Create Interactive Tour

Windows Analysis Report PcaSvc.dll

Overview

General Information

Sample Name:	PcaSvc.dll
Analysis ID:	497676
MD5:	c01a9d3e01e0519140f9e2b266bbf4a0
SHA1:	478b1f1fb8be008b22ac8034714ca717544c6f67
SHA256:	156a0e4d76e24922dda8ecb2d80a7754d1627246d9dd66dddbe46304fec3f472
Infos:
Most interesting Screenshot:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Checks if the current process is being debugged

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 4424 cmdline: loaddll64.exe 'C:\Users\user\Desktop\PcaSvc.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)

cmd.exe (PID: 6020 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\PcaSvc.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 3640 cmdline: rundll32.exe 'C:\Users\user\Desktop\PcaSvc.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5824 cmdline: rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,PcaPatchSdbTask MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 7016 cmdline: rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,QueryEncapsulationSettings MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4780 cmdline: rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,QueryEncapsulationSettingsTC MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: PcaSvc.dll

Static PE information: certificate valid

Source: PcaSvc.dll

Static PE information: GUARD_CF, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: pcasvc.pdb source: PcaSvc.dll
Source:	Binary string: pcasvc.pdbUGP source: PcaSvc.dll

Source: PcaSvc.dll	Binary or memory string: 0aTelemetryPermission-AllowDisableTelemetryPermission-DefaultLevelKernel-ProductInfoPRINTERRORMARKSimpleMetricMessageActivitys-1-5-18s-1-5-19s-1-5-20%system32%%systemroot%\system32%sysnative%%programfilesnative%%systemdrive%\Program FilesCommonFilesDirCommonProgramFilesCommonFilesDir (x86)CommonProgramFiles(x86)ProgramFilesDirProgramFilesProgramFilesDir (x86)ProgramFiles(x86)ProgramDataPublicOriginalFilename vs PcaSvc.dll
Source: PcaSvc.dll	Binary or memory string: NameOsComponentSizeMagicPeHeaderHashSizeOfImagePeChecksumLinkDateLinkerVersionBinFileVersionBinProductVersionBinaryTypeCreatedModifiedLastAccessedVerLanguageIdSwitchBackContextSigDisplayNameSigFriendlyPublisherNameSigMoreInfoURLOriginalFileNamePeImageTypePeSubsystemRunLevelUiAccessCrcChecksumClrVersionBoeProgramIdBoeProgramNameBoeProgramPublisherBoeProgramVersionBoeProgramLanguageSigPublisherNameFileSizekernelbase.dllRaiseFailFastException%wsstd::exception: %hsRtlNtStatusToDosErrorNoTebRtlDllShutdownInProgressCrashInstallFailedChainFirstRunUninstallFailedQuarantinedAppRunPinDLLFileTracerCreateFileMSILaunchBlockedMobileBroadbandInstallerO vs PcaSvc.dll

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apisampling.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: cryptsp.dll	Jump to behavior

Source: PcaSvc.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PcaSvc.dll

Binary string: %sMarkEventFailed to create store [%d]PcaChainDataBuilderExecuteIgnoreFreeLibrary FaultTolerantHeap DWM8And16BitMitigation ElevateCreateProcessPcaSvcTracePcaSvcDebugFailed to execute resolvers [%d]ResolverManager_ChainCompleteFailed to read NoisyResolvers [%d]ResolverManagerp_ExecuteResolversDisablePcaUISoftware\Policies\Microsoft\Windows\AppCompat%s\Temp\AslLog_%S_%s_%d.txt\Device\InstallShield\setup.exesetup16.execsrstub.exeERROR#%s#%d?

Source: classification engine

Classification label: clean3.winDLL@11/0@0/0

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,PcaPatchSdbTask

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\PcaSvc.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\PcaSvc.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,PcaPatchSdbTask
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\PcaSvc.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,QueryEncapsulationSettings
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,QueryEncapsulationSettingsTC
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\PcaSvc.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,PcaPatchSdbTask	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,QueryEncapsulationSettings	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,QueryEncapsulationSettingsTC	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\PcaSvc.dll',#1	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: PcaSvc.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: PcaSvc.dll

Static PE information: certificate valid

Source: PcaSvc.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PcaSvc.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PcaSvc.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PcaSvc.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PcaSvc.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PcaSvc.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PcaSvc.dll

Static PE information: GUARD_CF, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: PcaSvc.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: pcasvc.pdb source: PcaSvc.dll
Source:	Binary string: pcasvc.pdbUGP source: PcaSvc.dll

Source: PcaSvc.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PcaSvc.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PcaSvc.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PcaSvc.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PcaSvc.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: PcaSvc.dll

Static PE information: section name: .didat

Source: PcaSvc.dll

Static PE information: 0x8226DCB8 [Sat Mar 12 23:22:32 2039 UTC]

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\PcaSvc.dll',#1

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection11	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Rundll321	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PcaSvc.dll	0%	Virustotal		Browse
PcaSvc.dll	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	497676
Start date:	06.10.2021
Start time:	08:02:40
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PcaSvc.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean3.winDLL@11/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.50.102.62, 2.20.178.24, 2.20.178.33, 20.54.110.249, 40.112.88.60, 2.20.178.10, 2.20.178.56, 20.199.120.182, 20.199.120.85, 20.199.120.151 Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	6.343812707574443
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	PcaSvc.dll
File size:	876344
MD5:	c01a9d3e01e0519140f9e2b266bbf4a0
SHA1:	478b1f1fb8be008b22ac8034714ca717544c6f67
SHA256:	156a0e4d76e24922dda8ecb2d80a7754d1627246d9dd66dddbe46304fec3f472
SHA512:	5c59aa2a76189c654ce1acff067cb9df44d56974d617eff954f9b6f68a385dfb4c54f31c4e8e38264d73ae272886c3e53c1a2e70b905dcef3d86323c7cc50ff2
SSDEEP:	24576:GIdDBe0fbgZw/9FuKw4rsNkEQTHwzm+Zq2queGie:GI3e0fcqeLNkEEYPq2qu/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.. ...s...s...s..ss...s...r...s...r...s...s^..s...r...s...r...s...r...s...r...s...s...s...r...sRich...s................PE..d..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1800165b0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	GUARD_CF, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x8226DCB8 [Sat Mar 12 23:22:32 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	5bb5a2e1975ae78207abb2b6f6ef800f

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/15/2020 1:29:14 PM 12/2/2021 1:29:14 PM
Subject Chain	CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	1A1395EF5FC0A90A5B83AC4B531EEAC9
Thumbprint SHA-1:	312860D2047EB81F8F58C29FF19ECDB4C634CF6A
Thumbprint SHA-256:	416F4C0A00D1C4108488A04C2519325C5AA13BC80D0C017C45B00B911B8370A9
Serial:	33000002ED2C45E4C145CF48440000000002ED

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F8AE0F67807h
call 00007F8AE0F67FB8h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F8AE0F6780Ch
int3
int3
int3
int3
int3
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+20h], ebx
dec esp
mov dword ptr [eax+18h], eax
mov dword ptr [eax+10h], edx
dec eax
mov dword ptr [eax+08h], ecx
push esi
push edi
inc ecx
push esi
dec eax
sub esp, 00000150h
mov edi, edx
dec esp
mov esi, ecx
mov esi, 00000001h
mov ebx, esi
mov dword ptr [esp+20h], ebx
cmp edx, esi
jnbe 00007F8AE0F67808h
mov dword ptr [000B78A5h], edx
test edx, edx
jne 00007F8AE0F67815h
cmp dword ptr [000B7C6Bh], edx
jne 00007F8AE0F6780Dh
xor ebx, ebx
mov dword ptr [esp+20h], ebx
jmp 00007F8AE0F679DFh
lea eax, dword ptr [edx-01h]
cmp eax, esi
ja 00007F8AE0F67896h
dec esp
mov ecx, dword ptr [000B825Ch]
dec ebp
test ecx, ecx
je 00007F8AE0F67844h
mov eax, dword ptr [000B7C45h]
cmp edx, esi
cmove eax, esi
mov dword ptr [000B7C3Ah], eax
dec esp
mov eax, dword ptr [esp+00000180h]
dec ecx
mov eax, ecx
call dword ptr [00000005h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc49c0	0xd4	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc4a94	0x5f0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd9000	0x9a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xd1000	0x6474	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd3e00	0x2138	.pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0x998	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa7360	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x903e0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8f600	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x908a0	0x11d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc41fc	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8d525	0x8d600	False	0.516395197834	data	6.31932756603	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x3a3ba	0x3a400	False	0.338724684818	data	5.287775756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xca000	0x6c78	0x4400	False	0.145163143382	data	1.95420448251	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xd1000	0x6474	0x6600	False	0.520450367647	data	5.87029876772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0xd8000	0x180	0x200	False	0.271484375	data	2.27820028491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xd9000	0x9a8	0xa00	False	0.39921875	data	3.88787898272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0x998	0xa00	False	0.53828125	data	5.35713875244	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
MUI	0xd98e0	0xc8	data	English	United States
RT_RCDATA	0xd9498	0x442	Windows application compatibility Shim DataBase	English	United States
RT_VERSION	0xd90f0	0x3a4	data	English	United States

Imports

DLL	Import
msvcrt.dll	free, _amsg_exit, _XcptFilter, _onexit, ?terminate@@YAXXZ, ??1type_info@@UEAA@XZ, _vsnprintf, strcmp, strncmp, _lock, ??0exception@@QEAA@AEBQEBD@Z, memmove_s, _vsnprintf_s, ??0exception@@QEAA@AEBV0@@Z, toupper, _unlock, ??0exception@@QEAA@XZ, memset, ?what@exception@@UEBAPEBDXZ, ??1exception@@UEAA@XZ, swscanf_s, memmove, memcpy, memcmp, __dllonexit, wcscat_s, strerror, __CxxFrameHandler3, _wcslwr_s, fclose, malloc, _purecall, sprintf_s, _CxxThrowException, wcsncpy_s, _callnewh, ??0exception@@QEAA@AEBQEBDH@Z, swprintf_s, strnlen, _wtof, _vsnwprintf_s, _wtoi, _wsplitpath_s, wcstoul, towlower, wcsrchr, _itow_s, wcscpy_s, sscanf_s, _wcsicmp, fwprintf_s, _wcsnicmp, ??3@YAXPEAX@Z, memcpy_s, _itoa_s, _initterm, _wfopen_s, __C_specific_handler, _vsnwprintf, strcpy_s, wcschr, _wcslwr, wcsstr, strchr, wcsncmp, wcsspn, qsort, wcscmp
ntdll.dll	RtlCopyUnicodeString, RtlRunOnceExecuteOnce, NtOpenProcessToken, NtQueryInformationToken, NtOpenThreadToken, RtlAdjustPrivilege, RtlAllocateAndInitializeSid, RtlFreeSid, NtQueryKey, RtlRandomEx, RtlDosPathNameToRelativeNtPathName_U, NtLoadKeyEx, RtlReleaseRelativeName, RtlImageRvaToVa, NtCreateSection, NtQuerySection, EtwTraceMessage, RtlDosPathNameToNtPathName_U, NtQueryInformationFile, NtOpenFile, RtlGetVersion, NtDeleteValueKey, NtSetValueKey, RtlImageDirectoryEntryToData, RtlVerifyVersionInfo, LdrResSearchResource, RtlTimeToTimeFields, ZwMapViewOfSection, ZwUnmapViewOfSection, ZwQuerySystemInformation, RtlGetNativeSystemInformation, RtlUpcaseUnicodeChar, RtlUnicodeStringToAnsiString, RtlUpcaseUnicodeString, RtlAnsiStringToUnicodeString, RtlxAnsiStringToUnicodeSize, RtlInitString, NtClose, NtQueryValueKey, RtlNtPathNameToDosPathName, RtlpEnsureBufferSize, ZwQueryDirectoryFile, RtlSecondsSince1970ToTime, ZwSetInformationProcess, ZwQueryInformationProcess, ZwCreateSection, ZwQueryInformationFile, ZwCreateFile, RtlGetFullPathName_UEx, ZwCreateKey, RtlFormatCurrentUserKeyPath, RtlAppendUnicodeToString, RtlAppendUnicodeStringToString, ZwQueryValueKey, RtlInitUnicodeStringEx, ZwEnumerateKey, ZwOpenKey, ZwOpenFile, RtlInitUnicodeString, RtlDosPathNameToNtPathName_U_WithStatus, RtlMultiByteToUnicodeN, RtlInitAnsiString, RtlEqualString, ZwClose, EtwEventRegister, EtwEventWrite, EtwEventUnregister, RtlCaptureContext, RtlLookupFunctionEntry, NtQueryLicenseValue, VerSetConditionMask, WinSqmIsOptedInEx, RtlValidSid, NtSuspendProcess, NtResumeProcess, RtlSubscribeWnfStateChangeNotification, NtQuerySystemInformation, RtlImageNtHeaderEx, RtlInitializeSRWLock, RtlReleaseSRWLockExclusive, RtlAcquireSRWLockExclusive, RtlTryEnterCriticalSection, RtlDeleteCriticalSection, RtlLeaveCriticalSection, RtlEnterCriticalSection, RtlInitializeCriticalSection, RtlNtStatusToDosError, RtlFreeUnicodeString, RtlStringFromGUID, RtlComputeCrc32, RtlGetPersistedStateLocation, RtlGetDeviceFamilyInfoEnum, RtlDoesFileExists_U, RtlNtStatusToDosErrorNoTeb, RtlGetNtSystemRoot, RtlIsCriticalSectionLockedByThread, NtApphelpCacheControl, RtlAllocateHeap, NtQuerySystemTime, RtlCompareMemory, RtlFreeHeap, EtwEventWriteNoRegistration, RtlVirtualUnwind
api-ms-win-core-libraryloader-l1-2-0.dll	LoadLibraryExW, LoadResource, SizeofResource, FreeLibrary, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleW, LockResource, GetModuleHandleExW, GetProcAddress
api-ms-win-core-synch-l1-1-0.dll	CreateEventExW, CreateMutexW, OpenEventW, OpenWaitableTimerW, CreateSemaphoreExW, EnterCriticalSection, ReleaseSemaphore, LeaveCriticalSection, InitializeCriticalSectionEx, InitializeCriticalSection, TryEnterCriticalSection, SetWaitableTimer, WaitForSingleObject, ReleaseMutex, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, CreateEventW, WaitForSingleObjectEx, OpenSemaphoreW, ReleaseSRWLockShared, CreateMutexExW, AcquireSRWLockShared, DeleteCriticalSection, ResetEvent, SetEvent
api-ms-win-core-heap-l1-1-0.dll	HeapReAlloc, HeapFree, GetProcessHeap, HeapAlloc
api-ms-win-core-errorhandling-l1-1-0.dll	SetErrorMode, GetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, RaiseException, SetLastError
api-ms-win-core-threadpool-l1-2-0.dll	WaitForThreadpoolTimerCallbacks, CloseThreadpoolWork, CreateThreadpoolTimer, SetThreadpoolThreadMinimum, CloseThreadpool, SetThreadpoolTimer, WaitForThreadpoolWorkCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, CloseThreadpoolWait, WaitForThreadpoolWaitCallbacks, SetThreadpoolThreadMaximum, CreateThreadpool, SetThreadpoolWait, CreateThreadpoolWork, SubmitThreadpoolWork
api-ms-win-core-processthreads-l1-1-0.dll	ExitProcess, GetProcessId, GetCurrentProcessId, TerminateProcess, CreateProcessW, GetCurrentProcess, CreateProcessA, GetCurrentThreadId, OpenProcessToken, CreateThread, GetExitCodeProcess, GetCurrentThread, CreateProcessAsUserW, SetThreadPriority, ProcessIdToSessionId
api-ms-win-core-localization-l1-2-0.dll	FormatMessageW
api-ms-win-core-debug-l1-1-0.dll	OutputDebugStringA, OutputDebugStringW, DebugBreak, IsDebuggerPresent
api-ms-win-core-handle-l1-1-0.dll	DuplicateHandle, CloseHandle
RPCRT4.dll	UuidCreate, RpcEpUnregister, RpcRevertToSelfEx, RpcServerInqBindings, RpcServerUseProtseqW, RpcServerUnregisterIf, RpcServerRegisterIfEx, RpcImpersonateClient, I_RpcBindingInqLocalClientPID, NdrServerCall2, NdrServerCallAll, RpcEpRegisterW, RpcBindingVectorFree
api-ms-win-service-core-l1-1-0.dll	RegisterServiceCtrlHandlerExW, SetServiceStatus
api-ms-win-core-registry-l1-1-0.dll	RegQueryValueExW, RegOpenKeyExW, RegSaveKeyExW, RegDeleteKeyExW, RegSetKeySecurity, RegEnumValueW, RegGetValueW, RegUnLoadKeyW, RegEnumKeyExW, RegDeleteTreeW, RegLoadKeyW, RegFlushKey, RegQueryInfoKeyW, RegLoadAppKeyW, RegNotifyChangeKeyValue, RegSetValueExW, RegCreateKeyExW, RegCloseKey, RegDeleteValueW
api-ms-win-core-synch-l1-2-0.dll	InitOnceComplete, InitOnceBeginInitialize, WakeAllConditionVariable, SleepConditionVariableSRW, Sleep
api-ms-win-eventing-provider-l1-1-0.dll	EventUnregister, EventRegister, EventWriteTransfer, EventSetInformation
api-ms-win-power-base-l1-1-0.dll	PowerRegisterSuspendResumeNotification, PowerUnregisterSuspendResumeNotification
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll	GetVersionExW, GetSystemWindowsDirectoryW, GetSystemDirectoryW, GetTickCount, GetTickCount64, GetLocalTime, GetSystemTime, GetSystemInfo, GetSystemTimeAsFileTime, GlobalMemoryStatusEx
api-ms-win-core-kernel32-legacy-l1-1-0.dll	UnregisterWait, WTSGetActiveConsoleSessionId
APISAMPLING.dll	APISamplingSetValue, APISamplingUninitialize, APISamplingInitialize
api-ms-win-core-job-l2-1-0.dll	CreateJobObjectW, AssignProcessToJobObject, SetInformationJobObject, QueryInformationJobObject
api-ms-win-core-kernel32-private-l1-1-0.dll	CheckElevationEnabled
USER32.dll	LoadStringW
api-ms-win-core-processthreads-l1-1-1.dll	GetThreadTimes, OpenProcess, IsProcessorFeaturePresent
api-ms-win-core-file-l1-1-0.dll	SetFilePointer, FindClose, GetFileAttributesW, GetFileSizeEx, WriteFile, CreateFileA, GetDriveTypeW, CreateFileW, GetTempFileNameW, GetFileInformationByHandle, GetVolumeInformationByHandleW, GetVolumeInformationW, GetFileTime, CreateDirectoryW, DeleteFileW, GetLongPathNameW, FindNextFileW, QueryDosDeviceW, GetFileSize, ReadFile, GetLogicalDriveStringsW, GetShortPathNameW, FindFirstFileW, GetDiskFreeSpaceExW
api-ms-win-security-base-l1-1-0.dll	RevertToSelf, FreeSid, ImpersonateLoggedOnUser, GetTokenInformation, AddAccessAllowedAce, InitializeAcl, AllocateAndInitializeSid, GetLengthSid, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetSecurityDescriptorGroup
api-ms-win-security-sddl-l1-1-0.dll	ConvertSidToStringSidW
api-ms-win-core-heap-l2-1-0.dll	LocalFree, LocalAlloc, GlobalFree
api-ms-win-core-io-l1-1-0.dll	PostQueuedCompletionStatus, CreateIoCompletionPort, GetQueuedCompletionStatus, DeviceIoControl
api-ms-win-core-job-l1-1-0.dll	IsProcessInJob
api-ms-win-core-memory-l1-1-0.dll	CreateFileMappingW, WriteProcessMemory, UnmapViewOfFile, MapViewOfFile
api-ms-win-core-com-l1-1-0.dll	StringFromGUID2, CoGetInterfaceAndReleaseStream, CoTaskMemFree, CoGetClassObject, CoReleaseMarshalData, CoCancelCall, CoUninitialize, CoDisableCallCancellation, CoEnableCallCancellation, CoCreateGuid, CoCreateInstance, CoWaitForMultipleHandles, CoInitializeEx, CoMarshalInterThreadInterfaceInStream
api-ms-win-core-path-l1-1-0.dll	PathIsUNCEx, PathCchRemoveFileSpec
api-ms-win-core-psapi-l1-1-0.dll	K32GetModuleFileNameExW, QueryFullProcessImageNameW
api-ms-win-core-processenvironment-l1-1-0.dll	FreeEnvironmentStringsW, GetEnvironmentStringsW, ExpandEnvironmentStringsA, GetCommandLineW, ExpandEnvironmentStringsW
api-ms-win-core-registry-l1-1-1.dll	RegDeleteKeyValueW, RegSetKeyValueW
api-ms-win-core-sysinfo-l1-2-0.dll	GetSystemFirmwareTable, GetNativeSystemInfo
api-ms-win-core-file-l1-2-0.dll	GetVolumeNameForVolumeMountPointW, GetTempPathW
OLEAUT32.dll	SysAllocString, VariantInit, SysFreeString
CRYPT32.dll	CertVerifyCertificateChainPolicy
WINHTTP.dll	WinHttpReadData, WinHttpGetIEProxyConfigForCurrentUser, WinHttpSendRequest, WinHttpQueryAuthSchemes, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpGetDefaultProxyConfiguration, WinHttpOpen, WinHttpCrackUrl, WinHttpGetProxyForUrl, WinHttpConnect, WinHttpAddRequestHeaders, WinHttpOpenRequest, WinHttpReceiveResponse, WinHttpSetOption, WinHttpQueryHeaders, WinHttpCloseHandle
api-ms-win-core-file-l2-1-0.dll	MoveFileExW
api-ms-win-core-file-l2-1-2.dll	CopyFileW
api-ms-win-eventing-controller-l1-1-0.dll	ControlTraceW, EnableTraceEx2, StartTraceW
api-ms-win-eventing-consumer-l1-1-0.dll	OpenTraceW, CloseTrace, ProcessTrace
api-ms-win-core-realtime-l1-1-0.dll	QueryUnbiasedInterruptTime
api-ms-win-core-string-l1-1-0.dll	MultiByteToWideChar, CompareStringOrdinal
api-ms-win-devices-config-l1-1-1.dll	CM_Get_Device_IDW, CM_Register_Notification, CM_Get_Parent, CM_Unregister_Notification
api-ms-win-core-synch-l1-2-1.dll	WaitForMultipleObjects, CreateWaitableTimerW, CreateSemaphoreW
api-ms-win-core-libraryloader-l1-2-1.dll	FindResourceW
api-ms-win-core-winrt-l1-1-0.dll	RoGetActivationFactory, RoInitialize, RoUninitialize, RoActivateInstance
api-ms-win-core-delayload-l1-1-1.dll	ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll	DelayLoadFailureHook
api-ms-win-core-threadpool-legacy-l1-1-0.dll	DeleteTimerQueueTimer, ChangeTimerQueueTimer, QueueUserWorkItem, CreateTimerQueueTimer
api-ms-win-core-shlwapi-legacy-l1-1-0.dll	PathRemoveExtensionW, PathGetDriveNumberW, PathFindExtensionW, PathFileExistsW, PathAppendW, PathSkipRootW, PathFindFileNameW, PathStripPathW
api-ms-win-core-registry-l2-1-0.dll	RegOpenKeyW, RegDeleteKeyW
api-ms-win-core-kernel32-legacy-l1-1-1.dll	VerifyVersionInfoW
api-ms-win-core-appcompat-l1-1-1.dll	BaseFreeAppCompatDataForProcess, BaseReadAppCompatDataForProcess
tdh.dll	TdhGetProperty, TdhGetPropertySize
SETUPAPI.dll	SetupIterateCabinetW
api-ms-win-core-url-l1-1-0.dll	UrlGetPartW
api-ms-win-oobe-notification-l1-1-0.dll	OOBEComplete
apphelp.dll	SetPermLayerState
api-ms-win-core-sidebyside-l1-1-0.dll	ReleaseActCtx, QueryActCtxW, CreateActCtxW
api-ms-win-core-timezone-l1-1-0.dll	SystemTimeToFileTime, FileTimeToSystemTime
USERENV.dll	ExpandEnvironmentStringsForUserW
api-ms-win-core-com-l1-1-1.dll	RoGetAgileReference
api-ms-win-core-version-l1-1-1.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW
api-ms-win-core-version-l1-1-0.dll	VerQueryValueW
api-ms-win-security-credentials-l1-1-0.dll	CredReadW
api-ms-win-core-winrt-string-l1-1-0.dll	WindowsGetStringRawBuffer, WindowsDeleteString, WindowsCreateString, WindowsCreateStringReference
api-ms-win-core-string-obsolete-l1-1-0.dll	lstrcmpW, lstrcmpiW
api-ms-win-security-cryptoapi-l1-1-0.dll	CryptDestroyHash, CryptReleaseContext, CryptGetHashParam, CryptHashData, CryptAcquireContextW, CryptCreateHash
api-ms-win-shcore-taskpool-l1-1-0.dll	SHTaskPoolQueueTask

Exports

Name	Ordinal	Address
PcaPatchSdbTask	1	0x18001e3e0
QueryEncapsulationSettings	2	0x18001e260
QueryEncapsulationSettingsTC	3	0x18001e2f0
ServiceMain	4	0x180013580
SvchostPushServiceGlobals	5	0x180015d90

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName
FileVersion	10.0.19041.1202 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	10.0.19041.1202
FileDescription	Program Compatibility Assistant Service
OriginalFilename	pcasvc.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• loaddll64.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

Memory Usage

• loaddll64.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

Behavior

• loaddll64.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 4424 Parent PID: 2248

Function Logs

General

Start time:	08:03:31
Start date:	06/10/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\PcaSvc.dll'
Imagebase:	0x7ff640820000
File size:	1136128 bytes
MD5 hash:	E0CC9D126C39A9D2FA1CAD5027EBBD18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Start time:	08:03:32
Start date:	06/10/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\PcaSvc.dll',#1
Imagebase:	0x7ff78f3e0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	08:03:35
Start date:	06/10/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,QueryEncapsulationSettings
Imagebase:	0x7ff7aae90000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	08:03:39
Start date:	06/10/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\PcaSvc.dll,QueryEncapsulationSettingsTC
Imagebase:	0x7ff7aae90000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PcaSvc.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll64.exe PID: 4424 Parent PID: 2248

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows