Windows Analysis Report
PDFast.exe

Overview

General Information

Sample name:PDFast.exe
Analysis ID:1671079
MD5:43798c955c9c5625196d148980a38e7d
SHA1:b8016581b1f506c593840471f8d615bc3750d4d1
SHA256:ddac0bbae9d29353563289e1084fa772a0e8e04c016e72f3a61f2e89ad6cc708
Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
One or more processes crash
Queries the volume information (name, serial number etc) of a device

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64_ra
  • PDFast.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\PDFast.exe" MD5: 43798C955C9C5625196D148980A38E7D)
    • WerFault.exe (PID: 6412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • PDFast.exe (PID: 6712 cmdline: "C:\Users\user\Desktop\PDFast.exe" MD5: 43798C955C9C5625196D148980A38E7D)
    • WerFault.exe (PID: 6784 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 904 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: PDFast.exe | ReversingLabs: Detection: 15%
Source: PDFast.exe | Virustotal: Detection: 16%
Source: PDFast.exe | Static PE information: certificate valid
Source: PDFast.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PDFast.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 920
Source: PDFast.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal48.winEXE@4/6@0/9
Source: C:\Users\user\Desktop\PDFast.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6300
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6712
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\03dcefd8-cd0e-4c8b-a3ac-54ee35483b53
Source: PDFast.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PDFast.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\PDFast.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PDFast.exe | ReversingLabs: Detection: 15%
Source: PDFast.exe | Virustotal: Detection: 16%
Source: C:\Users\user\Desktop\PDFast.exe | File read: C:\Users\user\Desktop\PDFast.exe
Source: unknown | Process created: C:\Users\user\Desktop\PDFast.exe "C:\Users\user\Desktop\PDFast.exe"
Source: C:\Users\user\Desktop\PDFast.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 920
Source: unknown | Process created: C:\Users\user\Desktop\PDFast.exe "C:\Users\user\Desktop\PDFast.exe"
Source: C:\Users\user\Desktop\PDFast.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 904
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PDFast.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PDFast.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\PDFast.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PDFast.exe | Static PE information: certificate valid
Source: PDFast.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PDFast.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PDFast.exe | Static file information: File size 1452336 > 1048576
Source: PDFast.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15ae00
Source: PDFast.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PDFast.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PDFast.exe | Static PE information: 0xF3D20D39 [Mon Aug 17 05:57:13 2099 UTC]
Source: PDFast.exe | Static PE information: section name: .text entropy: 7.8293228783938105
Source: C:\Users\user\Desktop\PDFast.exe | Process information set: NOOPENFILEERRORBOX (18 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences, each followed by NOOPENFILEERRORBOX)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 occurrences in total)
Source: C:\Users\user\Desktop\PDFast.exe | Process information set: NOOPENFILEERRORBOX (18 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences, each followed by NOOPENFILEERRORBOX)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (43 occurrences in total)
Source: C:\Users\user\Desktop\PDFast.exe | Memory allocated: 1540000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDFast.exe | Memory allocated: 2F40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDFast.exe | Memory allocated: 2E80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDFast.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDFast.exe | Memory allocated: 2E80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDFast.exe | Memory allocated: 4E80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDFast.exe | Process queried: DebugPort (4 occurrences)
Source: C:\Users\user\Desktop\PDFast.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PDFast.exe | Queries volume information: C:\Users\user\Desktop\PDFast.exe VolumeInformation
Source: C:\Users\user\Desktop\PDFast.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PDFast.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PDFast.exe | Queries volume information: C:\Users\user\Desktop\PDFast.exe VolumeInformation
Source: C:\Users\user\Desktop\PDFast.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PDFast.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PDFast.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (14 tactic columns, 7 rows; a number in parentheses is the count of matched signatures for that technique, cells without a number had no match)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (2), Disable or Modify Tools (1), Software Packing (2), Process Injection (1), Timestomp (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (2), System Information Discovery (12), System Network Configuration Discovery, Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

Source | Detection | Scanner | Label
PDFast.exe | 16% | ReversingLabs | Win32.Malware.Generic
PDFast.exe | 17% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
20.189.173.22 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK US | false
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1671079
Start date and time:2025-04-22 15:49:30 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:17
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:PDFast.exe
Detection:MAL
Classification:mal48.winEXE@4/6@0/9
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.190.190.131
  • Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog
  • Not all processes were analyzed; the report is missing behavior information
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9462330151245307
Encrypted:false
SSDEEP:
MD5:360EB13BD15F03E4A184CAAE62337ABA
SHA1:8D6FD7EBB701759B27163EC7B3235BD859876E69
SHA-256:6B43AD34B1A5FF11AA1AE833850BF19B469AFD9EEE277739853D20EB47B0CE6C
SHA-512:3F4286FE06350F41A96C9273978CFF25F8D37E21E24FDBDDE15F1A5C772AF491D327766D46D5061EFFB507E46C4C363925877F82F8CBD2095256B85F96006528
Malicious:true
Reputation:unknown
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.9.8.0.3.3.9.9.5.2.5.1.2.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.9.8.0.3.3.9.9.8.9.3.1.2.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.4.8.7.5.6.e.c.-.d.1.8.b.-.4.5.5.0.-.8.b.5.9.-.e.8.6.6.3.2.5.9.2.e.9.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.9.4.4.b.9.2.-.3.5.4.c.-.4.7.e.4.-.8.e.9.a.-.d.9.f.a.6.c.f.a.6.f.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.D.F.a.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.D.F.a.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.9.c.-.0.0.0.1.-.0.0.1.9.-.2.2.a.d.-.1.b.7.0.8.d.b.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.8.3.5.2.0.e.9.c.5.5.c.0.4.e.6.e.2.9.b.b.4.6.5.2.f.9.9.9.a.a.e.0.0.0.0.0.0.0.0.!.0.0.0.0.b.8.0.1.6.5.8.1.b.1.f.5.0.6.c.5.9.3.8.4.0.4.7.1.f.8.d.6.1.5.b.c.3.7.5.0.d.4.d.1.!.P.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9391351574020396
Encrypted:false
SSDEEP:
MD5:7F087E60F1F7BD255EAECB1097EABDFF
SHA1:91BD2D9BAFDC45C7B050F2C70ED37D34C85F2102
SHA-256:98AC64AE83AF0936171318C93DC722F7C83B0E1C31DD44611215F2E38F5372E2
SHA-512:7DD9F32771805CCD67BFF264FD24D88FB3BA48DEDDD14945DA3942939FBE440078C196B923010432401A9DE6A2B74B92C252046AAC7363325819D4405D539260
Malicious:true
Reputation:unknown
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.9.8.0.3.4.1.1.4.5.8.0.6.5.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.9.8.0.3.4.1.1.8.2.4.0.7.2.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.2.b.b.d.c.4.-.9.a.5.e.-.4.f.9.f.-.a.5.4.0.-.5.8.9.4.5.2.d.e.c.2.8.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.b.7.1.e.c.e.-.0.1.4.9.-.4.4.5.b.-.a.5.2.5.-.a.8.9.7.d.d.e.4.e.7.b.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.D.F.a.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.D.F.a.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.3.8.-.0.0.0.1.-.0.0.1.9.-.d.3.7.6.-.5.0.7.7.8.d.b.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.8.3.5.2.0.e.9.c.5.5.c.0.4.e.6.e.2.9.b.b.4.6.5.2.f.9.9.9.a.a.e.0.0.0.0.0.0.0.0.!.0.0.0.0.b.8.0.1.6.5.8.1.b.1.f.5.0.6.c.5.9.3.8.4.0.4.7.1.f.8.d.6.1.5.b.c.3.7.5.0.d.4.d.1.!.P.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Tue Apr 22 13:49:59 2025, 0x1205a4 type
Category:dropped
Size (bytes):209639
Entropy (8bit):3.6675927361091682
Encrypted:false
SSDEEP:
MD5:6EFD10CCF1FD7458DFEA8A26D167B5A5
SHA1:432D6A0B191AF53790E53FF6BE36867B30389E73
SHA-256:7D2E1D932F11DAEABB00AA97C75B0FC4C11B1388E51D9A2EEC7DBC232CF5B64B
SHA-512:36013BEFCBC0ABB116F842E04B72616BDA2E2DCE01082ADBD10E1B6DD4ECCF4F1CA1A40E8C65ADD5BE60D7E58C7EB900DF549D5352AC05F2665FE11FE536464D
Malicious:false
Reputation:unknown
Preview:MDMP..a..... ..........h....................................$...........d....>..........`.......8...........T...........x$..o.......................................................................................................eJ......,.......GenuineIntel............T..............h.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8372
Entropy (8bit):3.692244075467209
Encrypted:false
SSDEEP:
MD5:51BE7E8E1F0E01B2DE2E0669E430A028
SHA1:EF5962D60EF9CF56F05086EA408FEA8FF23172F9
SHA-256:797DD851C80FE61DBBC07E902C03833A1362C111352F70A938A5E8581F8C6DAD
SHA-512:87B46E5F094D2575B3B299D613F2A2D0749CCC4BFAA147AD40B441C7C501B8BB8E3BEB79E91C358EE2AD781FF87475A206DA069B36B934188FF67B6A755BF806
Malicious:false
Reputation:unknown
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.0.0.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4734
Entropy (8bit):4.4658662370205615
Encrypted:false
SSDEEP:
MD5:E5E6C1EF40DB3663BB52C01D0C8FA43D
SHA1:E71AB23B328F51F65FE61FDD633872BD8C2569D8
SHA-256:76F10C62D2F089CC72E37165F02184C28F954C5E9C2A5B565203DBFE6FE87A09
SHA-512:04FD931AAF581500335DCE4A01DCD5CF5C2DB823C1B634D8A74B1128E51FCB81468370624D3EB361C18503C8B8E9C80879D795E17C24929C69C590398DE4A18F
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816772" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.310209406407499
Encrypted:false
SSDEEP:
MD5:8517EAAA5ADC30E92F105C7FAF0F4180
SHA1:37847EAE3DE9025887C15B870A4E5D03812082C7
SHA-256:7013F6CCABE28B92C7A4966CC782176818C4C70DD904685F43075E4B45928F6C
SHA-512:A5566207312BCAAE0BD77E6B8A417A7472C9A2AA4C8EA2D24E5B90AE32EB12DAE9210918AFC9C20CB09CB3AF1670959F45B131CDBCAC6FF8E2EBB2EF678CD0B5
Malicious:false
Reputation:unknown
Preview:regfJ...J....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.9Zp.................................................................................................................................................................................................................................................................................................................................................`ND........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.806894905267623
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
  • Win32 Executable (generic) a (10002005/4) 49.93%
  • Windows Screen Saver (13104/52) 0.07%
  • Win16/32 Executable Delphi generic (2074/23) 0.01%
  • Generic Win/DOS Executable (2004/3) 0.01%
File name:PDFast.exe
File size:1'452'336 bytes
MD5:43798c955c9c5625196d148980a38e7d
SHA1:b8016581b1f506c593840471f8d615bc3750d4d1
SHA256:ddac0bbae9d29353563289e1084fa772a0e8e04c016e72f3a61f2e89ad6cc708
SHA512:ec6301b8229805f6be816c73f2e815d079048d9d80aa266543f3c3c98efb855d11c08791da2e7f4c9f869d099cc0b85e0c62377fb821b05c758f5831a6419b0b
SSDEEP:24576:H/p5T0fTO5FJMx0An49KEcWjj7o4eh5Pxjjba1N5V9itk3nsXc7T:fpeaJMWwqj7o5p1a/5VMC3nuS
TLSH:0E6512403BB9279AD27A2C3D166B53D007FFD1F7A950EACA3475A49C09D27428B13AC7
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9............."...0......N........... ........@.. .......................`......a.....`................................
Icon Hash:054531b8d4298505
Entrypoint:0x55cc0a
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xF3D20D39 [Mon Aug 17 05:57:13 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid:true
Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 09/10/2024 17:46:30 10/10/2025 17:46:30
Subject Chain
  • E=farhadikhlaq483@gmail.com, CN=SEELIV (SMC-PRIVATE) LIMITED, O=SEELIV (SMC-PRIVATE) LIMITED, L=Multan, S=Punjab, C=PK, OID.1.3.6.1.4.1.311.60.2.1.3=PK, SERIALNUMBER=0175853, OID.2.5.4.15=Private Organization
Version:3
Thumbprint MD5:64573BCA52FBEB6A1B2FF29FFA68D073
Thumbprint SHA-1:77E3B1710323F25812A7AF8D2A6A5C6A743DC25F
Thumbprint SHA-256:150693E5AC6DD5122FDF692B4B860268E13BC8C396DAF1CE0BF015CF488D623D
Serial:36CC39AA22030F7FA71592F8
Instruction
jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x15cbb8         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x15e000         0x4a68        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x15fe00         0x2b30        .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x164000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x15cb9c         0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x2000           0x15ac10      0x15ae00  652a1ad119114d831ca9fd8308c1a0a5  False     0.8801259853603604  data       7.8293228783938105  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x15e000         0x4a68        0x4c00    195fb8009751e27bf15ed905dc61965f  False     0.1504420230263158  data       3.757628696341197   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x164000         0xc           0x200     3c7581e8221e867000864ae10db7e776  False     0.044921875         data       0.09800417566270775 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size    Type                                                                                                Language  Country  ZLIB Complexity
RT_ICON        0x15e100  0x4428  Device independent bitmap graphic, 65 x 128 x 32, image size 16640, resolution 2834 x 2834 px/m                        0.1244268684089867
RT_GROUP_ICON  0x162538  0x14    data                                                                                                                    1.1
RT_VERSION     0x16255c  0x30c   data                                                                                                                    0.4358974358974359
RT_MANIFEST    0x162878  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                                      0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Description       Data
Translation       0x0000 0x04b0
Comments
CompanyName
FileDescription   PDFast
FileVersion       1.0.0.2
InternalName      PDFast.exe
LegalCopyright    Copyright 2023
LegalTrademarks
OriginalFilename  PDFast.exe
ProductName       PDFast
ProductVersion    1.0.0.2
Assembly Version  1.0.0.0