only): Behavior Graph ID: 1645050, Sample: PDFast.exe, Start date: 21/03/2025, Architecture: WINDOWS, Score: 48. Signature shown: Multi AV Scanner detection for submitted file. Process chain: PDFast.exe started, then WerFault.exe started; file C:\ProgramData\Microsoft\...\Report.wer (Unicode) dropped.

Source | Detection | Scanner | Label
PDFast.exe | 49% | Virustotal |
PDFast.exe | 36% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.google.com1PDF.Properties.Resources | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | | high
http://www.marksimonson.comProxima | PDFast.exe | false | | high
http://www.google.com1PDF.Properties.Resources | PDFast.exe | false | Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1645050
Start date and time: 2025-03-21 12:12:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PDFast.exe
Detection: MAL
Classification: mal48.winEXE@2/5@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.21, 40.126.24.81, 184.31.69.3, 204.79.197.222, 20.12.23.50
  • Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
07:13:12 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
      No context
      No context
      No context
      No context
      No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9183001780968642
Encrypted: false
SSDEEP: 96:vMfFkK7lxNqsJg2zxTMbTdQXIDcQvc6QcEVcw3cE/v+BHUHZ0ownOgHkEwH3dEFd:cR7xqWT0BU/ya2RzuiFtZ24IO8BK
MD5: 82A33F4944254B1CB5FF236AC405605E
SHA1: 711172950A1C1172FAC1485C3540AD021D0408C6
SHA-256: 84A28F27D5BF8E2C2C165A58E94456890504D0BD2FAF71F21A98342354F37F0A
SHA-512: 32039C0D0F1E2C5EE37A1DBEA36E1F0B8F3EDAB166D2760099B14F0E4C9FD348E86C96A663D3CA8894AC976A9D19827382808A10B0266806D9A75019BC369FC8
Malicious: true
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Fri Mar 21 11:13:09 2025, 0x1205a4 type
Category: dropped
Size (bytes): 175043
Entropy (8bit): 3.9163281596731445
Encrypted: false
SSDEEP: 1536:bM487SVXxCzqATPFnCDMetTQAy5oHuBojRypN4uE2aOhVLTgBUxi:bMHyosMI5UopU4uEqhVLTgBU
MD5: 6C1C6F25150FCAF662D42C1E871275D2
SHA1: D67C85663DF3653E4226DACE005DE8931E59AC0A
SHA-256: FB2F79E0980B3CF98E27E482FB60827CFAB08D558C11D7218D4FB2F96F759CE3
SHA-512: 6FCA5E8DF4E3945650E84E27D0E32F878801F9E2B07C1AFFD4083CA7A57C9B443D89CF84F8E4E4D7EE2EBBDE95BEE767A3F7CAE58435B51818C3AC5F549EE582
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8314
Entropy (8bit): 3.6992439075966668
Encrypted: false
SSDEEP: 192:R6l7wVeJbjL61kh1hq6Y6tSUb8/1gmf440aprw89blOCsfK30m:R6lXJXL61A1hq6YwSUbk1gmf440ilOBQ
MD5: 1A63F40636F79F6ED2ED3F03E497DBC8
SHA1: 32CD8B6349A79C890672BAB8EBD71151BDB18B4C
SHA-256: FCA78EEED0B090CDEBF5BDAD1F1BB6BF0BE56DA0D5B2A90E5302FF5A69E3D534
SHA-512: ACFE1461E7CBB97444F424A0722484DAB20594EA271FA64FCB67B323C53F87E6ADB5B3CDC735C897FCADB21A13C155D6D89476E782CCB6BE68FE304868FC9012
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4641
Entropy (8bit): 4.474199063420382
Encrypted: false
SSDEEP: 48:cvIwWl8zsTJg77aI9GJWpW8VYFYm8M4JwzjF1+q8uZIrYNSJp9d:uIjftI7g47VxJw7BI+SD9d
MD5: 28033B0104CA89F1CCD5E81FA6147AAB
SHA1: 0CE1BBDC3A56D93DE2637614E00EA2BCC42A3280
SHA-256: 9A38FFDFFF928AAFC34387A2EEDFF4D2200D56980FACDA0B424D1C287C46BA34
SHA-512: B4F344090AD7AF7A7D1DC5719AB4C4922F2E1E3A8260570FF19C50E4E0BF5EBE7472650AD5C6D2DC18DED38984F6FB45A7A7E1106918FA15CBBD2D1DB7311627
Malicious: false
Reputation: low
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="770535" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1835008
      Entropy (8bit):4.468733599320542
      Encrypted:false
      SSDEEP:6144:2IXfpi67eLPU9skLmb0b4QWSPKaJG8nAgejZMMhA2gX4WABlVuNRdwBCswSb7:7XD94QWlLZMM6YFU3+7
      MD5:21EF2FAA7CE45595E090B9C52C2E0C6B
      SHA1:9F64D91EDE17A756273C38DD9B95B711B91860F5
      SHA-256:9D1CBFCEA8601408688627828DD75083A134EBC6AF729E2D80D7668578D40BEE
      SHA-512:1522F305493FA191C9749E5F8965EDFC93CB790F4E700A7167BA03D95B0A275A1A33DF0ACD22C59D6967F83C273B00B9914B87FA7B44635690C2567A37FF9B55
      Malicious:false
      Reputation:low
      Preview:regf:...:....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.IC:R...............................................................................................................................................................................................................................................................................................................................................f.U.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.160275703820239
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
      • Win32 Executable (generic) a (10002005/4) 49.96%
      • Win16/32 Executable Delphi generic (2074/23) 0.01%
      • Generic Win/DOS Executable (2004/3) 0.01%
      • DOS Executable Generic (2002/1) 0.01%
      File name:PDFast.exe
      File size:2'990'499 bytes
      MD5:4231b7c3e3b9fdf012e9aad4d4e2e62a
      SHA1:a3764a0b089caa62fd1bc4182dd6eba5a6149ec2
      SHA256:e147f02b38a81a65c1862b0d2c882654cbb8e1ab24bdd2c8712735f313970770
      SHA512:87bee08533ffbc6f2e203b3e042d9fb337156ed2158c12e3de46f4007427fac86a6b911ef0efb90d9f6ae356963f81b3964a9715300974855a5da5d81ffc80db
      SSDEEP:24576:sdsi4tNecTNecTNecDNecyNec+T0fTO5FJMx0An49KEcWjj7o4eh5Pxjjba1N5VK:sOvmTTbO0aJMWwqj7o5p1a/5VMC3nuXF
      TLSH:B9D58C9D1E76C84FD3410B7C9DF8FB3CA53AD3A53C2AC301AA2229D56A75F9D6C81412
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L/............"...0..L)..*.......j).. ....)...@.. ........................-.....J.-...`................................
      Icon Hash:98718992c4518c9d
      Entrypoint:0x696ad2
      Entrypoint Section:.text
      Digitally signed:true
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Time Stamp:0xC4BD2F4C [Sun Aug 5 22:12:28 2074 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
      Signature Valid:
      Signature Issuer:
      Signature Validation Error:
      Error Number:
      Not Before, Not After
        Subject Chain
          Version:
          Thumbprint MD5:
          Thumbprint SHA-1:
          Thumbprint SHA-256:
          Serial:
          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al
          (the line above repeats for the remaining 96 instructions: zero padding bytes after the entrypoint decode as add byte ptr [eax], al)
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x296a7d | 0x4f | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x298000 | 0x42668 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2d7800 | 0x2998 | .rsrc
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2dc000 | 0xc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2969e8 | 0x38 | .text
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x2000 | 0x294ad8 | 0x294c00 | 74a95a46eb8f9946b4399020e5446117 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rsrc | 0x298000 | 0x42668 | 0x42800 | e82d5b88f6343a0bef90c1a7aa219e40 | False | 0.5093764685150376 | data | 5.821098194889655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x2dc000 | 0xc | 0x200 | 10f15610201dda6345aff66f2bebcc85 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0x298100 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2834 x 2834 px/m | | | 0.5101414326715389
          RT_GROUP_ICON | 0x2da138 | 0x14 | data | | | 1.1
          RT_VERSION | 0x2da15c | 0x30c | data | | | 0.42948717948717946
          RT_MANIFEST | 0x2da478 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
          DLL | Import
          mscoree.dll | _CorExeMain
          Description | Data
          Translation | 0x0000 0x04b0
          Comments |
          CompanyName |
          FileDescription | PDFast
          FileVersion | 1.0.0.0
          InternalName | PDFast.exe
          LegalCopyright | Copyright 2023
          LegalTrademarks |
          OriginalFilename | PDFast.exe
          ProductName | PDFast
          ProductVersion | 1.0.0.0
          Assembly Version | 1.0.0.0
          No network behavior found

          Target ID:1
          Start time:07:13:08
          Start date:21/03/2025
          Path:C:\Users\user\Desktop\PDFast.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\PDFast.exe"
          Imagebase:0x480000
          File size:2'990'499 bytes
          MD5 hash:4231B7C3E3B9FDF012E9AAD4D4E2E62A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:4
          Start time:07:13:09
          Start date:21/03/2025
          Path:C:\Windows\SysWOW64\WerFault.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8060 -s 904
          Imagebase:0x3b0000
          File size:483'680 bytes
          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          No disassembly