Edit tour

Windows Analysis Report
Scan_PDF_3008059384.exe

Overview

General Information

Sample name:	Scan_PDF_3008059384.exe
Analysis ID:	1523871
MD5:	22c3cd9f336a5cea2d8fbdacb711b80c
SHA1:	4edb2257126ad8aa9310ef0e389221e7b5cef796
SHA256:	ebd0038b416c567e44fd873f2c1b194e206e5915a82f604de4b25ca45a3d64b5
Tags:	exefiledn-comuser-JAMESWT_MHT
Infos:

Detection

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Stores large binary data to the registry

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Scan_PDF_3008059384.exe (PID: 8184 cmdline: "C:\Users\user\Desktop\Scan_PDF_3008059384.exe" MD5: 22C3CD9F336A5CEA2D8FBDACB711B80C)

dfsvc.exe (PID: 7204 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Scan_PDF_3008059384.exe	ReversingLabs: Detection: 18%
Source: Scan_PDF_3008059384.exe	Virustotal: Detection: 16%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Code function: 4_2_00F41000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,

4_2_00F41000

Source: Scan_PDF_3008059384.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Scan_PDF_3008059384.exe

Static PE information: certificate valid

Source: Scan_PDF_3008059384.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: Scan_PDF_3008059384.exe
Source:	Binary string: b.pdbJ: source: dfsvc.exe, 00000005.00000002.2036763574.0000019EA7E1E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbz source: dfsvc.exe, 00000005.00000002.2036665985.0000019EA7DB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.pdb source: dfsvc.exe, 00000005.00000002.2035229255.0000019E8DA84000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lture=en, PublicKeyToken=b03f5f7f11d50a3aem.pdb source: dfsvc.exe, 00000005.00000002.2036665985.0000019EA7DB6000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Code function: 4_2_00F44A4B FindFirstFileExA,

4_2_00F44A4B

Source: unknown

DNS traffic detected: query: app.cloudfiles-secure.io replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: app.cloudfiles-secure.io

Source: Scan_PDF_3008059384.exe, 00000004.00000003.1284708860.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Scan_PDF_3008059384.exe, 00000004.00000002.1285669681.00000000006CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredID
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000005.00000002.2037336189.0000019EA841D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/Mic
Source: dfsvc.exe, 00000005.00000002.2037336189.0000019EA841D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000005.00000002.2035838213.0000019E8F78E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Scan_PDF_3008059384.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000005.00000002.2035838213.0000019E8F832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.cloudfiles-secure.io
Source: Scan_PDF_3008059384.exe, 00000004.00000003.1284708860.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Scan_PDF_3008059384.exe, 00000004.00000002.1285669681.00000000006CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://app.cloudfiles-secure.io/Bin/ScreenConnect.Client.a
Source: dfsvc.exe, 00000005.00000002.2035838213.0000019E8F890000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000005.00000002.2035838213.0000019E8F83A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.cloudfiles-secure.io/Bin/ScreenConnect.Client.application?e=Support&y=
Source: B96Z294P.log.5.dr	String found in binary or memory: https://app.cloudfiles-secure.io/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kkl22.ddns

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Scan_PDF_3008059384.exe

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Code function: 4_2_00F4A495	4_2_00F4A495
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 5_2_00007FF7C0E4AEF5	5_2_00007FF7C0E4AEF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 5_2_00007FF7C0E51FB6	5_2_00007FF7C0E51FB6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 5_2_00007FF7C0E41240	5_2_00007FF7C0E41240
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 5_2_00007FF7C0E4F441	5_2_00007FF7C0E4F441

Source: Scan_PDF_3008059384.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal42.evad.winEXE@3/2@1/0

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

4_2_00F41000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Mutant created: NULL

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Command line argument: dfshim

4_2_00F41000

Source: Scan_PDF_3008059384.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Scan_PDF_3008059384.exe	ReversingLabs: Detection: 18%
Source: Scan_PDF_3008059384.exe	Virustotal: Detection: 16%

Source: unknown	Process created: C:\Users\user\Desktop\Scan_PDF_3008059384.exe "C:\Users\user\Desktop\Scan_PDF_3008059384.exe"
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Scan_PDF_3008059384.exe

Static PE information: certificate valid

Source: Scan_PDF_3008059384.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scan_PDF_3008059384.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scan_PDF_3008059384.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Scan_PDF_3008059384.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Scan_PDF_3008059384.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Scan_PDF_3008059384.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Scan_PDF_3008059384.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Scan_PDF_3008059384.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: Scan_PDF_3008059384.exe
Source:	Binary string: b.pdbJ: source: dfsvc.exe, 00000005.00000002.2036763574.0000019EA7E1E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbz source: dfsvc.exe, 00000005.00000002.2036665985.0000019EA7DB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.pdb source: dfsvc.exe, 00000005.00000002.2035229255.0000019E8DA84000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lture=en, PublicKeyToken=b03f5f7f11d50a3aem.pdb source: dfsvc.exe, 00000005.00000002.2036665985.0000019EA7DB6000.00000004.00000020.00020000.00000000.sdmp

Source: Scan_PDF_3008059384.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Scan_PDF_3008059384.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Scan_PDF_3008059384.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Scan_PDF_3008059384.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Scan_PDF_3008059384.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

4_2_00F41000

Source: Scan_PDF_3008059384.exe

Static PE information: real checksum: 0x1bda6 should be: 0x1ea85

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Code function: 4_2_00F41BC0 push ecx; ret	4_2_00F41BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 5_2_00007FF7C0E4B92B push cs; iretd	5_2_00007FF7C0E4B96A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 5_2_00007FF7C0E4845E push eax; ret	5_2_00007FF7C0E4846D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 5_2_00007FF7C0E4842E pushad ; ret	5_2_00007FF7C0E4845D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 5_2_00007FF7C0E47C35 push eax; retf	5_2_00007FF7C0E47C6D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 5_2_00007FF7C0E400BD pushad ; iretd	5_2_00007FF7C0E400C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 5_2_00007FF7C0E47018 push cs; iretd	5_2_00007FF7C0E4701F

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 19E8DC00000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 19EA76C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599512	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599404	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598878	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598728	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598538	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598103	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595971	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595731	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594700	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594031	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 2354			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 7386			Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe TID: 8188	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -599860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -599735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -599625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -599512s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -599404s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -598878s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -598728s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -598538s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -598103s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -597077s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -595971s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -595731s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -594700s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -594375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -594266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7404	Thread sleep time: -594031s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Code function: 4_2_00F44A4B FindFirstFileExA,

4_2_00F44A4B

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599512	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599404	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598878	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598728	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598538	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598103	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595971	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595731	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594700	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594031	Jump to behavior

Source: dfsvc.exe, 00000005.00000002.2036665985.0000019EA7DB6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Code function: 4_2_00F44573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00F44573

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

4_2_00F41000

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Code function: 4_2_00F43677 mov eax, dword ptr fs:[00000030h]

4_2_00F43677

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Code function: 4_2_00F46893 GetProcessHeap,

4_2_00F46893

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Code function: 4_2_00F41493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00F41493
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Code function: 4_2_00F44573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00F44573
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Code function: 4_2_00F4191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00F4191F
Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe	Code function: 4_2_00F41AAC SetUnhandledExceptionFilter,	4_2_00F41AAC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Code function: 4_2_00F41BD4 cpuid

4_2_00F41BD4

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Code function: 4_2_00F41806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00F41806

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3008059384.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Disable or Modify Tools	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	31 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Install Root Certificate	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Scan_PDF_3008059384.exe	18%	ReversingLabs
Scan_PDF_3008059384.exe	16%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
app.cloudfiles-secure.io	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://app.cloudfiles-secure.io	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
app.cloudfiles-secure.io	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://app.cloudfiles-secure.io/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kkl22.ddns	B96Z294P.log.5.dr	false		unknown
https://app.cloudfiles-secure.io	dfsvc.exe, 00000005.00000002.2035838213.0000019E8F832000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://app.cloudfiles-secure.io/Bin/ScreenConnect.Client.application?e=Support&y=	dfsvc.exe, 00000005.00000002.2035838213.0000019E8F890000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000005.00000002.2035838213.0000019E8F83A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ns.adobe.	dfsvc.exe, 00000005.00000002.2037336189.0000019EA841D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000005.00000002.2035838213.0000019E8F78E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.cloudfiles-secure.io/Bin/ScreenConnect.Client.a	Scan_PDF_3008059384.exe, 00000004.00000003.1284708860.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Scan_PDF_3008059384.exe, 00000004.00000002.1285669681.00000000006CB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/Mic	dfsvc.exe, 00000005.00000002.2037336189.0000019EA841D000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523871
Start date and time:	2024-10-02 06:11:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Scan_PDF_3008059384.exe
Detection:	MAL
Classification:	mal42.evad.winEXE@3/2@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 6 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:12:00	API Interceptor	20589x Sleep call for process: dfsvc.exe modified
00:12:00	API Interceptor	1x Sleep call for process: Scan_PDF_3008059384.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dfsvc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1373
Entropy (8bit):	5.369201792577388
Encrypted:	false
SSDEEP:	24:ML1XE4qpE4KQ71qE4GIs0E4KGAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:M1H2HKQ71qHGIs0HKGAHKKkKYHKGSI65
MD5:	AE112903AD8CD5C130DF44E7E1601F48
SHA1:	A3D879E7F63259F5C76C846DC8A59E5AA36EC5F6
SHA-256:	FAFA70F9D4F34235B7681A6296CA5B27A7932EDFF8A029BE748810DC2547C2ED
SHA-512:	29388D9599B400D9BDC2F869548A0448470755C7A3AFA24955B768D214A7E5802BB655C1EB4C679E308916266DFA5C2FA7CE3A3F10E802D349C63588C735984F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\B96Z294P.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (653), with CRLF line terminators
Category:	dropped
Size (bytes):	12798
Entropy (8bit):	3.897147969230462
Encrypted:	false
SSDEEP:	192:zjZqHzcjZqHzejngHd+jKDjZqHzrjngHdB4e1ujr3n:vgmgIg28grgz4e1E7
MD5:	5475367DAD0D73811E52A0C034E4EA0A
SHA1:	C8B2311C214F42729CE0D644F27A4C4F57200FCF
SHA-256:	0DD82EECF7F9EE56303868D34CA9574989C1EEA1D0AF552FA0222A6174FC3CE9
SHA-512:	82392F7E0901CC11517CE0609F219137287FEFEE40903B9C6F4F90C6B171F175DBAC47B9BBF3E338C53166778EB4648142CD89EA770731F41B7803EC12B0D0C8
Malicious:	false
Reputation:	low
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.a.p.p...c.l.o.u.d.f.i.l.e.s.-.s.e.c.u.r.e...i.o./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.k.k.l.2.2...d.d.n.s...n.e.t.&.p.=.8.0.4.1.&.s.=.3.9.a.0.2.2.c.8.-.7.b.3.8.-.4.4.c.0.-.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.514301896434248
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Scan_PDF_3008059384.exe
File size:	83'376 bytes
MD5:	22c3cd9f336a5cea2d8fbdacb711b80c
SHA1:	4edb2257126ad8aa9310ef0e389221e7b5cef796
SHA256:	ebd0038b416c567e44fd873f2c1b194e206e5915a82f604de4b25ca45a3d64b5
SHA512:	0e0e3d6c20ddc57e094ec87e2b1dc065d66ec362007a1030fb7f754c1e53053c113576f6c74ea20ee757cd15a19afc7e7603672a05a4e833bf3aec58c1590245
SSDEEP:	1536:JoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYX7gxD1:TenkyfPAwiMq0RqRfbaxZJYYX0
TLSH:	B7835B43B5D18475E9720E3118B1D9B4593FBE110EA48EAF3398426E0F351D1AE3AE7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............\|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BBDDB2 [Tue Aug 13 22:26:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	37d5c89163970dd3cc69230538a1b72b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 02:00:00 16/08/2025 01:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007F0BA8DB9C5Ah
jmp 00007F0BA8DB970Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B048h]
push dword ptr [ebp+08h]
call dword ptr [0040B044h]
push C0000409h
call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007F0BA8DB9897h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1060c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11800	0x2db0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xddc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfe38	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfd78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9cf8	0x9e00	bae4521030709e187bdbe8a34d7bf731	False	0.6035650712025317	data	6.581464957368758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x5d58	0x5e00	ec94ce6ebdbe57640638e0aa31d08896	False	0.4178025265957447	Applesoft BASIC program data, first line number 1	4.843224204192078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x11cc	0x800	04a548a5c04675d08166d3823a6bf61b	False	0.16357421875	data	2.0120795802951505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x1e0	0x200	aa256780346be2e1ee49ac6d69d2faff	False	0.52734375	data	4.703723272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xddc	0xe00	908329e10a1923a3c4938a10d44237d9	False	0.7776227678571429	data	6.495696626464028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW

CRYPT32.dll

CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:12:03.588624001 CEST	50291	53	192.168.2.10	1.1.1.1
Oct 2, 2024 06:12:03.685935974 CEST	53	50291	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 06:12:03.588624001 CEST	192.168.2.10	1.1.1.1	0x744c	Standard query (0)	app.cloudfiles-secure.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 06:12:03.685935974 CEST	1.1.1.1	192.168.2.10	0x744c	Name error (3)	app.cloudfiles-secure.io	none	none	A (IP address)	IN (0x0001)	false

Target ID:	4
Start time:	00:12:00
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\Scan_PDF_3008059384.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Scan_PDF_3008059384.exe"
Imagebase:	0xf40000
File size:	83'376 bytes
MD5 hash:	22C3CD9F336A5CEA2D8FBDACB711B80C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:12:00
Start date:	02/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x19e8d8d0000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	1473
Total number of Limit Nodes:	34

Executed Functions

Function 00F41000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000000,00000104), ref: 00F41016
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00F41025
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00F41032
LocalAlloc.KERNELBASE(00000000,00040000), ref: 00F41057
LocalAlloc.KERNEL32(00000000,00040000), ref: 00F41063
CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00F41082
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 00F410B2
LocalAlloc.KERNEL32(00000000,?), ref: 00F410C5
LocalAlloc.KERNEL32(00000000,00002000), ref: 00F410F4
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 00F4110A
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 00F4111A
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 00F4112D
CertFreeCertificateContext.CRYPT32(00000000), ref: 00F41134
LocalFree.KERNEL32(00000000), ref: 00F4113E
LocalFree.KERNEL32(00000000), ref: 00F4115D
CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 00F4116E
CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00F41182
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00F41198
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 00F411A9
LoadLibraryA.KERNELBASE(dfshim), ref: 00F411BA
GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 00F411C6
Sleep.KERNELBASE(00009C40), ref: 00F411E8
CertDeleteCertificateFromStore.CRYPT32(?), ref: 00F4120B
CertCloseStore.CRYPT32(?,00000000), ref: 00F4121A
LocalFree.KERNEL32(?), ref: 00F41223
LocalFree.KERNEL32(?), ref: 00F41228
LocalFree.KERNELBASE(?), ref: 00F4122D

Strings

TrustedPublisher, xrefs: 00F4102B
1.3.6.1.4.1.311.4.1.1, xrefs: 00F41193, 00F411A4
dfshim, xrefs: 00F411B5
ShOpenVerbApplicationW, xrefs: 00F411C0

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
API String ID: 335784236-860318880
Opcode ID: 0c2d8c274c91487cdb77be5fdefe71071f8f1ecc26e028618085193b5dd78a76
Instruction ID: 9ed27409b84635515df14f8e8bc11c8526fbb227aa53c2527994f87730efd0b8
Opcode Fuzzy Hash: 0c2d8c274c91487cdb77be5fdefe71071f8f1ecc26e028618085193b5dd78a76
Instruction Fuzzy Hash: EE615C75E40218ABEB209BA8DC45FAFBBB9FF49B51F100014EE14B7291C7719D41ABA4

Function 00F43677 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00F4364D,?,00F502E0,0000000C,00F437A4,?,00000002,00000000,?,00F43F66,00000003,00F4209F,00F41AFC), ref: 00F43698
TerminateProcess.KERNEL32(00000000,?,00F4364D,?,00F502E0,0000000C,00F437A4,?,00000002,00000000,?,00F43F66,00000003,00F4209F,00F41AFC), ref: 00F4369F
ExitProcess.KERNEL32 ref: 00F436B1

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 1af250764c10ea1f5e66e5c9274f4d1acefb51d079a9d2fe92215217b2934ccc
Instruction ID: 4673f2926237e02646bf0d14d0e6be46051b80c8a067f3558a42957e4a13c5ce
Opcode Fuzzy Hash: 1af250764c10ea1f5e66e5c9274f4d1acefb51d079a9d2fe92215217b2934ccc
Instruction Fuzzy Hash: F4E0463100010CAFCF11BF68CD09E4A3F2AEF52396B010014FE058A232DB39DE42EA50

Non-executed Functions

Function 00F4191F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00F4192B
IsDebuggerPresent.KERNEL32 ref: 00F419F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F41A10
UnhandledExceptionFilter.KERNEL32(?), ref: 00F41A1A

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 89ae765d8ba847ce6aeeab09ccf1b9f410bd8d8aec4e6fc65d3f66b13b735406
Instruction ID: 679a1e2049080b23d40fa48a805abe35da73aff42d8cb63a28991e2b3ec3b98c
Opcode Fuzzy Hash: 89ae765d8ba847ce6aeeab09ccf1b9f410bd8d8aec4e6fc65d3f66b13b735406
Instruction Fuzzy Hash: EB311675D0121C9BDB20DFA4DD497CDBBB8BF08300F1041AAE80DAB250EB749A84DF45

Function 00F44573 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00F4466B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00F44675
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00F44682

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 44c7f4830ac7520fd3671a254c7b920f4c44b93fe7f5d97a00fc32c0b413baf4
Instruction ID: d714caa115512eb72fbd88e6009a65f23c6e970e2b22f7660453efd3e90bf293
Opcode Fuzzy Hash: 44c7f4830ac7520fd3671a254c7b920f4c44b93fe7f5d97a00fc32c0b413baf4
Instruction Fuzzy Hash: F331D37490121C9BCB21DF68DC88B8DBBB8FF08311F5041EAE81CA7251EB749B859F45

Function 00F44A4B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00F44BDE

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 629e6b05fbf8e1a1e8797821c0a1f384c6e1098e89fa72c16eb20e04e1652e79
Instruction ID: 521086f8d786646291a71fe5174fad45820ad4fc0d5f2bdd705a3da3a479d2da
Opcode Fuzzy Hash: 629e6b05fbf8e1a1e8797821c0a1f384c6e1098e89fa72c16eb20e04e1652e79
Instruction Fuzzy Hash: 1331D272D00249ABCB249E78CC85FEA7FBDEB85314F0441A8F919E7251E634AD459B50

Function 00F4A495 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F4A490,?,?,00000008,?,?,00F4A130,00000000), ref: 00F4A6C2

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 893d80eac0b8764b712ba475d147fd1a041f41e50b2c33edf5f87fa56d8fc8c1
Instruction ID: 7e9061983d041829ee7c6e8a0fe99cb16d365be6904a5b1dc31b0a79ee9721d4
Opcode Fuzzy Hash: 893d80eac0b8764b712ba475d147fd1a041f41e50b2c33edf5f87fa56d8fc8c1
Instruction Fuzzy Hash: 6CB16C326506088FD725CF28C58AB657FE0FF45364F298658EC9ACF2A1C335D992DB41

Function 00F41BD4 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F41BEA

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: aaa0c8c0120a5b7045302c4c5e8ce959a9b2ba5aedfb4c94d262e1473d135c0a
Instruction ID: cf1d3ad97394b1ceac18c67cc0389cafb2aad93443c9ff29cb56ebca19238d17
Opcode Fuzzy Hash: aaa0c8c0120a5b7045302c4c5e8ce959a9b2ba5aedfb4c94d262e1473d135c0a
Instruction Fuzzy Hash: BD51AFB1E103099FEB14CF64E8817AEBBF0FB88355F15852ACA05EB290D374A981DF50

Function 00F41AAC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00F41300), ref: 00F41AB1

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 90f51331131eea2ac8f1e693a05bb6ab0115d9e8a4432572658725cee60bde64
Instruction ID: a3e8dc61245912c6a1efb67211ca3b6b16c22e14981c5e6d2a53159b925399e0
Opcode Fuzzy Hash: 90f51331131eea2ac8f1e693a05bb6ab0115d9e8a4432572658725cee60bde64
Instruction Fuzzy Hash:

Function 00F46893 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00F46893

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c9cd69b70c57339d4f4bfd74cc30e6170d92ec742a50549f2d9e9cad8741e8d0
Instruction ID: 825353238a4aa099d2d5d5ec2a9de58aa4ab69260e658c214837c6bbca495176
Opcode Fuzzy Hash: c9cd69b70c57339d4f4bfd74cc30e6170d92ec742a50549f2d9e9cad8741e8d0
Instruction Fuzzy Hash: 75A012302002098B43408F345A4520935985746581B0200145504C0020DB2080407A01

Function 00F46507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 00F4654B

Part of subcall function 00F46078: _free.LIBCMT ref: 00F46095
Part of subcall function 00F46078: _free.LIBCMT ref: 00F460A7
Part of subcall function 00F46078: _free.LIBCMT ref: 00F460B9
Part of subcall function 00F46078: _free.LIBCMT ref: 00F460CB
Part of subcall function 00F46078: _free.LIBCMT ref: 00F460DD
Part of subcall function 00F46078: _free.LIBCMT ref: 00F460EF
Part of subcall function 00F46078: _free.LIBCMT ref: 00F46101
Part of subcall function 00F46078: _free.LIBCMT ref: 00F46113
Part of subcall function 00F46078: _free.LIBCMT ref: 00F46125
Part of subcall function 00F46078: _free.LIBCMT ref: 00F46137
Part of subcall function 00F46078: _free.LIBCMT ref: 00F46149
Part of subcall function 00F46078: _free.LIBCMT ref: 00F4615B
Part of subcall function 00F46078: _free.LIBCMT ref: 00F4616D

_free.LIBCMT ref: 00F46540

Part of subcall function 00F44869: HeapFree.KERNEL32(00000000,00000000,?,00F4620D,?,00000000,?,00000000,?,00F46234,?,00000007,?,?,00F4669F,?), ref: 00F4487F
Part of subcall function 00F44869: GetLastError.KERNEL32(?,?,00F4620D,?,00000000,?,00000000,?,00F46234,?,00000007,?,?,00F4669F,?,?), ref: 00F44891

_free.LIBCMT ref: 00F46562
_free.LIBCMT ref: 00F46577
_free.LIBCMT ref: 00F46582
_free.LIBCMT ref: 00F465A4
_free.LIBCMT ref: 00F465B7
_free.LIBCMT ref: 00F465C5
_free.LIBCMT ref: 00F465D0
_free.LIBCMT ref: 00F46608
_free.LIBCMT ref: 00F4660F
_free.LIBCMT ref: 00F4662C
_free.LIBCMT ref: 00F46644

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1a0a1c5d5c24196f8f50c76e2a97f937d026bce54c0120ce888ac8cb1af577ae
Instruction ID: ecbd1a0250705887d1f5df12e085b5032295a9e9cb8c7350c91ad6244cff770a
Opcode Fuzzy Hash: 1a0a1c5d5c24196f8f50c76e2a97f937d026bce54c0120ce888ac8cb1af577ae
Instruction Fuzzy Hash: 7B315E71A003009FEB60AB7AEC05B567BE8EF42320F144429F849E7295DE34FD90AB51

Function 00F44330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00F44344

Part of subcall function 00F44869: HeapFree.KERNEL32(00000000,00000000,?,00F4620D,?,00000000,?,00000000,?,00F46234,?,00000007,?,?,00F4669F,?), ref: 00F4487F
Part of subcall function 00F44869: GetLastError.KERNEL32(?,?,00F4620D,?,00000000,?,00000000,?,00F46234,?,00000007,?,?,00F4669F,?,?), ref: 00F44891

_free.LIBCMT ref: 00F44350
_free.LIBCMT ref: 00F4435B
_free.LIBCMT ref: 00F44366
_free.LIBCMT ref: 00F44371
_free.LIBCMT ref: 00F4437C
_free.LIBCMT ref: 00F44387
_free.LIBCMT ref: 00F44392
_free.LIBCMT ref: 00F4439D
_free.LIBCMT ref: 00F443AB

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 16ea9d594e8d76e84ac09107b5056313d8f95d7f60f4a6e9c08015a0412bf795
Instruction ID: 0d95b5a126ee73d3982180f53a4162c5787b17e35ee60b7fb7a4834fb86d5d4d
Opcode Fuzzy Hash: 16ea9d594e8d76e84ac09107b5056313d8f95d7f60f4a6e9c08015a0412bf795
Instruction Fuzzy Hash: B5118976600148FFCB41EF96DC42ED93F65EF44750F5141A6BE089F262DA35EE50AB80

Function 00F47AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00F454C8,00000000,?,?,?,00F47D05,?,?,00000100), ref: 00F47B0E
__alloca_probe_16.LIBCMT ref: 00F47B46
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00F47D05,?,?,00000100,5EFC4D8B,?,?), ref: 00F47B94
__alloca_probe_16.LIBCMT ref: 00F47C2B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F47C8E
__freea.LIBCMT ref: 00F47C9B

Part of subcall function 00F462FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00F47E5B,?,00000000,?,00F4686F,?,00000004,00000000,?,?,?,00F43BCD), ref: 00F46331

__freea.LIBCMT ref: 00F47CA4
__freea.LIBCMT ref: 00F47CC9

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: 7c2c752473c4b8b17de736038d117316ecb35683cdebfe645866fccd723253bf
Instruction ID: bbd723b38bb66f3e7147a038f5e7b2aaa67fe53bd3a4971b8ee8f5255657c9c6
Opcode Fuzzy Hash: 7c2c752473c4b8b17de736038d117316ecb35683cdebfe645866fccd723253bf
Instruction Fuzzy Hash: F551E372A14316AFEF25AF64DC81FAF7FAAEB44760B154628FD04D6150EB38DC40E690

Function 00F48417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00F48B8C,?,00000000,?,00000000,00000000), ref: 00F48459
__fassign.LIBCMT ref: 00F484D4
__fassign.LIBCMT ref: 00F484EF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00F48515
WriteFile.KERNEL32(?,?,00000000,00F48B8C,00000000,?,?,?,?,?,?,?,?,?,00F48B8C,?), ref: 00F48534
WriteFile.KERNEL32(?,?,00000001,00F48B8C,00000000,?,?,?,?,?,?,?,?,?,00F48B8C,?), ref: 00F4856D

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f8b5ff1e1c281fe220af3962ebcb3f75262227bbdbe52250431c2e8d502e7d4
Instruction ID: 88983e665f510da314ff1b6f178742b3a39620c5c988479afc074e4cb0851a83
Opcode Fuzzy Hash: 4f8b5ff1e1c281fe220af3962ebcb3f75262227bbdbe52250431c2e8d502e7d4
Instruction Fuzzy Hash: 56518F75E002499FDB10CFA8DC85AEEBBF8FF19350F18411AE955E7291DB30AA41DB60

Function 00F41E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00F41E37
___except_validate_context_record.LIBVCRUNTIME ref: 00F41E3F
_ValidateLocalCookies.LIBCMT ref: 00F41EC8
__IsNonwritableInCurrentImage.LIBCMT ref: 00F41EF3
_ValidateLocalCookies.LIBCMT ref: 00F41F48

Strings

csm, xrefs: 00F41EDD

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0fbc0b3f7399b19f861fcc898686394f3d1448adacd7adfecb9e77e8b01fd6f6
Instruction ID: ff62367b69fecc146c5d239fcf98c5e558569d3f57998a2e32ee7bcdd63e8b2a
Opcode Fuzzy Hash: 0fbc0b3f7399b19f861fcc898686394f3d1448adacd7adfecb9e77e8b01fd6f6
Instruction Fuzzy Hash: 9041BF38E002099BCF10DF68CC80AAEBFB5BF45364F148055EC149B392D735EA85EB91

Function 00F4621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F461DF: _free.LIBCMT ref: 00F46208

_free.LIBCMT ref: 00F46269

Part of subcall function 00F44869: HeapFree.KERNEL32(00000000,00000000,?,00F4620D,?,00000000,?,00000000,?,00F46234,?,00000007,?,?,00F4669F,?), ref: 00F4487F
Part of subcall function 00F44869: GetLastError.KERNEL32(?,?,00F4620D,?,00000000,?,00000000,?,00F46234,?,00000007,?,?,00F4669F,?,?), ref: 00F44891

_free.LIBCMT ref: 00F46274
_free.LIBCMT ref: 00F4627F
_free.LIBCMT ref: 00F462D3
_free.LIBCMT ref: 00F462DE
_free.LIBCMT ref: 00F462E9
_free.LIBCMT ref: 00F462F4

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction ID: 418df24534cd613afdfcad56ce8b8afb5ee6f488d1ce385d948d02586c4a34c2
Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction Fuzzy Hash: 03115171540B14BAD520B7B1CC07FCB7F9D5F81B00F404825BE9AE6193EA69BA046651

Function 00F43D8F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00F43DAD

Part of subcall function 00F44869: HeapFree.KERNEL32(00000000,00000000,?,00F4620D,?,00000000,?,00000000,?,00F46234,?,00000007,?,?,00F4669F,?), ref: 00F4487F
Part of subcall function 00F44869: GetLastError.KERNEL32(?,?,00F4620D,?,00000000,?,00000000,?,00F46234,?,00000007,?,?,00F4669F,?,?), ref: 00F44891

_free.LIBCMT ref: 00F43DBF
_free.LIBCMT ref: 00F43DD2
_free.LIBCMT ref: 00F43DE3
_free.LIBCMT ref: 00F43DF4

Strings

8Gd, xrefs: 00F43D8F, 00F43D9E, 00F43DB3

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 8Gd
API String ID: 776569668-551424441
Opcode ID: 6a5bfab6ada6792a5780ab120f9b4b525d16842d5d0539ec0df7a22f66602223
Instruction ID: e0d73706049f50d1f4e7be14b37fe23d69f2a8ffe5bb4240089819e5ca5f3a03
Opcode Fuzzy Hash: 6a5bfab6ada6792a5780ab120f9b4b525d16842d5d0539ec0df7a22f66602223
Instruction Fuzzy Hash: 59F0D478800B689FDB916F25FC0164A3F70BB857223450617FF12AA3B2D7792951BBC1

Function 00F423D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00F423C8,00F4209F,00F41AFC), ref: 00F423DF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F423ED
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F42406
SetLastError.KERNEL32(00000000,00F423C8,00F4209F,00F41AFC), ref: 00F42458

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 395e329ef3b8ab475dc502b77550b73c26e0e5ae52a7eaf1bc1d5db30e334187
Instruction ID: f370a745f5018e723709231bd71297e4cf6346a735aa7ee95e8126db8142b078
Opcode Fuzzy Hash: 395e329ef3b8ab475dc502b77550b73c26e0e5ae52a7eaf1bc1d5db30e334187
Instruction Fuzzy Hash: 0A01F2336193295EA6A46BB8BC85B2B3F54EB127B67600239FE20810F6EF555C81B254

Function 00F44424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000008,?,00F46D69,?,?,?,00F504C8,0000002C,00F43F34,00000016,00F4209F,00F41AFC), ref: 00F44428
_free.LIBCMT ref: 00F4445B
_free.LIBCMT ref: 00F44483
SetLastError.KERNEL32(00000000), ref: 00F44490
SetLastError.KERNEL32(00000000), ref: 00F4449C
_abort.LIBCMT ref: 00F444A2

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 858cc7a6abf67a7c7a40374b7262ff39f940e84e5da72e517189e072f0ac78b8
Instruction ID: 49bde206999a28607631b1152991a0f062534de762d6f4f608d3d3e2881f6608
Opcode Fuzzy Hash: 858cc7a6abf67a7c7a40374b7262ff39f940e84e5da72e517189e072f0ac78b8
Instruction Fuzzy Hash: 63F0F236900744A7C611F7346C05B2B3E596FD2772F254114FD28F31E6EF69E9017121

Function 00F436FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F436AD,?,?,00F4364D,?,00F502E0,0000000C,00F437A4,?,00000002), ref: 00F4371C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F4372F
FreeLibrary.KERNEL32(00000000,?,?,?,00F436AD,?,?,00F4364D,?,00F502E0,0000000C,00F437A4,?,00000002,00000000), ref: 00F43752

Strings

CorExitProcess, xrefs: 00F43727
mscoree.dll, xrefs: 00F43715

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 19dae7c5e27ce3cdfb896d3f58e98cafc171c42bd67247db60728245e0cca771
Instruction ID: 7d66d19c50d508686e51b813013b002ab03bc004d147ce581fa3ce72dbe67a37
Opcode Fuzzy Hash: 19dae7c5e27ce3cdfb896d3f58e98cafc171c42bd67247db60728245e0cca771
Instruction Fuzzy Hash: 4FF04F75A0020CBBDB159BA4DC49BAEBFB4EF19756F0040A4FD05A2151DB74DE84EB90

Function 00F4634D Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00F454C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00F4639A
__alloca_probe_16.LIBCMT ref: 00F463D2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F46423
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F46435
__freea.LIBCMT ref: 00F4643E

Part of subcall function 00F462FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00F47E5B,?,00000000,?,00F4686F,?,00000004,00000000,?,?,?,00F43BCD), ref: 00F46331

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 35c969f037d924c8fbcc09fb48de0a588bb9e0c0ead4010f2431307a21238605
Instruction ID: a2a4503c6f01065f1547c40448c7d516ddd40ba1c8ab7bcd482e0bbfb54b07d9
Opcode Fuzzy Hash: 35c969f037d924c8fbcc09fb48de0a588bb9e0c0ead4010f2431307a21238605
Instruction Fuzzy Hash: 3C31E172A0021AABDF25DF64DC45EAE7FA5EF02320F044129FC14D6260E739CD90EBA1

Function 00F4561E Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F45627
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F4564A

Part of subcall function 00F462FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00F47E5B,?,00000000,?,00F4686F,?,00000004,00000000,?,?,?,00F43BCD), ref: 00F46331

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F45670
_free.LIBCMT ref: 00F45683
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F45692

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: a745500d9afcf70b9c6e4710bbd45844a0490ec8b05d1665d349afdf8e2499cb
Instruction ID: e89a1fd6d49d487c441fc982366929349d79a8a692212c7fbad1a73255335468
Opcode Fuzzy Hash: a745500d9afcf70b9c6e4710bbd45844a0490ec8b05d1665d349afdf8e2499cb
Instruction Fuzzy Hash: 27018476A02A597F27212ABA5C4CD7B7E6DDEC2FB13560129FD04D7142EBA48D01B1B0

Function 00F444A8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F447FE,00F47E79,?,00F4686F,?,00000004,00000000,?,?,?,00F43BCD,?,00000000), ref: 00F444AD
_free.LIBCMT ref: 00F444E2
_free.LIBCMT ref: 00F44509
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F44516
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F4451F

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 703727764acdeb6ecddda3ff3e8713eb4c12c2788885a932d076e76505f879bd
Instruction ID: ff86f12e866f594198bb61cd3fc33ba7946e9aafa8519be401ae9af54bb6dbfd
Opcode Fuzzy Hash: 703727764acdeb6ecddda3ff3e8713eb4c12c2788885a932d076e76505f879bd
Instruction Fuzzy Hash: 8301F437A00608AB9612B6346C45F2B3E2EBBD27727250125FD19F22D3EF68ED017020

Function 00F46176 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F4618E

Part of subcall function 00F44869: HeapFree.KERNEL32(00000000,00000000,?,00F4620D,?,00000000,?,00000000,?,00F46234,?,00000007,?,?,00F4669F,?), ref: 00F4487F
Part of subcall function 00F44869: GetLastError.KERNEL32(?,?,00F4620D,?,00000000,?,00000000,?,00F46234,?,00000007,?,?,00F4669F,?,?), ref: 00F44891

_free.LIBCMT ref: 00F461A0
_free.LIBCMT ref: 00F461B2
_free.LIBCMT ref: 00F461C4
_free.LIBCMT ref: 00F461D6

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 29500f2b75e71d4de73a096812a0b20ab52707e5d8a40c6badbbf628b4d8dc51
Instruction ID: e9c0b23874b88691cacfdbe4a4746878d3e3ea6238d609fba57684c5c75e79d4
Opcode Fuzzy Hash: 29500f2b75e71d4de73a096812a0b20ab52707e5d8a40c6badbbf628b4d8dc51
Instruction Fuzzy Hash: A2F06272A04344AF8660EB55F981E1A7FDDBB82F213680805FC09E7652C734FC80AA51

Function 00F42F53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Scan_PDF_3008059384.exe,00000104), ref: 00F42F93
_free.LIBCMT ref: 00F4305E
_free.LIBCMT ref: 00F43068

Strings

C:\Users\user\Desktop\Scan_PDF_3008059384.exe, xrefs: 00F42F8A, 00F42F91, 00F42FC0, 00F42FF8

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Scan_PDF_3008059384.exe
API String ID: 2506810119-846507713
Opcode ID: 1f44ab28b7c9d046150a6d7c778bda357d1acbf73f1ee90760f1b939368ed519
Instruction ID: 46e097f437ed5fbadc7470b0326bb96dd2b853708ce7e08f28a7f1d5bb9b49d3
Opcode Fuzzy Hash: 1f44ab28b7c9d046150a6d7c778bda357d1acbf73f1ee90760f1b939368ed519
Instruction Fuzzy Hash: 66319D71E00208AFCB21DB99DC81AAEBFBCEB85724F104166FD04A7211D6B59E44EB91

Function 00F4512A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00F44424: GetLastError.KERNEL32(00000008,?,00F46D69,?,?,?,00F504C8,0000002C,00F43F34,00000016,00F4209F,00F41AFC), ref: 00F44428
Part of subcall function 00F44424: _free.LIBCMT ref: 00F4445B
Part of subcall function 00F44424: SetLastError.KERNEL32(00000000), ref: 00F4449C
Part of subcall function 00F44424: _abort.LIBCMT ref: 00F444A2

Part of subcall function 00F45249: _abort.LIBCMT ref: 00F4527B
Part of subcall function 00F45249: _free.LIBCMT ref: 00F452AF

Part of subcall function 00F44EBE: GetOEMCP.KERNEL32(00000000,?,?,00F45147,?), ref: 00F44EE9

_free.LIBCMT ref: 00F451A2
_free.LIBCMT ref: 00F451D8

Strings

8Gd, xrefs: 00F4521C
8Gd, xrefs: 00F45221

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: 8Gd$8Gd
API String ID: 2991157371-2294296528
Opcode ID: b5cc91d9b05e588ce642ff83ef6bcba58b06c9761b718085172b08c15517c5d1
Instruction ID: 8a50491643f6f44dc8ff3ee40b5f58fb236df1ed846bbb49187a88675cd65007
Opcode Fuzzy Hash: b5cc91d9b05e588ce642ff83ef6bcba58b06c9761b718085172b08c15517c5d1
Instruction Fuzzy Hash: 1C31E431D00648AFDB11EBA9D841B9DBFE5EF81721F25019AED049B292EB356D41EB40

Function 00F425E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00F42594,00000000,?,00F51B50,?,?,?,00F42737,00000004,InitializeCriticalSectionEx,00F4BC48,InitializeCriticalSectionEx), ref: 00F425F0
GetLastError.KERNEL32(?,00F42594,00000000,?,00F51B50,?,?,?,00F42737,00000004,InitializeCriticalSectionEx,00F4BC48,InitializeCriticalSectionEx,00000000,?,00F424C7), ref: 00F425FA
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00F42622

Strings

api-ms-, xrefs: 00F42607

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 8cc67f7b8b670680165b9849b00550111c2f6be9f34bb430573edb076f2f5c4d
Instruction ID: 1883817a1ce8c3c95886a7070f086264ab83c7aeff8571da52d038e6a71d0fce
Opcode Fuzzy Hash: 8cc67f7b8b670680165b9849b00550111c2f6be9f34bb430573edb076f2f5c4d
Instruction Fuzzy Hash: C6E04831640308BBDF212B64EC06F593F54EB25B52F514430FD0DE40E2E7A5E954B555

Function 00F457DD Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00F45784,00000000,00000000,00000000,00000000,?,00F45981,00000006,FlsSetValue), ref: 00F4580F
GetLastError.KERNEL32(?,00F45784,00000000,00000000,00000000,00000000,?,00F45981,00000006,FlsSetValue,00F4C4D8,FlsSetValue,00000000,00000364,?,00F444F6), ref: 00F4581B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F45784,00000000,00000000,00000000,00000000,?,00F45981,00000006,FlsSetValue,00F4C4D8,FlsSetValue,00000000), ref: 00F45829

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 9fc3f03f993b580a41b84d8931e223b936d9022a5eba0983c20b8225ac72429d
Instruction ID: 76f3be610b93d9d53fef3b05579e45ed21d5b7298c78406a173e50d2ed1ad821
Opcode Fuzzy Hash: 9fc3f03f993b580a41b84d8931e223b936d9022a5eba0983c20b8225ac72429d
Instruction Fuzzy Hash: CE01A737A0572AABD7215A6CAC44A577F98AF16FB1B240634FD1AD7142DF20D800E6E0

Function 00F448BB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F44A27

Part of subcall function 00F4474D: IsProcessorFeaturePresent.KERNEL32(00000017,00F4473C,00000000,?,00000004,00000000,?,?,?,?,00F44749,00000000,00000000,00000000,00000000,00000000), ref: 00F4474F
Part of subcall function 00F4474D: GetCurrentProcess.KERNEL32(C0000417), ref: 00F44771
Part of subcall function 00F4474D: TerminateProcess.KERNEL32(00000000), ref: 00F44778

Strings

., xrefs: 00F44BDE
*?, xrefs: 00F448FE

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
Instruction ID: efcb2a45e28c5e9a67ba660bb5a4fd98577971d1113d9e304b816b5f9ac9d12d
Opcode Fuzzy Hash: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
Instruction Fuzzy Hash: CD517175E00219AFDF14DFA8CC81AAEBBB5FF58314F248169E854F7341E635AE01AB50

Function 00F45249 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F44424: GetLastError.KERNEL32(00000008,?,00F46D69,?,?,?,00F504C8,0000002C,00F43F34,00000016,00F4209F,00F41AFC), ref: 00F44428
Part of subcall function 00F44424: _free.LIBCMT ref: 00F4445B
Part of subcall function 00F44424: SetLastError.KERNEL32(00000000), ref: 00F4449C
Part of subcall function 00F44424: _abort.LIBCMT ref: 00F444A2

_abort.LIBCMT ref: 00F4527B
_free.LIBCMT ref: 00F452AF

Strings

8Gd, xrefs: 00F452B5, 00F452BD

Memory Dump Source

Source File: 00000004.00000002.1285833569.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000004.00000002.1285816396.0000000000F40000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285848452.0000000000F4B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285863312.0000000000F51000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1285880196.0000000000F53000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f40000_Scan_PDF_3008059384.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: 8Gd
API String ID: 289325740-551424441
Opcode ID: c1a328460ca7b752d1b8aa8dd0387a9f7665bec09cc71cd71f4fe5bdb64e2885
Instruction ID: ef4a12b5fc95d8906067671edaf38ef73df8a2f978196e360bfc31d507844079
Opcode Fuzzy Hash: c1a328460ca7b752d1b8aa8dd0387a9f7665bec09cc71cd71f4fe5bdb64e2885
Instruction Fuzzy Hash: C0016131D01F259BC761BFA89801729BB60BB44F71B19020AED2567292D7B47A41BFC1

Analysis Process: dfsvc.exePID: 7204, Parent PID: 8184COMMON

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	148
Total number of Limit Nodes:	9

Executed Functions

Function 00007FF7C0E41488 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 404
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF7C0E41827

Strings

1L_I, xrefs: 00007FF7C0E41604
2L_I, xrefs: 00007FF7C0E41504

Memory Dump Source

Source File: 00000005.00000002.2038085721.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c0e40000_dfsvc.jbxd

Similarity

API ID: LibraryLoad
String ID: 1L_I$2L_I
API String ID: 1029625771-2038145154
Opcode ID: c42cea9f59cce506352998ca8adeb8cf2ae7f33f740f197512bf1ce3bb2d8bf1
Instruction ID: 700579f308c284d7a0242ecd51d6e6e09a210275a68f56a96963e7d0042f8629
Opcode Fuzzy Hash: c42cea9f59cce506352998ca8adeb8cf2ae7f33f740f197512bf1ce3bb2d8bf1
Instruction Fuzzy Hash: 57D1387060DA899FD7059B7D481A3A9BBA1FF86311B0482EFC059C7297CB34E952C7C1

Function 00007FF7C0E529F9 Relevance: 1.8, APIs: 1, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateUrlCacheEntryW.WININET ref: 00007FF7C0E52C03

Memory Dump Source

Source File: 00000005.00000002.2038085721.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c0e40000_dfsvc.jbxd

Similarity

API ID: CacheCreateEntry
String ID:
API String ID: 3741994674-0
Opcode ID: 5d6b0071710929d1f3b5a2ecfc0f31db30b4694b340759d5d31e9b006389c79d
Instruction ID: f3075745d70eb1d9be9d6853c5c2daf534d56679c3bc64b685968098d6ab8fda
Opcode Fuzzy Hash: 5d6b0071710929d1f3b5a2ecfc0f31db30b4694b340759d5d31e9b006389c79d
Instruction Fuzzy Hash: 4791D430518A8D8FDBA9EF28D8457F57BE0EF5A320F14416EE88DC7292DB34A845C791

Function 00007FF7C0E51212 Relevance: 1.8, APIs: 1, Instructions: 275
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetGetCookieW.WININET ref: 00007FF7C0E513F6

Memory Dump Source

Source File: 00000005.00000002.2038085721.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c0e40000_dfsvc.jbxd

Similarity

API ID: CookieInternet
String ID:
API String ID: 930238652-0
Opcode ID: 8b191fe9220ee3179a27da01c53153028415a7de196f21d166dbc217db35fb67
Instruction ID: 43a3c69a17e167b65e08353acf4a65335b147bff0c95bf0490f298b5e2636751
Opcode Fuzzy Hash: 8b191fe9220ee3179a27da01c53153028415a7de196f21d166dbc217db35fb67
Instruction Fuzzy Hash: C491EF30508B8C4FDB69EF28C8557E57BE1FF59320F0442AED84DCB292CB74A8458B91

Function 00007FF7C0E499F5 Relevance: 1.7, APIs: 1, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FF7C0E49B1C

Memory Dump Source

Source File: 00000005.00000002.2038085721.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7c0e40000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e7c557725bda61d339863a0bb012d7241fbe59c43ea560580c27bbef3a9ca692
Instruction ID: 5c268938beb2906a7fe41005fe6358a41b974a1ad341743dc160aaf920773f7e
Opcode Fuzzy Hash: e7c557725bda61d339863a0bb012d7241fbe59c43ea560580c27bbef3a9ca692
Instruction Fuzzy Hash: 9651AF7190CA5C9FDB58EF58D845BE9BBE0FB59320F1441AEE04DD3252CB34A985CB81

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Scan_PDF_3008059384.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dfsvc.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\B96Z294P.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
Scan_PDF_3008059384.exe

Function 00F41000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Function 00F43677 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 00F46507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Function 00F44330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Function 00F47AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Function 00F48417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Function 00F41E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Function 00F4621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Function 00F43D8F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Function 00F423D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Function 00F44424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Function 00007FF7C0E41488 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 404
libraryCOMMON

Function 00007FF7C0E529F9 Relevance: 1.8, APIs: 1, Instructions: 291
COMMON

Function 00007FF7C0E51212 Relevance: 1.8, APIs: 1, Instructions: 275
networkCOMMON

Function 00007FF7C0E499F5 Relevance: 1.7, APIs: 1, Instructions: 172
fileCOMMON