Edit tour

Windows Analysis Report
Scan_PDF_3269252267.exe

Overview

General Information

Sample name:	Scan_PDF_3269252267.exe
Analysis ID:	1523873
MD5:	c9426f860a1ffb8e4c9cfec788cd83b6
SHA1:	45e9d7aec3c6d0bd8715ea5d08ae0e6e73d7986e
SHA256:	503455f565a8ada637e80686399dfde6caa6ecb8dd0a33e747b2cde0e8b276c2
Tags:	exefiledn-comuser-JAMESWT_MHT
Infos:

Detection

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores large binary data to the registry

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Scan_PDF_3269252267.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\Scan_PDF_3269252267.exe" MD5: C9426F860A1FFB8E4C9CFEC788CD83B6)

dfsvc.exe (PID: 6892 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

WerFault.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 756 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Scan_PDF_3269252267.exe	ReversingLabs: Detection: 15%
Source: Scan_PDF_3269252267.exe	Virustotal: Detection: 10%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Code function: 0_2_00211000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,

0_2_00211000

Source: Scan_PDF_3269252267.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Scan_PDF_3269252267.exe

Static PE information: certificate valid

Source: Scan_PDF_3269252267.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: Scan_PDF_3269252267.exe
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb6t source: dfsvc.exe, 00000002.00000002.3188890770.000001DAB7D75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.pdb source: dfsvc.exe, 00000002.00000002.3188890770.000001DAB7D75000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Code function: 0_2_00214A4B FindFirstFileExA,

0_2_00214A4B

Source: unknown

DNS traffic detected: query: app.cloudfiles-secure.io replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: app.cloudfiles-secure.io

Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000002.00000002.3188155054.000001DA9F75D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: Scan_PDF_3269252267.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000002.00000002.3188155054.000001DA9F7F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3188155054.000001DA9F7FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.cloudfiles-secure.io
Source: dfsvc.exe, 00000002.00000002.3188155054.000001DA9F857000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3188155054.000001DA9F803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.cloudfiles-secure.io/Bin/ScreenConnect.Client.application?e=Support&y=
Source: AD7YJBRP.log.2.dr	String found in binary or memory: https://app.cloudfiles-secure.io/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kkl22.ddns

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Scan_PDF_3269252267.exe

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Code function: 0_2_0021A495

0_2_0021A495

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 756

Source: Scan_PDF_3269252267.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal42.evad.winEXE@4/6@1/0

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

0_2_00211000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6848

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Command line argument: dfshim

0_2_00211000

Source: Scan_PDF_3269252267.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Scan_PDF_3269252267.exe	ReversingLabs: Detection: 15%
Source: Scan_PDF_3269252267.exe	Virustotal: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\Scan_PDF_3269252267.exe "C:\Users\user\Desktop\Scan_PDF_3269252267.exe"
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 756
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Scan_PDF_3269252267.exe

Static PE information: certificate valid

Source: Scan_PDF_3269252267.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scan_PDF_3269252267.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scan_PDF_3269252267.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Scan_PDF_3269252267.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Scan_PDF_3269252267.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Scan_PDF_3269252267.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Scan_PDF_3269252267.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Scan_PDF_3269252267.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: Scan_PDF_3269252267.exe
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb6t source: dfsvc.exe, 00000002.00000002.3188890770.000001DAB7D75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.pdb source: dfsvc.exe, 00000002.00000002.3188890770.000001DAB7D75000.00000004.00000020.00020000.00000000.sdmp

Source: Scan_PDF_3269252267.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Scan_PDF_3269252267.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Scan_PDF_3269252267.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Scan_PDF_3269252267.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Scan_PDF_3269252267.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

0_2_00211000

Source: Scan_PDF_3269252267.exe

Static PE information: real checksum: 0x1bda6 should be: 0x19086

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Code function: 0_2_00211BC0 push ecx; ret	0_2_00211BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFE166277B3 push eax; ret	2_2_00007FFE166277BD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFE16627638 pushad ; ret	2_2_00007FFE16627639

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 1DA9DC90000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 1DAB7680000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599642	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599403	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597908	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597792	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597667	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597431	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597324	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595760	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595318	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594199	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593967	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593297	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 2281			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 7424			Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe TID: 6852	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -599642s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -599515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -599403s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -599281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -597908s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -597792s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -597667s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -597544s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -597431s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -597324s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -596874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -596546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -596436s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -595760s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -595318s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -595201s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -594421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -594199s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -594078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -593967s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -593858s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -593734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -593625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -593515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -593406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6964	Thread sleep time: -593297s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Code function: 0_2_00214A4B FindFirstFileExA,

0_2_00214A4B

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599642	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599403	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597908	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597792	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597667	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597431	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597324	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595760	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595318	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594199	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593967	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 593297	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dfsvc.exe, 00000002.00000002.3188890770.000001DAB7D75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 6e d0 59 6b 97 52-b4 9a 7f 42 1f 0e 66 9c
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Code function: 0_2_0021191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0021191F

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

0_2_00211000

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Code function: 0_2_00213677 mov eax, dword ptr fs:[00000030h]

0_2_00213677

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Code function: 0_2_00216893 GetProcessHeap,

0_2_00216893

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Code function: 0_2_00211493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00211493
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Code function: 0_2_0021191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0021191F
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Code function: 0_2_00214573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00214573
Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe	Code function: 0_2_00211AAC SetUnhandledExceptionFilter,	0_2_00211AAC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Code function: 0_2_00211BD4 cpuid

0_2_00211BD4

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Code function: 0_2_00211806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00211806

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Scan_PDF_3269252267.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Install Root Certificate	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Scan_PDF_3269252267.exe	16%	ReversingLabs
Scan_PDF_3269252267.exe	10%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
app.cloudfiles-secure.io	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://app.cloudfiles-secure.io	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
app.cloudfiles-secure.io	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://app.cloudfiles-secure.io/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kkl22.ddns	AD7YJBRP.log.2.dr	false		unknown
https://app.cloudfiles-secure.io	dfsvc.exe, 00000002.00000002.3188155054.000001DA9F7F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3188155054.000001DA9F7FC000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://app.cloudfiles-secure.io/Bin/ScreenConnect.Client.application?e=Support&y=	dfsvc.exe, 00000002.00000002.3188155054.000001DA9F857000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3188155054.000001DA9F803000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000002.00000002.3188155054.000001DA9F75D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523873
Start date and time:	2024-10-02 06:12:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Scan_PDF_3269252267.exe
Detection:	MAL
Classification:	mal42.evad.winEXE@4/6@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 52% Number of executed functions: 6 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:13:07	API Interceptor	4575x Sleep call for process: dfsvc.exe modified
00:13:07	API Interceptor	1x Sleep call for process: Scan_PDF_3269252267.exe modified
00:13:16	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Scan_PDF_3269252_fa341ae57d71ae7e7b2778d1ef9fa7b6b7bc40_f83fe985_9d33202f-831e-4896-b8ed-87978e5387c5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9220110222425887
Encrypted:	false
SSDEEP:	96:r0FBitW0sQhqvGXyf5QXIDcQvc6QcEVcw3cE/MF2+HbHg/Jg+OgBCXEYcI+1sTJz:g7J0ky0BU/IFnjq0ozuiFjZ24IO8dR
MD5:	893CB44F9E376646CCB250F8C00150D4
SHA1:	5D65ECC81085DC097005AABFDCD090ABFB8DBF8D
SHA-256:	0415487D021665C55E34F74EC2DA6AE46D640E393ADF6540BB803533F4D9C80F
SHA-512:	8BA607BDDE36793AA6649054FE4F9711475E9C26AAD3AAAB97EA3F368FFFB356239F25A741EC1839215482F281033FCC706170301B6F2FBC6E50DC13487CD166
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.1.5.9.8.9.5.5.9.7.1.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.1.5.9.9.0.3.7.2.2.1.2.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.3.3.2.0.2.f.-.8.3.1.e.-.4.8.9.6.-.b.8.e.d.-.8.7.9.7.8.e.5.3.8.7.c.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.e.f.e.f.0.b.-.c.d.7.a.-.4.6.f.8.-.8.d.6.5.-.0.4.4.5.5.e.8.4.e.f.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.c.a.n._.P.D.F._.3.2.6.9.2.5.2.2.6.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.c.0.-.0.0.0.1.-.0.0.1.4.-.6.7.8.6.-.4.f.6.2.8.1.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.7.e.6.f.2.7.4.3.7.0.8.3.c.9.d.b.a.4.d.4.0.2.0.0.f.2.c.7.1.e.b.0.0.0.0.f.f.f.f.!.0.0.0.0.4.5.e.9.d.7.a.e.c.3.c.6.d.0.b.d.8.7.1.5.e.a.5.d.0.8.a.e.0.e.6.e.7.3.d.7.9.8.6.e.!.S.c.a.n._.P.D.F._.3.2.6.9.2.5.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DE9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 04:13:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	79430
Entropy (8bit):	1.7229055778519875
Encrypted:	false
SSDEEP:	384:fCdByhI/cDlYx/jtqI3G/kzq6smQvqmy7QH5:fC7yhI/cDlYljtqmGMzqrmQvqXQZ
MD5:	BA1E983380C0A91D6616678A68E9F8D6
SHA1:	3E7940FE7C1C2001EBB87E90E11FC2FC30306C6B
SHA-256:	126E6A9C3E4DD0EF93875DF3F24A26BF4232155A52AFFDCDFA310B539385E132
SHA-512:	1E3BAF1737787B8D0EB4E5588D17AF611E69C262D0904AA456AB24B79F11836C8CF0F078582EEE67EDAB6E0AB82425D6BA960127B70C96665CE68714A644D651
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......U..f.........................................;..........T.......8...........T............!..v........... ...........................................................................................eJ..............GenuineIntel............T...........S..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F80.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8364
Entropy (8bit):	3.7027490790359527
Encrypted:	false
SSDEEP:	192:R6l7wVeJO66N3T6Y++SU9jIL5gmf8W5pr6x89b6fsfy+m:R6lXJz6N3T6YnSU9sL5gmf8Wx6EfC
MD5:	C0C2B29E8CCB2A1DFE12DC05E598CA46
SHA1:	04EFA7F19F3074D661B03DEBBDC5A7A0AFB077FD
SHA-256:	27511B335C5EA5852B9597D0608312BB897054539D01AF559C09D5FE1B9AF9E5
SHA-512:	47053FD38123ECC6918C26EB4BD707006EDE25A559A76D363A5899CDB7EA1BB9DF9BA580EDABDE668BB551CF95BE5E8E6CF7A7CC94C9A6F8050232E250BF66C3
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FCF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4638
Entropy (8bit):	4.505350192807973
Encrypted:	false
SSDEEP:	48:cvIwWl8zsnJg77aI9PAzXWpW8VYiYm8M4JqNSFEFZj+q8N1scP5lkg8zOz3d:uIjfJI7OC7VKJwu5lkL43d
MD5:	4DBA25FBFAB988E0E6F79165F4D19D30
SHA1:	852DB51EC28262D18B7DCF511A0AA388AC7F9AD7
SHA-256:	9D4F8F116B969B706E985A93BB1883FBAA0C861961EB5ED2CB16DD7C4C5F9DF7
SHA-512:	C03EEC48D9216D08D957F6C70760B104E9A7051598F988BF7F25F7C7C9D6B685A010F09195B5648AD267F17ECD30A54C279E86C2A3E54874A0B0C8A309781658
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="525315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\AD7YJBRP.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (653), with CRLF line terminators
Category:	dropped
Size (bytes):	12798
Entropy (8bit):	3.8989816071649948
Encrypted:	false
SSDEEP:	192:Sj9qHzcj9qHzejDgHd+jK9Rj9qHzhjDgHdB4e1ujr3n:IkmkIE2U1k5Ez4e1E7
MD5:	D38DA79B21DC71EFEF3BF4566109E831
SHA1:	FB80A7538E2D0BCA642A770D56ADDE5E82F54B53
SHA-256:	2F1D23834FB52DAE9CB4B1F0CCEF8FAACB1687CFC943B5DB8C39D4A080C25EC4
SHA-512:	268018A4FFEC58E4E2D46C0BEFC11B63CD22BE4BB43B57AF8116395DB5E93653AFA6C0F0CD585E5A23A77CBE918823873281947EB2F788DC65EB5D4E0958051B
Malicious:	false
Reputation:	low
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.6.5.4...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.B.......c.l.r...d.l.l. .......:. .4...8...4.6.4.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.B.......d.f.d.l.l...d.l.l. .......:. .4...8...4.6.5.4...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.B.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.a.p.p...c.l.o.u.d.f.i.l.e.s.-.s.e.c.u.r.e...i.o./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.k.k.l.2.2...d.d.n.s...n.e.t.&.p.=.8.0.4.1.&.s.=.1.5.5.7.5.a.f.6.-.1.b.6.8.-.4.b.8.6.-.

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.568495264947026
Encrypted:	false
SSDEEP:	6144:GoPefZnQMa3tfL9bn90foomgsattlbSldrUHT7hSgkSNv0juQJYchUJvTGA3BsL6:zPZAooVJHnsg/d1TNqG
MD5:	54F641BDA8E24420DE51AD830498EE52
SHA1:	0BA7E3CB03278C94B22D4FA85FED056C499CBCF6
SHA-256:	29E318A01940BE0B2B1C61CA10749D6F05745DBFC38CD7F3D5A3CCBF016F3D6A
SHA-512:	03B2AFAE9C477A1373AE776856A357B02AF851142AF3EB59616AAC1E8F736F484A5B4888B7C22515507877AC60DAFAFCE568E3796E5D92FE6CCA3F2D688C4C9E
Malicious:	false
Reputation:	low
Preview:	regfJ...J....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm^..b................................................................................................................................................................................................................................................................................................................................................y..V........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.514398325318669
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Scan_PDF_3269252267.exe
File size:	83'376 bytes
MD5:	c9426f860a1ffb8e4c9cfec788cd83b6
SHA1:	45e9d7aec3c6d0bd8715ea5d08ae0e6e73d7986e
SHA256:	503455f565a8ada637e80686399dfde6caa6ecb8dd0a33e747b2cde0e8b276c2
SHA512:	f32c3b31ce03ac5754e46af8a0a03c6b298f7ec7f280defd1d94580e9cd6eac1b6eeb5998388b02d2ebaea27c92b3a402e39a3ffdc27d5ab6700c73b72113862
SSDEEP:	1536:JoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYX7gxD1:TenkyfPAwiMq0RqRfbaxZJYYX0
TLSH:	0B835B43B5D18875E9720E3118B1D9B4593FBE110EA48EAF3398426E0F351D19E3AE7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............\|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BBDDB2 [Tue Aug 13 22:26:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	37d5c89163970dd3cc69230538a1b72b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 02:00:00 16/08/2025 01:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007FF168F79E7Ah
jmp 00007FF168F7992Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B048h]
push dword ptr [ebp+08h]
call dword ptr [0040B044h]
push C0000409h
call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007FF168F79AB7h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1060c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11800	0x2db0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xddc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfe38	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfd78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9cf8	0x9e00	bae4521030709e187bdbe8a34d7bf731	False	0.6035650712025317	data	6.581464957368758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x5d58	0x5e00	ec94ce6ebdbe57640638e0aa31d08896	False	0.4178025265957447	Applesoft BASIC program data, first line number 1	4.843224204192078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x11cc	0x800	04a548a5c04675d08166d3823a6bf61b	False	0.16357421875	data	2.0120795802951505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x1e0	0x200	aa256780346be2e1ee49ac6d69d2faff	False	0.52734375	data	4.703723272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xddc	0xe00	908329e10a1923a3c4938a10d44237d9	False	0.7776227678571429	data	6.495696626464028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW

CRYPT32.dll

CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:13:11.142363071 CEST	63258	53	192.168.2.12	1.1.1.1
Oct 2, 2024 06:13:11.227122068 CEST	53	63258	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 06:13:11.142363071 CEST	192.168.2.12	1.1.1.1	0x64f4	Standard query (0)	app.cloudfiles-secure.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 06:13:11.227122068 CEST	1.1.1.1	192.168.2.12	0x64f4	Name error (3)	app.cloudfiles-secure.io	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:13:07
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\Scan_PDF_3269252267.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Scan_PDF_3269252267.exe"
Imagebase:	0x210000
File size:	83'376 bytes
MD5 hash:	C9426F860A1FFB8E4C9CFEC788CD83B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:13:07
Start date:	02/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x1da9d950000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:13:08
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 756
Imagebase:	0xd90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	1464
Total number of Limit Nodes:	4

Executed Functions

Function 00211000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000000,00000104), ref: 00211016
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00211025
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00211032
LocalAlloc.KERNELBASE(00000000,00040000), ref: 00211057
LocalAlloc.KERNEL32(00000000,00040000), ref: 00211063
CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00211082
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 002110B2
LocalAlloc.KERNEL32(00000000,?), ref: 002110C5
LocalAlloc.KERNEL32(00000000,00002000), ref: 002110F4
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 0021110A
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 0021111A
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 0021112D
CertFreeCertificateContext.CRYPT32(00000000), ref: 00211134
LocalFree.KERNEL32(00000000), ref: 0021113E
LocalFree.KERNEL32(00000000), ref: 0021115D
CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 0021116E
CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00211182
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00211198
CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 002111A9
LoadLibraryA.KERNELBASE(dfshim), ref: 002111BA
GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 002111C6
Sleep.KERNELBASE(00009C40), ref: 002111E8
CertDeleteCertificateFromStore.CRYPT32(?), ref: 0021120B
CertCloseStore.CRYPT32(?,00000000), ref: 0021121A
LocalFree.KERNEL32(?), ref: 00211223
LocalFree.KERNEL32(?), ref: 00211228
LocalFree.KERNEL32(?), ref: 0021122D

Strings

TrustedPublisher, xrefs: 0021102B
1.3.6.1.4.1.311.4.1.1, xrefs: 00211193, 002111A4
dfshim, xrefs: 002111B5
ShOpenVerbApplicationW, xrefs: 002111C0

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
API String ID: 335784236-860318880
Opcode ID: 9c380761302f90f3aa7aefc0511a627122db31f458df41d73b00a5d90ddf510d
Instruction ID: 6ad736217ef0b7911994b954190d3c84fea8464a93ec24c3d9a7edec082f21ee
Opcode Fuzzy Hash: 9c380761302f90f3aa7aefc0511a627122db31f458df41d73b00a5d90ddf510d
Instruction Fuzzy Hash: 04618D71A10219BFEB219F90EC49FEFBBB4EF58B50F104054FA14B7290CB7199508BA4

Non-executed Functions

Function 0021191F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0021192B
IsDebuggerPresent.KERNEL32 ref: 002119F7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00211A10
UnhandledExceptionFilter.KERNEL32(?), ref: 00211A1A

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 9743126381bd0d22aea149a4a345826151deff88ef6930ed1c23c4ab0e6b9221
Instruction ID: 083bf3b23d6addf33f27581096de036b6a6ac2b9d5810d441618107bd4b64eff
Opcode Fuzzy Hash: 9743126381bd0d22aea149a4a345826151deff88ef6930ed1c23c4ab0e6b9221
Instruction Fuzzy Hash: 33311475D112289BDB21DFA4D949BCEBBF8AF18300F1041AAE50CAB250EB749A94CF45

Function 00214573 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0021466B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00214675
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00214682

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 130947a829832e9c936e562aa14c50fcf85dfebf1da495b9ac20da50c1054aa2
Instruction ID: 46f88c6cb065ab263ccc9fe44197fc2df4b210ad959ddcf5dfd5037ab2d922a8
Opcode Fuzzy Hash: 130947a829832e9c936e562aa14c50fcf85dfebf1da495b9ac20da50c1054aa2
Instruction Fuzzy Hash: AE31B374911229ABCB21DF64D989BCDBBF8BF18310F5041EAE81CA7250EB709BD58F45

Function 00213677 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0021364D,?,002202E0,0000000C,002137A4,?,00000002,00000000,?,00213F66,00000003,0021209F,00211AFC), ref: 00213698
TerminateProcess.KERNEL32(00000000,?,0021364D,?,002202E0,0000000C,002137A4,?,00000002,00000000,?,00213F66,00000003,0021209F,00211AFC), ref: 0021369F
ExitProcess.KERNEL32 ref: 002136B1

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 04deff73b402352a30538dae3535e71ead4113ca584b5baba5e5aa6791bcbe67
Instruction ID: 82d6666e55eab675c8a48eea0fd115b508c7d7cb51d5cfa71b83dd4ea58f4c44
Opcode Fuzzy Hash: 04deff73b402352a30538dae3535e71ead4113ca584b5baba5e5aa6791bcbe67
Instruction Fuzzy Hash: 7EE0B631020588EFCF12AF54ED0DADA3BBEEF68345B008054FA559A231DF35DEA2CA54

Function 00214A4B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00214BDE

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 3fd4b2ba691f60b1fe65d9326d016c545b7a3003cfaea1e2d97b168daf010a33
Instruction ID: de6210f710e1548ea65add622544f1b2224a4fee2a1f073bc3fc4da5b1eb1386
Opcode Fuzzy Hash: 3fd4b2ba691f60b1fe65d9326d016c545b7a3003cfaea1e2d97b168daf010a33
Instruction Fuzzy Hash: AB310671C1420AABCB24EE78CC94EFA7BFDEF95308F0441A8F81D97251E6309E958B50

Function 0021A495 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0021A490,?,?,00000008,?,?,0021A130,00000000), ref: 0021A6C2

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 10818fa9caa059db9822b01076ed80986ac4febb8d1757e3c0f192cbe3aefe57
Instruction ID: b2f65e4310287c6248aeb6f65201f816678bd255c67af3c2b6971b45eaaef610
Opcode Fuzzy Hash: 10818fa9caa059db9822b01076ed80986ac4febb8d1757e3c0f192cbe3aefe57
Instruction Fuzzy Hash: 71B17E315216099FD715CF28C48ABA47BE1FF14364F298658E89ACF2E1C335D9A2CB41

Function 00211BD4 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00211BEA

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8dd70a9643a58458a399e20bcfd1ab44de49055ad12e566228d90008eb9850f3
Instruction ID: 547abedab7711baa729b8479611869471b351a11e466a1fb6db7f59bb0b2780a
Opcode Fuzzy Hash: 8dd70a9643a58458a399e20bcfd1ab44de49055ad12e566228d90008eb9850f3
Instruction Fuzzy Hash: 8D519371E202099FDB24CFA4E885BEEB7F0FB68344F14902AC501EB294D37499A1CF90

Function 00211AAC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00211300), ref: 00211AB1

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 858875da908bda8baff2053e3dded2f2cd9ddb6d10336b8ad553be3b02e90bf8
Instruction ID: c407d637019e6e63386ad4a6e664ede069922ac1077e5d23af4887e63446d88b
Opcode Fuzzy Hash: 858875da908bda8baff2053e3dded2f2cd9ddb6d10336b8ad553be3b02e90bf8
Instruction Fuzzy Hash:

Function 00216893 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00216893

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 3535c55f56ae7c6fe13f6b55f2f344419b748b7d41462b5e8d16d86071022cd1
Instruction ID: aa704dc376ac9f4f377de55104f6cf8e5a66294c52480638f12b6a6f6f4d3218
Opcode Fuzzy Hash: 3535c55f56ae7c6fe13f6b55f2f344419b748b7d41462b5e8d16d86071022cd1
Instruction Fuzzy Hash: 23A01130200202FBA3208F30BA8E2083AA8AA00A80B828028A00CC0020EB2080A0AA02

Function 00216507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 0021654B

Part of subcall function 00216078: _free.LIBCMT ref: 00216095
Part of subcall function 00216078: _free.LIBCMT ref: 002160A7
Part of subcall function 00216078: _free.LIBCMT ref: 002160B9
Part of subcall function 00216078: _free.LIBCMT ref: 002160CB
Part of subcall function 00216078: _free.LIBCMT ref: 002160DD
Part of subcall function 00216078: _free.LIBCMT ref: 002160EF
Part of subcall function 00216078: _free.LIBCMT ref: 00216101
Part of subcall function 00216078: _free.LIBCMT ref: 00216113
Part of subcall function 00216078: _free.LIBCMT ref: 00216125
Part of subcall function 00216078: _free.LIBCMT ref: 00216137
Part of subcall function 00216078: _free.LIBCMT ref: 00216149
Part of subcall function 00216078: _free.LIBCMT ref: 0021615B
Part of subcall function 00216078: _free.LIBCMT ref: 0021616D

_free.LIBCMT ref: 00216540

Part of subcall function 00214869: HeapFree.KERNEL32(00000000,00000000,?,0021620D,?,00000000,?,00000000,?,00216234,?,00000007,?,?,0021669F,?), ref: 0021487F
Part of subcall function 00214869: GetLastError.KERNEL32(?,?,0021620D,?,00000000,?,00000000,?,00216234,?,00000007,?,?,0021669F,?,?), ref: 00214891

_free.LIBCMT ref: 00216562
_free.LIBCMT ref: 00216577
_free.LIBCMT ref: 00216582
_free.LIBCMT ref: 002165A4
_free.LIBCMT ref: 002165B7
_free.LIBCMT ref: 002165C5
_free.LIBCMT ref: 002165D0
_free.LIBCMT ref: 00216608
_free.LIBCMT ref: 0021660F
_free.LIBCMT ref: 0021662C
_free.LIBCMT ref: 00216644

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 65589774f270b43fa9dd4f63d39d759716e43a9bfd19eb1d606094c8bb4e321b
Instruction ID: 56d4f19b06a6439b5e48f9b3835e8b8bc16b5e78282964316af0a7b63d49ee33
Opcode Fuzzy Hash: 65589774f270b43fa9dd4f63d39d759716e43a9bfd19eb1d606094c8bb4e321b
Instruction Fuzzy Hash: 49316D71620242AFEB20AE7AEC09BDA73E9EF60310F554429F059D7191DE35EDE0CB50

Function 00214330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00214344

Part of subcall function 00214869: HeapFree.KERNEL32(00000000,00000000,?,0021620D,?,00000000,?,00000000,?,00216234,?,00000007,?,?,0021669F,?), ref: 0021487F
Part of subcall function 00214869: GetLastError.KERNEL32(?,?,0021620D,?,00000000,?,00000000,?,00216234,?,00000007,?,?,0021669F,?,?), ref: 00214891

_free.LIBCMT ref: 00214350
_free.LIBCMT ref: 0021435B
_free.LIBCMT ref: 00214366
_free.LIBCMT ref: 00214371
_free.LIBCMT ref: 0021437C
_free.LIBCMT ref: 00214387
_free.LIBCMT ref: 00214392
_free.LIBCMT ref: 0021439D
_free.LIBCMT ref: 002143AB

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 815f73ee29472d42380449114299e46619b71d0cb809755225c34d985f7980d5
Instruction ID: 3ffe83132e56af2eef8214865eeeb6a0c57cd35c023811a9a7a1ab82f9bdb863
Opcode Fuzzy Hash: 815f73ee29472d42380449114299e46619b71d0cb809755225c34d985f7980d5
Instruction Fuzzy Hash: 55116376620148EFCB41FF96DC42CD93BA5EF54750F5241A6BA0C8B262DA31DAA09F80

Function 00217AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,002154C8,00000000,?,?,?,00217D05,?,?,00000100), ref: 00217B0E
__alloca_probe_16.LIBCMT ref: 00217B46
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00217D05,?,?,00000100,5EFC4D8B,?,?), ref: 00217B94
__alloca_probe_16.LIBCMT ref: 00217C2B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00217C8E
__freea.LIBCMT ref: 00217C9B

Part of subcall function 002162FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00217E5B,?,00000000,?,0021686F,?,00000004,00000000,?,?,?,00213BCD), ref: 00216331

__freea.LIBCMT ref: 00217CA4
__freea.LIBCMT ref: 00217CC9

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: 7e8ed53990016fe9fa622b65c5c4b9377cc24daafc052d065a0ebb2c02a8ce2c
Instruction ID: 028b9f93f1913b2d91487f715d78d8f500fd0c5a963e6852911a72a7c8c6f1fa
Opcode Fuzzy Hash: 7e8ed53990016fe9fa622b65c5c4b9377cc24daafc052d065a0ebb2c02a8ce2c
Instruction Fuzzy Hash: C951BE72624216ABDB258E64CC85EEF77FAEBA4750B15462AFC04D6140EB74DCE08A90

Function 00218417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00218B8C,?,00000000,?,00000000,00000000), ref: 00218459
__fassign.LIBCMT ref: 002184D4
__fassign.LIBCMT ref: 002184EF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00218515
WriteFile.KERNEL32(?,?,00000000,00218B8C,00000000,?,?,?,?,?,?,?,?,?,00218B8C,?), ref: 00218534
WriteFile.KERNEL32(?,?,00000001,00218B8C,00000000,?,?,?,?,?,?,?,?,?,00218B8C,?), ref: 0021856D

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 682459c3d0de3e00a1f4e3f30dc14ebe3e49aed357243ce86bdcd67153bb5bad
Instruction ID: 83e0aef36d39caf63a31d2b085bb05ecc7bd4f1478145eb5afadbfe7f3b0cbf9
Opcode Fuzzy Hash: 682459c3d0de3e00a1f4e3f30dc14ebe3e49aed357243ce86bdcd67153bb5bad
Instruction Fuzzy Hash: 4251B7B1D10249AFDB20CFA4D885AEEBBF9EF29300F15411AE955E7291DB309991CB60

Function 00211E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00211E37
___except_validate_context_record.LIBVCRUNTIME ref: 00211E3F
_ValidateLocalCookies.LIBCMT ref: 00211EC8
__IsNonwritableInCurrentImage.LIBCMT ref: 00211EF3
_ValidateLocalCookies.LIBCMT ref: 00211F48

Strings

csm, xrefs: 00211EDD

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7ee84e5b905da2548fe707db852d425f0b77323db548e0f650d412a5feba9bbf
Instruction ID: 7225e57e075bf365449b117f8140ea485126fd593fdc315d9b5c4ca2aec9e324
Opcode Fuzzy Hash: 7ee84e5b905da2548fe707db852d425f0b77323db548e0f650d412a5feba9bbf
Instruction Fuzzy Hash: C241B234A20209ABCF10DF68C885ADEBBF5BF65364F148095ED145B292D7319AB5CF90

Function 0021621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002161DF: _free.LIBCMT ref: 00216208

_free.LIBCMT ref: 00216269

Part of subcall function 00214869: HeapFree.KERNEL32(00000000,00000000,?,0021620D,?,00000000,?,00000000,?,00216234,?,00000007,?,?,0021669F,?), ref: 0021487F
Part of subcall function 00214869: GetLastError.KERNEL32(?,?,0021620D,?,00000000,?,00000000,?,00216234,?,00000007,?,?,0021669F,?,?), ref: 00214891

_free.LIBCMT ref: 00216274
_free.LIBCMT ref: 0021627F
_free.LIBCMT ref: 002162D3
_free.LIBCMT ref: 002162DE
_free.LIBCMT ref: 002162E9
_free.LIBCMT ref: 002162F4

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction ID: 4d29d8d275041718e153a22cbecb2b2d0d7f57debd0d8f2960df755e2e05fe9b
Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
Instruction Fuzzy Hash: CE114F71560B14BAD520BBB5CC0FFCF77DC5F50700F404825B69EA6193DA66BAA44E90

Function 002123D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,002123C8,0021209F,00211AFC), ref: 002123DF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002123ED
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00212406
SetLastError.KERNEL32(00000000,002123C8,0021209F,00211AFC), ref: 00212458

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: efcd6bd0caf534ef5846ee5a94104f74e6a2b6560c075bcf221b743d607fba5b
Instruction ID: dca5e320d34aa5b008a44b1c38cb77d4773c4f133a479069e1b9ea008d77adda
Opcode Fuzzy Hash: efcd6bd0caf534ef5846ee5a94104f74e6a2b6560c075bcf221b743d607fba5b
Instruction Fuzzy Hash: 4301FC321383BAEFA6252BB57C89DE727D8DB357B47201239F920410E4EF524CFA5540

Function 00214424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000008,?,00216D69,?,?,?,002204C8,0000002C,00213F34,00000016,0021209F,00211AFC), ref: 00214428
_free.LIBCMT ref: 0021445B
_free.LIBCMT ref: 00214483
SetLastError.KERNEL32(00000000), ref: 00214490
SetLastError.KERNEL32(00000000), ref: 0021449C
_abort.LIBCMT ref: 002144A2

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1a2f8c426ec6af81a5b2c9bc328d137aa95824a50347e3d63297b67d67d38286
Instruction ID: 65fb88488eb8c67e4af0d8f74f95ae68ebc725ed74722c3641d02bd903fad475
Opcode Fuzzy Hash: 1a2f8c426ec6af81a5b2c9bc328d137aa95824a50347e3d63297b67d67d38286
Instruction Fuzzy Hash: 8EF02831530681B6C622BB74BC0DFEB22FAAFF5771B258124F92CD2195EF6089F24561

Function 002136FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002136AD,?,?,0021364D,?,002202E0,0000000C,002137A4,?,00000002), ref: 0021371C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0021372F
FreeLibrary.KERNEL32(00000000,?,?,?,002136AD,?,?,0021364D,?,002202E0,0000000C,002137A4,?,00000002,00000000), ref: 00213752

Strings

mscoree.dll, xrefs: 00213715
CorExitProcess, xrefs: 00213727

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 28a19599f405e16199e0c5544589800a20f9fa383dcaaceca18436c8154cfb9b
Instruction ID: 0b4acd09f4cd1ced0ce648735ab63e38be4ceffd4449e3256646fbb30040dcf4
Opcode Fuzzy Hash: 28a19599f405e16199e0c5544589800a20f9fa383dcaaceca18436c8154cfb9b
Instruction Fuzzy Hash: C0F04471A10218BBCB169F90EC4DBEEBFF5EF29752F0080A4F905A2190DF305A95CA90

Function 0021634D Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,002154C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 0021639A
__alloca_probe_16.LIBCMT ref: 002163D2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00216423
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00216435
__freea.LIBCMT ref: 0021643E

Part of subcall function 002162FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00217E5B,?,00000000,?,0021686F,?,00000004,00000000,?,?,?,00213BCD), ref: 00216331

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 4301a779c451e75e76f26efb2c40a434bb8a13aa17d03ef0a697a267d6b565a7
Instruction ID: 631a7b6a54abfcca7427f99f20edc7b871abc6317bb561b5759d0f15ccbe07ff
Opcode Fuzzy Hash: 4301a779c451e75e76f26efb2c40a434bb8a13aa17d03ef0a697a267d6b565a7
Instruction Fuzzy Hash: 1731CD72A2021AABDB259F64EC49DEF7BE5EB24710B044169FC14D6150EB35CDA1CBA0

Function 0021561E Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00215627
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0021564A

Part of subcall function 002162FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00217E5B,?,00000000,?,0021686F,?,00000004,00000000,?,?,?,00213BCD), ref: 00216331

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00215670
_free.LIBCMT ref: 00215683
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00215692

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 0effe1d1f7dd13199d9b70f35f893fbb908b5c9d1caa75349fd33a09e981c9bc
Instruction ID: 09c92e8ffe61fcc88d636136f60ff1e82e664abed5ead4becb3100310a3f5534
Opcode Fuzzy Hash: 0effe1d1f7dd13199d9b70f35f893fbb908b5c9d1caa75349fd33a09e981c9bc
Instruction Fuzzy Hash: DA01D872621BA5BF27211E666C4CCFB6ABDDEE6B6135601B9F804C3100EF648C5189F0

Function 002144A8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,002147FE,00217E79,?,0021686F,?,00000004,00000000,?,?,?,00213BCD,?,00000000), ref: 002144AD
_free.LIBCMT ref: 002144E2
_free.LIBCMT ref: 00214509
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00214516
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 0021451F

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a92db9d81261be901700dd763725b229da4e8b2be1331b61779b53dc41d4f312
Instruction ID: ec7324a88dcc8463e1890f757f5d258465b8288b04521292342fcc726dd94af1
Opcode Fuzzy Hash: a92db9d81261be901700dd763725b229da4e8b2be1331b61779b53dc41d4f312
Instruction Fuzzy Hash: EE01F936230611BB86227B747C49EEB22EEABF57717214125F81DE2182EF748DF14460

Function 00216176 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0021618E

Part of subcall function 00214869: HeapFree.KERNEL32(00000000,00000000,?,0021620D,?,00000000,?,00000000,?,00216234,?,00000007,?,?,0021669F,?), ref: 0021487F
Part of subcall function 00214869: GetLastError.KERNEL32(?,?,0021620D,?,00000000,?,00000000,?,00216234,?,00000007,?,?,0021669F,?,?), ref: 00214891

_free.LIBCMT ref: 002161A0
_free.LIBCMT ref: 002161B2
_free.LIBCMT ref: 002161C4
_free.LIBCMT ref: 002161D6

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cc9188fccf6a36572853e0be90426404c8e3c0bf8584c92b5c335ea7f0a97b25
Instruction ID: 0ea1acd97fd0bfb15a090e000a4e4b3addd7d1cfbe6b0ae5b8c0012e79ab7b09
Opcode Fuzzy Hash: cc9188fccf6a36572853e0be90426404c8e3c0bf8584c92b5c335ea7f0a97b25
Instruction Fuzzy Hash: CEF04F32624251BF8674EF99F98DCEE77EDAA70B103590815F40DD7652C621FCE08AA0

Function 00213D8F Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00213DAD

Part of subcall function 00214869: HeapFree.KERNEL32(00000000,00000000,?,0021620D,?,00000000,?,00000000,?,00216234,?,00000007,?,?,0021669F,?), ref: 0021487F
Part of subcall function 00214869: GetLastError.KERNEL32(?,?,0021620D,?,00000000,?,00000000,?,00216234,?,00000007,?,?,0021669F,?,?), ref: 00214891

_free.LIBCMT ref: 00213DBF
_free.LIBCMT ref: 00213DD2
_free.LIBCMT ref: 00213DE3
_free.LIBCMT ref: 00213DF4

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6c11f6a5bd08f56d6aa9e0a8e81d4b247fdfa57aab30ff4479e1c55bbdbf73f8
Instruction ID: 0bb1ed8611ea24fdb19026a3c32a0432c396f70ccbcf75582e54ba334d89f49a
Opcode Fuzzy Hash: 6c11f6a5bd08f56d6aa9e0a8e81d4b247fdfa57aab30ff4479e1c55bbdbf73f8
Instruction Fuzzy Hash: F0F01D78420260FBC775AF95FC0ACC53BA1A7747103412266F409562B5C73905B6CED0

Function 00212F53 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Scan_PDF_3269252267.exe,00000104), ref: 00212F93
_free.LIBCMT ref: 0021305E
_free.LIBCMT ref: 00213068

Strings

C:\Users\user\Desktop\Scan_PDF_3269252267.exe, xrefs: 00212F8A, 00212F91, 00212FC0, 00212FF8

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Scan_PDF_3269252267.exe
API String ID: 2506810119-2764299211
Opcode ID: 5225499a4bebaf4a6bed04eff2fbb2e42228f54dcdf2976698f72e6c4c3973d5
Instruction ID: e5e47704966d7b1774c1a324883aefb3aeb0eb5f362c91090c792be74f17e5c3
Opcode Fuzzy Hash: 5225499a4bebaf4a6bed04eff2fbb2e42228f54dcdf2976698f72e6c4c3973d5
Instruction Fuzzy Hash: 57318171A10258FFCB21EF99DC85DDEBBFDEBA9710F104066F40497211D6708AA5CB91

Function 002125E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00212594,00000000,?,00221B50,?,?,?,00212737,00000004,InitializeCriticalSectionEx,0021BC48,InitializeCriticalSectionEx), ref: 002125F0
GetLastError.KERNEL32(?,00212594,00000000,?,00221B50,?,?,?,00212737,00000004,InitializeCriticalSectionEx,0021BC48,InitializeCriticalSectionEx,00000000,?,002124C7), ref: 002125FA
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00212622

Strings

api-ms-, xrefs: 00212607

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: fac3daa0f7912307c8ea2a6f4e1b9d78a8e9e3bf6ea1975f7326b7aaed104017
Instruction ID: 25f869122617b0bacc9740eb0c06462106ac425b1c42a4d275e333aa544964d9
Opcode Fuzzy Hash: fac3daa0f7912307c8ea2a6f4e1b9d78a8e9e3bf6ea1975f7326b7aaed104017
Instruction Fuzzy Hash: A8E01230654205FBDF121F61EC0AFD93BA8AB35B51F104420F90DA44E1EBA19AB49944

Function 002157DD Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00215784,00000000,00000000,00000000,00000000,?,00215981,00000006,FlsSetValue), ref: 0021580F
GetLastError.KERNEL32(?,00215784,00000000,00000000,00000000,00000000,?,00215981,00000006,FlsSetValue,0021C4D8,FlsSetValue,00000000,00000364,?,002144F6), ref: 0021581B
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00215784,00000000,00000000,00000000,00000000,?,00215981,00000006,FlsSetValue,0021C4D8,FlsSetValue,00000000), ref: 00215829

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c12ac9a78cb9066d5ca6c3b3c60277d6df8556d24b07c7c4271423d93f11fcc0
Instruction ID: aeeca9bdd714f9404bc0ba581eb3ffd72210e2ff9b2ff67668086ab1af5e1430
Opcode Fuzzy Hash: c12ac9a78cb9066d5ca6c3b3c60277d6df8556d24b07c7c4271423d93f11fcc0
Instruction Fuzzy Hash: 6301FC32635633EBC7214E78BC48AD777E8AFA97A0B124564F916D7140DB20D8D1C6E0

Function 002148BB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00214A27

Part of subcall function 0021474D: IsProcessorFeaturePresent.KERNEL32(00000017,0021473C,00000000,?,00000004,00000000,?,?,?,?,00214749,00000000,00000000,00000000,00000000,00000000), ref: 0021474F
Part of subcall function 0021474D: GetCurrentProcess.KERNEL32(C0000417), ref: 00214771
Part of subcall function 0021474D: TerminateProcess.KERNEL32(00000000), ref: 00214778

Strings

*?, xrefs: 002148FE
., xrefs: 00214BDE

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
Instruction ID: 79fea6cd00366716332d52075e988c02738d8b8ae05cc749e30e1fb5e29c200d
Opcode Fuzzy Hash: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
Instruction Fuzzy Hash: 6051C371E1010AAFDF14EFA8C881AEEF7F5EF68314F25416AE858E7340E6319E518B50

Function 00214EBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,00215147,?), ref: 00214EE9
GetACP.KERNEL32(00000000,?,?,00215147,?), ref: 00214F00

Strings

GQ!, xrefs: 00214ED7

Memory Dump Source

Source File: 00000000.00000002.2428551574.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.2428518471.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428573744.000000000021B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428593908.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428613467.0000000000223000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_Scan_PDF_3269252267.jbxd

Similarity

API ID:
String ID: GQ!
API String ID: 0-1700609564
Opcode ID: df031d1789d96868975ba34551bb6c74101d65b495e7cc80c033e1d3ab8917cc
Instruction ID: dcd1854164c46a109dbd8ed044aace6d634fdcff142a855c23d27b7312ae77c4
Opcode Fuzzy Hash: df031d1789d96868975ba34551bb6c74101d65b495e7cc80c033e1d3ab8917cc
Instruction Fuzzy Hash: C3F03130420105DBDB34EF98EC4DBE877B4AB61329F504344E4394AAE1C77199A68B51

Analysis Process: dfsvc.exePID: 6892, Parent PID: 6848COMMON

Execution Graph

Execution Coverage:	21.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFE166215E2 Relevance: 1.8, APIs: 1, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateUrlCacheEntryW.WININET ref: 00007FFE16632C03

Memory Dump Source

Source File: 00000002.00000002.3190864341.00007FFE16620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe16620000_dfsvc.jbxd

Similarity

API ID: CacheCreateEntry
String ID:
API String ID: 3741994674-0
Opcode ID: e6453e01b45829068ec569abdbc937d3e6f8f1a43cfbcb35d7b27ae69ab8b468
Instruction ID: 843144875c3f284b5cbf812d6d0ddc18143e21842d3fd0d9f4904c28b2e7e628
Opcode Fuzzy Hash: e6453e01b45829068ec569abdbc937d3e6f8f1a43cfbcb35d7b27ae69ab8b468
Instruction Fuzzy Hash: 69818171518A4D8FEBA8DF19C8457F977D1FB58310F10827EE84EC72A1DA74A845CB81

Function 00007FFE16621754 Relevance: 1.6, APIs: 1, Instructions: 131
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFE16621827

Memory Dump Source

Source File: 00000002.00000002.3190864341.00007FFE16620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe16620000_dfsvc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f1d0e6cf2015f1266a6813283340dc8270a0ad7ff132db4dc8958e996bd18090
Instruction ID: 18cb8cc4db02ea3120865b47d2948e440ca6f5c8d1c3cc9ad183fe3d2a0057db
Opcode Fuzzy Hash: f1d0e6cf2015f1266a6813283340dc8270a0ad7ff132db4dc8958e996bd18090
Instruction Fuzzy Hash: AC41913190CA5C8FDB58DB6884497F9BBE1EF95321F04826FD04DD3662DB34A8468B81

Function 00007FFE16621492 Relevance: 1.6, APIs: 1, Instructions: 102
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFE16621827

Memory Dump Source

Source File: 00000002.00000002.3190864341.00007FFE16620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe16620000_dfsvc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7b038f79cf509f5cce939a8b80542ebd7855d5d0c3e250ee53c3796959aa22f1
Instruction ID: ef49ba4a506b2235ca551f492e8eee8224f24c01ae06949e2afd0d2f535e26cf
Opcode Fuzzy Hash: 7b038f79cf509f5cce939a8b80542ebd7855d5d0c3e250ee53c3796959aa22f1
Instruction Fuzzy Hash: 03216F71908A1C9FDB58DF58D449BF9BBE0FB59321F04822FD04AD3651DB74A8068B91

Function 00007FFE166215B2 Relevance: 1.6, APIs: 1, Instructions: 102
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFE16621827

Memory Dump Source

Source File: 00000002.00000002.3190864341.00007FFE16620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe16620000_dfsvc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7b038f79cf509f5cce939a8b80542ebd7855d5d0c3e250ee53c3796959aa22f1
Instruction ID: ef49ba4a506b2235ca551f492e8eee8224f24c01ae06949e2afd0d2f535e26cf
Opcode Fuzzy Hash: 7b038f79cf509f5cce939a8b80542ebd7855d5d0c3e250ee53c3796959aa22f1
Instruction Fuzzy Hash: 03216F71908A1C9FDB58DF58D449BF9BBE0FB59321F04822FD04AD3651DB74A8068B91

Function 00007FFE16629A03 Relevance: 1.6, APIs: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFE16629A7C

Memory Dump Source

Source File: 00000002.00000002.3190864341.00007FFE16620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe16620000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: daed92c18ac3962f369b72d178233f770ce85e2e83deb3436d12edf4a2a6915b
Instruction ID: bab91859f5269e55176426fd9da51d1423147ab21b1c4b95e0393598c77c5609
Opcode Fuzzy Hash: daed92c18ac3962f369b72d178233f770ce85e2e83deb3436d12edf4a2a6915b
Instruction Fuzzy Hash: 72218E71A1CB488FDB58DF1DE4457A8BBE0FB99324F14429ED04DD3252CB35A8518B81

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Scan_PDF_3269252267.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Scan_PDF_3269252_fa341ae57d71ae7e7b2778d1ef9fa7b6b7bc40_f83fe985_9d33202f-831e-4896-b8ed-87978e5387c5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DE9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F80.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FCF.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\AD7YJBRP.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
Scan_PDF_3269252267.exe

Function 00211000 Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 199
encryptionmemorylibraryCOMMON

Function 00216507 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Function 00214330 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Function 00217AB4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Function 00218417 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Function 00211E00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Function 0021621B Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Function 002123D1 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Function 00214424 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Function 002136FC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Function 0021634D Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Function 0021561E Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Function 002144A8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Function 00216176 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Function 00007FFE166215E2 Relevance: 1.8, APIs: 1, Instructions: 258
COMMON