Edit tour

Windows Analysis Report
pfwsmgr.exe

Overview

General Information

Sample Name:	pfwsmgr.exe
Analysis ID:	661942
MD5:	d46c7c73405cc847f4326058f770e4cb
SHA1:	9bc5a6a7e71fcafa1da8c079c013c2cb293f24c2
SHA256:	ea2ecd0786aec59d2739b9509e3a8271ee7280e35160d8407b93b55b6b9ef162
Infos:

Detection

Score:	18
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Yara detected Generic Downloader

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

PE file contains strange resources

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Creates or modifies windows services

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

pfwsmgr.exe (PID: 4696 cmdline: "C:\Users\user\Desktop\pfwsmgr.exe" MD5: D46C7C73405CC847F4326058F770E4CB)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
pfwsmgr.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: pfwsmgr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: pfwsmgr.exe

Static PE information: certificate valid

Source: pfwsmgr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\ADO-WORK\39\s\Projects\Compiled\Pfwsmgr\BabelOut\pfwsmgr.pdbx source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: E:\ADO-WORK\39\s\Projects\Compiled\Pfwsmgr\BabelOut\pfwsmgr.pdb source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match

File source: pfwsmgr.exe, type: SAMPLE

Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://169.254.169.254/metadata/instance/compute?api-version=2020-06-01
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://aka.ms/msal-net-iwa
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://aka.ms/valid-authorities
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://openid.net/specs/jwt/1.0Hurn:ietf:params:oauth:token-type:jwt
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/claims/CommonName/denyonlyprimarygroupsid
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/claims/EmailAddress
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/claims/Group
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/claims/UPN
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/http#EndpointReference
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueWhttp://schemas.xmlsoap.org/ws/2005/02/trustsht
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/json_type
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp, pfwsmgr.exe, 00000001.00000002.383792843.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicyOhttp://schemas.xmlsoap.org/wsdl/soap12/)===
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/Brokered-Authentication-for-Android
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/IdentityModel/PII.
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/IdentityModel/create-ecdsa
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/IdentityModel/supported-algorithms
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/adal_token_cache_serialization
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-brokers
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-brokers.
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-client-apps
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-interactive-android
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-2-released)
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-3-breaking-changes
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-change
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-change)
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-changea
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-4x-cache-breaking-change
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-application-configuration
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-b2c
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-brokers
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-client-credentials
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-custom-instance-metadata
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-custom-web-uiVCustomWebUi
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-device-code-flow
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-enable-keychain-access
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-enable-keychain-groups
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-experimental-features
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-invalid-client
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-ios-13-broker
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-ios-broker
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-iwa
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-os-browser
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-os-browserxAuthorize
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-region-discovery
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-signed-assertion
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-system-browsers
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-up
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-up)
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-net-xamarin
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/msal-statemismatcherror
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/net-cache-persistence-errors.
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.msa/msal-net-3x-cache-breaking-change
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://enterpriseregistration.windows.net/
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/A
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/common
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/nativeclient
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/nativeclient3urn:ietf:wg:oauth:2.0:oob
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/nativeclientY
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com=https://login.chinacloudapi.cnAhttps://login.microsoftonline.deAht
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://res.com/res-one-workspace-editions
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sso2urn:ietf:wg:oauth:2.0:oobxhttps://login.microsoftonline.com/common/oauth2/nativeclient
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://storage.azure.com/.default
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.nuget.org/packages/Microsoft.Identity.Json.Bson
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.nuget.org/packages/Microsoft.IdentityModel.Json.Bson
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: pfwsmgr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: pfwsmgr.exe, 00000001.00000000.353676664.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: get_OriginalFileName vs pfwsmgr.exe
Source: pfwsmgr.exe, 00000001.00000000.353676664.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: pstrOriginalFileName vs pfwsmgr.exe
Source: pfwsmgr.exe, 00000001.00000000.353676664.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: _originalFileName vs pfwsmgr.exe
Source: pfwsmgr.exe, 00000001.00000002.383792843.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs pfwsmgr.exe
Source: pfwsmgr.exe, 00000001.00000002.383792843.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs pfwsmgr.exe
Source: pfwsmgr.exe	Binary or memory string: get_OriginalFileName vs pfwsmgr.exe
Source: pfwsmgr.exe	Binary or memory string: pstrOriginalFileName vs pfwsmgr.exe
Source: pfwsmgr.exe	Binary or memory string: _originalFileName vs pfwsmgr.exe

Source: pfwsmgr.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pfwsmgr.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\pfwsmgr.exe	Code function: 1_2_03D51638	1_2_03D51638
Source: C:\Users\user\Desktop\pfwsmgr.exe	Code function: 1_2_03D5F070	1_2_03D5F070
Source: C:\Users\user\Desktop\pfwsmgr.exe	Code function: 1_2_03D5162B	1_2_03D5162B
Source: C:\Users\user\Desktop\pfwsmgr.exe	Code function: 1_2_03D5DCB0	1_2_03D5DCB0
Source: C:\Users\user\Desktop\pfwsmgr.exe	Code function: 1_2_06338450	1_2_06338450
Source: C:\Users\user\Desktop\pfwsmgr.exe	Code function: 1_2_0633D540	1_2_0633D540
Source: C:\Users\user\Desktop\pfwsmgr.exe	Code function: 1_2_0633F000	1_2_0633F000

Source: pfwsmgr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pfwsmgr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pfwsmgr.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.87%
Source: C:\Users\user\Desktop\pfwsmgr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\pfwsmgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Desktop\pfwsmgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\PfwsMgr

Source: C:\Users\user\Desktop\pfwsmgr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pfwsmgr.exe.log

Jump to behavior

Source: pfwsmgr.exe	String found in binary or memory: -Start at startup of Ivanti Workspace Control:D
Source: pfwsmgr.exe	String found in binary or memory: -Help file not found {0}. Please reinstall it.

Source: classification engine

Classification label: clean18.troj.winEXE@1/1@0/0

Source: pfwsmgr.exe

Static file information: File size 11539000 > 1048576

Source: pfwsmgr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: pfwsmgr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: pfwsmgr.exe

Static PE information: certificate valid

Source: pfwsmgr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0xadb000

Source: pfwsmgr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: pfwsmgr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\ADO-WORK\39\s\Projects\Compiled\Pfwsmgr\BabelOut\pfwsmgr.pdbx source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: E:\ADO-WORK\39\s\Projects\Compiled\Pfwsmgr\BabelOut\pfwsmgr.pdb source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\pfwsmgr.exe	Code function: 1_2_06334021 push es; ret		1_2_06334030
Source: C:\Users\user\Desktop\pfwsmgr.exe	Code function: 1_2_063340D0 push es; ret		1_2_063340E0

Source: C:\Users\user\Desktop\pfwsmgr.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\pfwsmgr.exe TID: 3468	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe TID: 6824	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\pfwsmgr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\pfwsmgr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\pfwsmgr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: pfwsmgr.exe	Binary or memory string: get_IsVMwareView
Source: pfwsmgr.exe	Binary or memory string: mysnIsVMwareView
Source: pfwsmgr.exe	Binary or memory string: VMWareViewClientSupportsVDX
Source: pfwsmgr.exe	Binary or memory string: mysnIsVMwareViewBlastExtreme
Source: pfwsmgr.exe	Binary or memory string: PostponeVMwareViewSessionRefresh
Source: pfwsmgr.exe, 00000001.00000002.383792843.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l$ForceVMWareView = yes => return true
Source: pfwsmgr.exe, 00000001.00000000.353676664.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: WaitForWMWareCVolatile registry not yet filled +modMain.WaitForVMWare
Source: pfwsmgr.exe, 00000001.00000002.383792843.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ForceVMWareView
Source: pfwsmgr.exe	Binary or memory string: get_ForceVMwareView
Source: pfwsmgr.exe	Binary or memory string: get_IsVMwareViewBlast
Source: pfwsmgr.exe	Binary or memory string: mysnIsVMwareViewBlast
Source: pfwsmgr.exe, 00000001.00000000.353676664.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: WaitForVMWare+WaitForVMWare set to )Volatile Environment/ViewClient_Machine_Name+ViewClient_IP_Address
Source: pfwsmgr.exe	Binary or memory string: WaitForVMWare
Source: pfwsmgr.exe	Binary or memory string: ysnHasBeenTrue_fysnIsVMWareViewSession
Source: pfwsmgr.exe, 00000001.00000002.383792843.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l!sharedPF8.fysnIsVMWareViewSession
Source: pfwsmgr.exe, 00000001.00000002.383792843.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareViewClientType =
Source: pfwsmgr.exe	Binary or memory string: sharedVMwareView
Source: pfwsmgr.exe, 00000001.00000002.383792843.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: fysnIsVMWareViewSession
Source: pfwsmgr.exe	Binary or memory string: get_IsVMwareViewBlastExtreme
Source: pfwsmgr.exe	Binary or memory string: VMWareViewClientType

Source: C:\Users\user\Desktop\pfwsmgr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\pfwsmgr.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: pfwsmgr.exe	Binary or memory string: flngGetExplorerProgmanHandle
Source: pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWnd
Source: pfwsmgr.exe, 00000001.00000000.353676664.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_Traywnd/Ignoring UnloadMode = 3
Source: pfwsmgr.exe, 00000001.00000000.353676664.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndOExternalSplashOperations.ShowMiniSplash

Source: C:\Users\user\Desktop\pfwsmgr.exe	Queries volume information: C:\Users\user\Desktop\pfwsmgr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Queries volume information: C:\Windows\SysWOW64\WinMetadata\Windows.Management.winmd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Queries volume information: C:\Windows\SysWOW64\WinMetadata\Windows.Foundation.winmd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pfwsmgr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\pfwsmgr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://sso2urn:ietf:wg:oauth:2.0:oobxhttps://login.microsoftonline.com/common/oauth2/nativeclient	0%	Avira URL Cloud	safe
http://169.254.169.254/metadata/instance/compute?api-version=2020-06-01	0%	Avira URL Cloud	safe
https://aka.msa/msal-net-3x-cache-breaking-change	0%	Avira URL Cloud	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
https://login.microsoftonline.com=https://login.chinacloudapi.cnAhttps://login.microsoftonline.deAht	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/claims/UPN	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://login.microsoftonline.com/	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-4x-cache-breaking-change	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/nativeclient3urn:ietf:wg:oauth:2.0:oob	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/net-cache-persistence-errors.	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/soap/http#EndpointReference	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://aka.ms/msal-net-iwa	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-invalid-client	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://aka.ms/valid-authorities	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-client-apps	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/adal_token_cache_serialization	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-3x-cache-breaking-changea	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-enable-keychain-access	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-custom-instance-metadata	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-iwa	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-up)	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/Brokered-Authentication-for-Android	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-os-browserxAuthorize	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-signed-assertion	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://storage.azure.com/.default	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.nuget.org/packages/Microsoft.IdentityModel.Json.Bson	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-region-discovery	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/soap/http	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-ios-13-broker	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.nuget.org/packages/Microsoft.Identity.Json.Bson	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-up	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/json_type	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://login.microsoftonline.com/A	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://sso2urn:ietf:wg:oauth:2.0:oobxhttps://login.microsoftonline.com/common/oauth2/nativeclient	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	low
http://169.254.169.254/metadata/instance/compute?api-version=2020-06-01	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.msa/msal-net-3x-cache-breaking-change	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp, pfwsmgr.exe, 00000001.00000002.383792843.0000000003EA7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/IdentityModel/supported-algorithms	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-application-configuration	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-3x-cache-breaking-change	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-b2c	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://res.com/res-one-workspace-editions	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueWhttp://schemas.xmlsoap.org/ws/2005/02/trustsht	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-3x-cache-breaking-change)	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/IdentityModel/create-ecdsa	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-enable-keychain-groups	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicyOhttp://schemas.xmlsoap.org/wsdl/soap12/)===	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-ios-broker	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-system-browsers	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/claims/CommonName/denyonlyprimarygroupsid	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-brokers	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-device-code-flow	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/claims/Group	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://james.newtonking.com/projects/json	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/msal-net-xamarin	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-3-breaking-changes	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://enterpriseregistration.windows.net/	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/claims/EmailAddress	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/IdentityModel/PII.	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-statemismatcherror	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://login.microsoftonline.com/common/	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/nativeclient	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-interactive-android	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-custom-web-uiVCustomWebUi	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-brokers.	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.newtonsoft.com/jsonschema	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-2-released)	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-os-browser	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-client-credentials	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://aka.ms/msal-net-brokers	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://login.microsoftonline.com=https://login.chinacloudapi.cnAhttps://login.microsoftonline.deAht	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	low
https://login.microsoftonline.com/common/oauth2/nativeclientY	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://openid.net/specs/jwt/1.0Hurn:ietf:params:oauth:token-type:jwt	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
https://login.microsoftonline.com/common	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd	pfwsmgr.exe, 00000001.00000002.379280831.00000000019C2000.00000002.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	661942
Start date and time: 12/07/202214:38:23	2022-07-12 14:38:23 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	pfwsmgr.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean18.troj.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 23 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pfwsmgr.exe.log

Download File

Process:	C:\Users\user\Desktop\pfwsmgr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1439
Entropy (8bit):	5.35125016046415
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2EAE4Kzr7RKDE4KhK3VZ9pKhp1qE48E4FsXE45E4qXKIE4oKFKHKL:MIHK5HKXEAHKzvRYHKhQnop1qH8HAH5g
MD5:	C4F12A2E71202DC4D194D8AE568C7043
SHA1:	94F5BB503E69CFC3A51891048F402BB361175B69
SHA-256:	B51483B370072A318332F4A374AB80AB83397874DA0BA424BBE2E36D4E20089A
SHA-512:	85326CD8FE0E172F2F43FFE66B17D3F1FFF69146C00A0A0B39E18F05CBAEAB4B0BACCB73DB2003D5A45B01B2352008D54439F7BD8446D0E8DEBC64B8E53F15F6
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"C

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.07017393588027
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.87% Win32 Executable (generic) a (10002005/4) 49.83% InstallShield setup (43055/19) 0.21% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	pfwsmgr.exe
File size:	11539000
MD5:	d46c7c73405cc847f4326058f770e4cb
SHA1:	9bc5a6a7e71fcafa1da8c079c013c2cb293f24c2
SHA256:	ea2ecd0786aec59d2739b9509e3a8271ee7280e35160d8407b93b55b6b9ef162
SHA512:	39fe2a714e224818cb46e3c6d89dabc613e20d455ec2f00708581af85d4189bac8b34e05deba45a6c90b29d483caa561d8a1bcd25fdc1024404f8b3747fa2422
SSDEEP:	98304:2isClCD7B3MlA3PY7cTwCi4Me3hVFBO68:2isClMSlA/ecTC4MahVF
TLSH:	6DC64914BBFE4F09E0BF0B7499B241905BF2BD6A6B21C78E1555A09E2933702CB117B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wb..............0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	b38bc8e6cad2ca60

Static PE Info

General

Entrypoint:	0xedcf9e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6257E6A2 [Thu Apr 14 09:17:22 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	4/21/2021 5:00:00 PM 4/27/2023 4:59:59 PM
Subject Chain	CN="Ivanti, Inc.", O="Ivanti, Inc.", L=South Jordan, S=Utah, C=US
Version:	3
Thumbprint MD5:	5B7A79636A7FD257C3320B19E2DFC041
Thumbprint SHA-1:	E059339A3F58FD4AFDB4296E1EDE30FA77136431
Thumbprint SHA-256:	C27C789DC357690B5EFA46DD95C686298030402AE1B12316DEC6EBCE10EBB29E
Serial:	0E1DBA2C040555C6C50EC290165ECA73

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xadcf50	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xade000	0xb200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xae6600	0x1ac38
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xadcedc	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xadafa4	0xadb000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xade000	0xb200	0xb200	False	0.46025719803370785	data	6.1389016538199455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaea000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xade200	0xea8	data
RT_ICON	0xadf0b8	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON	0xadf970	0x6c8	data
RT_ICON	0xae0048	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0xae05c0	0x3623	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xae3bf4	0x25a8	data
RT_ICON	0xae61ac	0x10a8	data
RT_ICON	0xae7264	0x988	data
RT_ICON	0xae7bfc	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xae8074	0x84	data
RT_VERSION	0xae8108	0x3a0	data
RT_MANIFEST	0xae84b8	0xc38	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• pfwsmgr.exe

Click to jump to process

Memory Usage

• pfwsmgr.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

System Behavior

Analysis Process: pfwsmgr.exePID: 4696, Parent PID: 5860

Function Logs

General

Target ID:	1
Start time:	14:39:36
Start date:	12/07/2022
Path:	C:\Users\user\Desktop\pfwsmgr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pfwsmgr.exe"
Imagebase:	0xfc0000
File size:	11539000 bytes
MD5 hash:	D46C7C73405CC847F4326058F770E4CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Value Created

Key Value Queried

Key Monitored

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Process Terminated

Show Windows behavior

Thread Activities

Thread Created

Thread APC Queued

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Message Posted to Windows UI

Process Token Activities

Token Adjusted

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: pfwsmgr.exePID: 4696, Parent PID: 5860COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.3%
Total number of Nodes:	232
Total number of Limit Nodes:	13

Executed Functions

Function 06338450 Relevance: 1.7, Strings: 1, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6, xrefs: 06338520

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: d50fb4016be174a0a709a12e6090f53b4d80c6734faa854c1dff1cb802d4f29e
Instruction ID: 463ea3c4a389102ba3cde91937537fd27f319aa2046f6b8ab8cd540e7f09e0bf
Opcode Fuzzy Hash: d50fb4016be174a0a709a12e6090f53b4d80c6734faa854c1dff1cb802d4f29e
Instruction Fuzzy Hash: 43F18D34F002158FEB54DBB5D854AAEB7B6EF88305F148129E902EB394DB39AC45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 03D5162B Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383508356.0000000003D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 03D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3d50000_pfwsmgr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aedb5ee2b15589fa975e5131401dbed8fe4feb1cfe175721c8b0318634dc9b60
Instruction ID: b8d8daa81ce1e31d8a52744ae207f52a07599de22961d87299c1fe0acc2df0c1
Opcode Fuzzy Hash: aedb5ee2b15589fa975e5131401dbed8fe4feb1cfe175721c8b0318634dc9b60
Instruction Fuzzy Hash: B9727730A05A49CBD308EF7AE45474A7BE3EB9530DF08D968D005DB26DDB796C0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 03D51638 Relevance: .7, Instructions: 703COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383508356.0000000003D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 03D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3d50000_pfwsmgr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b99e2753a44f79dbef11a055d00c6b6442dd581256ce1f2b5b357baaff71c6
Instruction ID: 841dfc230f233d5774be0b3642705fa0b9c477b3e33ee7d1ab1da91abe07e072
Opcode Fuzzy Hash: b5b99e2753a44f79dbef11a055d00c6b6442dd581256ce1f2b5b357baaff71c6
Instruction Fuzzy Hash: 04727730A05A49CBD308EF7AE45474A7BE3EB9530DF08D968D005DB26DDB796C0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0633D540 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdc5bbed15395f8965fc2cc9c9ad65befcb6f6f3e62cc0921634167b04f5b27
Instruction ID: 9c640c496c4ea952a1271043a925251f0813e22ad4aa680508b3aabc02282fcd
Opcode Fuzzy Hash: 4cdc5bbed15395f8965fc2cc9c9ad65befcb6f6f3e62cc0921634167b04f5b27
Instruction Fuzzy Hash: E1518735F002248BDB58DF75C8647AEB6E3AFC8344F148429D906AB394EF799C468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0633A784 Relevance: 1.7, APIs: 1, Instructions: 153
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,?,?,?,?,?,?,00000004), ref: 0633A8F2

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: abade5f5781f9397aa88d87c6fe80841c7aa9cf534f6b5d494a76a6df9978062
Instruction ID: 5ac5bcd2c7a342fead65c9bd0a3ca069077b901059a43f5a3d9960985ce87846
Opcode Fuzzy Hash: abade5f5781f9397aa88d87c6fe80841c7aa9cf534f6b5d494a76a6df9978062
Instruction Fuzzy Hash: A261F2B1D002698BCB50CFA9C940BDEFBB1BF48314F158159E949BB250DB75AA89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0633A790 Relevance: 1.6, APIs: 1, Instructions: 150
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,?,?,?,?,?,?,00000004), ref: 0633A8F2

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e08d83b4e6184421968d6faf4afe6545689493a7659b1fe8d14e3768fdd7ff19
Instruction ID: 4d3ff29ee4163be055271c1bd2f4d724cd75c7470f119c7f31912ef7b4f650ae
Opcode Fuzzy Hash: e08d83b4e6184421968d6faf4afe6545689493a7659b1fe8d14e3768fdd7ff19
Instruction Fuzzy Hash: 4461E2B1D002698BCB50CFA9C940BDEFBB1BF48314F158159E949BB250DB75AA89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0633E28C Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetShortPathNameW.KERNELBASE(00000000,00000000,?), ref: 0633E3C9

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: NamePathShort
String ID:
API String ID: 1295925010-0
Opcode ID: 87175b4f42c125c900ef16774da0d34c52ed9c0a119ff2fd627beac9bd385026
Instruction ID: 81fa026b653744f73c5adb47d36b94fcf12358646c6a7393ccff33a07826fdaa
Opcode Fuzzy Hash: 87175b4f42c125c900ef16774da0d34c52ed9c0a119ff2fd627beac9bd385026
Instruction Fuzzy Hash: 2B513671D102289FDB18CFA9D884B9EBBB1BF48314F15811AE809BB360D774A849CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0633E298 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetShortPathNameW.KERNELBASE(00000000,00000000,?), ref: 0633E3C9

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: NamePathShort
String ID:
API String ID: 1295925010-0
Opcode ID: c8ccab91cea7f9d8501f55e1920650552d3c32c9178ab4ced4eeabb3aadd4e06
Instruction ID: a7d53b33a787da01b95957c7b03d2d37c2a0c436c04417631f8a893941ad3e54
Opcode Fuzzy Hash: c8ccab91cea7f9d8501f55e1920650552d3c32c9178ab4ced4eeabb3aadd4e06
Instruction Fuzzy Hash: 73513471D10229DFDB58CFA9C884B9EBBB1BF48314F15851EE809AB360C774A845CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0633F6DE Relevance: 1.6, APIs: 1, Instructions: 111
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?,00000000), ref: 0633F7AF

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 675be0e0272c86ef22072b7be11fe498f41734e0135024b911d8eecb7caf4fd5
Instruction ID: 588fa10dd121b383cb3288e9acb91f733fba787de1271008d3e513438fb21039
Opcode Fuzzy Hash: 675be0e0272c86ef22072b7be11fe498f41734e0135024b911d8eecb7caf4fd5
Instruction Fuzzy Hash: FB4127B5C00329DFDB14CF99C944ADDBBB5FF48314F55812AE409BB250D774A989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0633F6E8 Relevance: 1.6, APIs: 1, Instructions: 103
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?,00000000), ref: 0633F7AF

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: fe90b3886311a933d654958d459e561c90b5b90556fa8214c6d835ffef2f1852
Instruction ID: ebf41269157d6823bdd5fcfe796df269acc44952ca98e1258230d2928d9748fc
Opcode Fuzzy Hash: fe90b3886311a933d654958d459e561c90b5b90556fa8214c6d835ffef2f1852
Instruction Fuzzy Hash: B541F6B1D00369DFDB14CFA5C984ADDBBB5FF48304F65812AE409BB250D774A949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06330F04 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 06330FC1

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8eec62a62ff5916432ba5eeae27b274c4483234e133be2cea9d14a6872d75e4d
Instruction ID: c985559c0e8709fbeddb9ecc94d75f855e7461470d73f31c4c9d51fd4ba43bc1
Opcode Fuzzy Hash: 8eec62a62ff5916432ba5eeae27b274c4483234e133be2cea9d14a6872d75e4d
Instruction Fuzzy Hash: D44113B1C04268CEDB64CFA9C884BDEBBF1BF48304F20855AD409BB250DB75594ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 03D56C8C Relevance: 1.6, APIs: 1, Instructions: 98
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,?,00000001,?), ref: 03D56D66

Memory Dump Source

Source File: 00000001.00000002.383508356.0000000003D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 03D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3d50000_pfwsmgr.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 23746bdfb304b476e0737a5ff1770cf1936447ccc649022f5421e55a1ac5f63f
Instruction ID: 6db1a9a47c939f9314860fd2a7ae1d94a93aff36ec2e15819080aa33bcba12fa
Opcode Fuzzy Hash: 23746bdfb304b476e0737a5ff1770cf1936447ccc649022f5421e55a1ac5f63f
Instruction Fuzzy Hash: 324104B0D042589FDB10CFA9C584A8EFBF5BF48314F58856AE809BB351D7B59845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03D56724 Relevance: 1.6, APIs: 1, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,?,00000001,?), ref: 03D56D66

Memory Dump Source

Source File: 00000001.00000002.383508356.0000000003D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 03D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3d50000_pfwsmgr.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 126e96d6716b4b09626406ae9c75e429e05cd627ffb9796564d0c901c96fa76f
Instruction ID: a5c8ed9b04da606dcc5a072cc512345f6cf28919f6bf5052307bcf97f2b22b73
Opcode Fuzzy Hash: 126e96d6716b4b09626406ae9c75e429e05cd627ffb9796564d0c901c96fa76f
Instruction Fuzzy Hash: 714101B0D042588FDB10CFA9C584A9EFBF4BF48318F58856AE809BB355D774A848CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06330F10 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 06330FC1

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6a4989ec3311ecdf37b96bc735a997855e5226fb7e5dd746f51ee1e134ef65a5
Instruction ID: 45680bd10ebf2bec12c12382f27150cf068226f9fcab20846e6115553e561e28
Opcode Fuzzy Hash: 6a4989ec3311ecdf37b96bc735a997855e5226fb7e5dd746f51ee1e134ef65a5
Instruction Fuzzy Hash: 454102B1C04269CFDB64CFAAC884B8EBBB5BF48308F108559D409BB250DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0633AB44 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0633ABF7

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f94e26d313f11ad106f58be78e112262338a7f46e2de6dcf48a8457d43d4eb26
Instruction ID: 875d6f19042e96c1e1c88ea3e5a14707b482afe189094c1b43e626cc5fb7b4c6
Opcode Fuzzy Hash: f94e26d313f11ad106f58be78e112262338a7f46e2de6dcf48a8457d43d4eb26
Instruction Fuzzy Hash: EC3104B1D012589FCB20CF99D584ACEFBF5EF48314F25801AE849BB350D7749949CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06336984 Relevance: 1.6, APIs: 1, Instructions: 82
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0633ABF7

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9071e8d467033431bb6104c9bf38e40effe92918f915243da3bc6b09ec48f91d
Instruction ID: 1e752896a20af05462489e23f967eb6ad1cf490818ff1ff2b0a995db1c37b63a
Opcode Fuzzy Hash: 9071e8d467033431bb6104c9bf38e40effe92918f915243da3bc6b09ec48f91d
Instruction Fuzzy Hash: C13113B1D012689FCB10CF9AC584ADEFBF5EF48314F15801AE849BB310D774A949CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06337073 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,?,?,?,?), ref: 063370F0

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 5ac5501e34b378d8b2c489090a735020b24d5e4395bd1642f47a23e1db9b51a5
Instruction ID: 08ef6a338b664c00928e2c50dea81288c0622e0570698708320882e30ee5fb69
Opcode Fuzzy Hash: 5ac5501e34b378d8b2c489090a735020b24d5e4395bd1642f47a23e1db9b51a5
Instruction Fuzzy Hash: 0A2138B6C043599FCB10CF9AC884BDEBBF4FB48364F05842AE954A7240C379A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06332B68 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06332BF7

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c59f1132c83d3206a96e03f9ecf1aafaee50ce1ae64eee568db69fe20a2dbc48
Instruction ID: 8b1a91a0190a46e5ca51d4cc63be53dd2a69a41bb853348e7fa291eeb3ac905c
Opcode Fuzzy Hash: c59f1132c83d3206a96e03f9ecf1aafaee50ce1ae64eee568db69fe20a2dbc48
Instruction Fuzzy Hash: 502105B5900259AFDB10CFA9D984ADEFBF8FB48324F14841AE954A7310C374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06332B70 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06332BF7

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 58c8c168f3fc6e17fcce3fc7e16ef68aaf6d89f9ce5aa671f925aa81a2d3517b
Instruction ID: bb9057e3dab2d7789181f7208c592f723cdd6cbd5a3145206c786c26ebd8a945
Opcode Fuzzy Hash: 58c8c168f3fc6e17fcce3fc7e16ef68aaf6d89f9ce5aa671f925aa81a2d3517b
Instruction Fuzzy Hash: A221E4B5D00258AFDB10CFAAD984ADEBBF8FB48324F14841AE914A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06337088 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,?,?,?,?), ref: 063370F0

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 0ae0cb959611aeafe129f6876cb8be709397bbe07c7628ccb7a90577de9b60fb
Instruction ID: e462de64982217581cd9a62fb816873bba9b3d3b7b8583e744d3d8b4b9830de6
Opcode Fuzzy Hash: 0ae0cb959611aeafe129f6876cb8be709397bbe07c7628ccb7a90577de9b60fb
Instruction Fuzzy Hash: AA11E7B6C042599FCB10CF9AC584BDEBBF4FB48324F158429E554A7240C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0633E8D8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 0633E93E

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 01c01beaffb297b7a2c25b02b0045502161713b54d41c8b0070a9b3ff6773144
Instruction ID: e92533d0e2ed819d8f4958b39e930d264b0be6894a44d1521f29050d7987342a
Opcode Fuzzy Hash: 01c01beaffb297b7a2c25b02b0045502161713b54d41c8b0070a9b3ff6773144
Instruction Fuzzy Hash: 241132B6C002598FCB50CFAAC444BDEFBF8AF88328F15841AD419B7200C378A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0205D504 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.379839694.000000000205D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0205D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_205d000_pfwsmgr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5243775e696816507162e4ad29a46b610ed13211873faba85ef868459be9145a
Instruction ID: 4296ecadf2cb0498ca1dd5191f51b44170a8aa9069bc118636a1a74efc436469
Opcode Fuzzy Hash: 5243775e696816507162e4ad29a46b610ed13211873faba85ef868459be9145a
Instruction Fuzzy Hash: 2F21D3B2504344DFDB05DF14D9C0B2BBBA5FB88328F2485AAED054B24AC336D856DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0205D4FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.379839694.000000000205D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0205D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_205d000_pfwsmgr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2714ef245c7a7d187a19bb68fde141c678a7e158619bf4c30222c01bc86617
Instruction ID: b84bb1ab5f0a1e867875af103346fa02935ad1c5eb3c78bb4ee0cec65f31ca3a
Opcode Fuzzy Hash: 6c2714ef245c7a7d187a19bb68fde141c678a7e158619bf4c30222c01bc86617
Instruction Fuzzy Hash: 0111B176404380CFCB12CF10D5C4B16BFB1FB84324F2886AADC454B65AC336D55ADBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0633F000 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.386899366.0000000006330000.00000040.00000800.00020000.00000000.sdmp, Offset: 06330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6330000_pfwsmgr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc71e84dbead9e2dc239d4318f4f2448c3169b41dbb85f7d353e9c9e02b8a61
Instruction ID: 0d50d030778553bdfbe16be94eadf2a12978c4ec8654cd331f45f5b82a5062e0
Opcode Fuzzy Hash: 5fc71e84dbead9e2dc239d4318f4f2448c3169b41dbb85f7d353e9c9e02b8a61
Instruction Fuzzy Hash: D9C1E035F042119FDB54AB74E95076E77A2AF89208F24442DE502DB3A4EF3ADC82CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 03D5DCB0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383508356.0000000003D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 03D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3d50000_pfwsmgr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2ef2c0b4010b6b2a8b68e0569153e37894ed8b7a236412308094ef12893063
Instruction ID: 2739cd5f9d3d342a0f88387881e9cf3b989fb0714aad34c0daa740bdd56e8824
Opcode Fuzzy Hash: db2ef2c0b4010b6b2a8b68e0569153e37894ed8b7a236412308094ef12893063
Instruction Fuzzy Hash: FAA16D30E0460ADBD744EF3BE89065AB7F3FB8420AF058924D101DB268DB797D1A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 03D5F070 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383508356.0000000003D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 03D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3d50000_pfwsmgr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c4c589d0d5e07ca06931af8dc679614b9d2aba097f7c2eb33213f5ff1bdeb9
Instruction ID: 7c0e80ff181d7f60ad4c6ba51bcef823a6af0cf9c7f6633cc9aa104a4b0ce469
Opcode Fuzzy Hash: 49c4c589d0d5e07ca06931af8dc679614b9d2aba097f7c2eb33213f5ff1bdeb9
Instruction Fuzzy Hash: 0D513C319086068AD344EF3FE4807067BE2FB9220AF09C965C145CB26CEB796D5A8BD1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pfwsmgr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pfwsmgr.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: pfwsmgr.exePID: 4696, Parent PID: 5860

General

File Activities

File Opened

File Created

File Written

Windows Analysis Report
pfwsmgr.exe

Function 06338450 Relevance: 1.7, Strings: 1, Instructions: 426
COMMON

Function 0633A784 Relevance: 1.7, APIs: 1, Instructions: 153
registryCOMMON

Function 0633A790 Relevance: 1.6, APIs: 1, Instructions: 150
registryCOMMON

Function 0633E28C Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Function 0633E298 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Function 0633F6DE Relevance: 1.6, APIs: 1, Instructions: 111
synchronizationCOMMON