Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 18, 2021, 9:40 a.m.	Aug. 18, 2021, 9:43 a.m.

Size	10.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5711989af8510851baf4fec63d67d1e3`
SHA256	`9e8f02051b24719f3f3382ebefeea17fcadf989f3cf155a81b25eaafe1a2d102`
CRC32	`5A60FEC9`
ssdeep	`49152:snnKhl7OrJv21vo5esN14SAzk6utURvyNoH8T3UwnedLyXh+JcNa9ERLWb9mej1a:se0JO1vo5ebPRv8n5X4uU9seqGhs`
Yara	PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer

Has US policy toward the Palestinian cause changed pdf.exe "C:\Users\test22\AppData\Local\Temp\Has US policy toward the Palestinian cause changed pdf.exe"
2132
- AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Local\Temp\Has US policy toward the Palestinian cause changed .pdf"
  1636
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
kristinthomas.work

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:52062 -> 164.124.101.2:53	2027868	ET INFO Observed DNS Query to .work TLD	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 18, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 18, 2021, 9:41 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.itext
section	.didata
section	.debug

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PDF

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Aug. 18, 2021, 9:41 a.m.	stacktrace: TMethodImplementationIntercept+0x1ccb23 dbkFCallWrapperAddr-0x43b7d has us policy toward the palestinian cause changed pdf+0x2adac3 @ 0x6adac3 TMethodImplementationIntercept+0x1ccd5c dbkFCallWrapperAddr-0x43944 has us policy toward the palestinian cause changed pdf+0x2adcfc @ 0x6adcfc TMethodImplementationIntercept+0x1d7f59 dbkFCallWrapperAddr-0x38747 has us policy toward the palestinian cause changed pdf+0x2b8ef9 @ 0x6b8ef9 TMethodImplementationIntercept+0x1d8239 dbkFCallWrapperAddr-0x38467 has us policy toward the palestinian cause changed pdf+0x2b91d9 @ 0x6b91d9 TMethodImplementationIntercept+0x1d72ab dbkFCallWrapperAddr-0x393f5 has us policy toward the palestinian cause changed pdf+0x2b824b @ 0x6b824b TMethodImplementationIntercept+0x1d7cbe dbkFCallWrapperAddr-0x389e2 has us policy toward the palestinian cause changed pdf+0x2b8c5e @ 0x6b8c5e TMethodImplementationIntercept+0x1dacca dbkFCallWrapperAddr-0x359d6 has us policy toward the palestinian cause changed pdf+0x2bbc6a @ 0x6bbc6a TMethodImplementationIntercept+0x1f7fd1 dbkFCallWrapperAddr-0x186cf has us policy toward the palestinian cause changed pdf+0x2d8f71 @ 0x6d8f71 TMethodImplementationIntercept+0x1f79f3 dbkFCallWrapperAddr-0x18cad has us policy toward the palestinian cause changed pdf+0x2d8993 @ 0x6d8993 TMethodImplementationIntercept+0x1fa057 dbkFCallWrapperAddr-0x16649 has us policy toward the palestinian cause changed pdf+0x2daff7 @ 0x6daff7 TMethodImplementationIntercept+0xbd26e dbkFCallWrapperAddr-0x153432 has us policy toward the palestinian cause changed pdf+0x19e20e @ 0x59e20e __dbk_fcall_wrapper+0x72f6a TMethodImplementationIntercept-0x5cc5a has us policy toward the palestinian cause changed pdf+0x84346 @ 0x484346 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a TMethodImplementationIntercept+0x1427a4 dbkFCallWrapperAddr-0xcdefc has us policy toward the palestinian cause changed pdf+0x223744 @ 0x623744 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1636688 registers.edi: 43498224 registers.eax: 1636688 registers.ebp: 1636768 registers.edx: 0 registers.ebx: 12007 registers.esi: 43498016 registers.ecx: 7	1
__exception__ Aug. 18, 2021, 9:42 a.m.	stacktrace: TMethodImplementationIntercept+0x1ccb23 dbkFCallWrapperAddr-0x43b7d has us policy toward the palestinian cause changed pdf+0x2adac3 @ 0x6adac3 TMethodImplementationIntercept+0x1ccd5c dbkFCallWrapperAddr-0x43944 has us policy toward the palestinian cause changed pdf+0x2adcfc @ 0x6adcfc TMethodImplementationIntercept+0x1d7f59 dbkFCallWrapperAddr-0x38747 has us policy toward the palestinian cause changed pdf+0x2b8ef9 @ 0x6b8ef9 TMethodImplementationIntercept+0x1d8239 dbkFCallWrapperAddr-0x38467 has us policy toward the palestinian cause changed pdf+0x2b91d9 @ 0x6b91d9 TMethodImplementationIntercept+0x1d72ab dbkFCallWrapperAddr-0x393f5 has us policy toward the palestinian cause changed pdf+0x2b824b @ 0x6b824b TMethodImplementationIntercept+0x1d7cbe dbkFCallWrapperAddr-0x389e2 has us policy toward the palestinian cause changed pdf+0x2b8c5e @ 0x6b8c5e TMethodImplementationIntercept+0x1dacca dbkFCallWrapperAddr-0x359d6 has us policy toward the palestinian cause changed pdf+0x2bbc6a @ 0x6bbc6a TMethodImplementationIntercept+0x1f7fd1 dbkFCallWrapperAddr-0x186cf has us policy toward the palestinian cause changed pdf+0x2d8f71 @ 0x6d8f71 TMethodImplementationIntercept+0x1f79f3 dbkFCallWrapperAddr-0x18cad has us policy toward the palestinian cause changed pdf+0x2d8993 @ 0x6d8993 TMethodImplementationIntercept+0x1fa057 dbkFCallWrapperAddr-0x16649 has us policy toward the palestinian cause changed pdf+0x2daff7 @ 0x6daff7 TMethodImplementationIntercept+0xbd26e dbkFCallWrapperAddr-0x153432 has us policy toward the palestinian cause changed pdf+0x19e20e @ 0x59e20e __dbk_fcall_wrapper+0x72f6a TMethodImplementationIntercept-0x5cc5a has us policy toward the palestinian cause changed pdf+0x84346 @ 0x484346 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a TMethodImplementationIntercept+0x1427a4 dbkFCallWrapperAddr-0xcdefc has us policy toward the palestinian cause changed pdf+0x223744 @ 0x623744 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1636688 registers.edi: 43498432 registers.eax: 1636688 registers.ebp: 1636768 registers.edx: 0 registers.ebx: 12007 registers.esi: 43498016 registers.ecx: 7	1
__exception__ Aug. 18, 2021, 9:42 a.m.	stacktrace: TMethodImplementationIntercept+0x1ccb23 dbkFCallWrapperAddr-0x43b7d has us policy toward the palestinian cause changed pdf+0x2adac3 @ 0x6adac3 TMethodImplementationIntercept+0x1ccd5c dbkFCallWrapperAddr-0x43944 has us policy toward the palestinian cause changed pdf+0x2adcfc @ 0x6adcfc TMethodImplementationIntercept+0x1d7f59 dbkFCallWrapperAddr-0x38747 has us policy toward the palestinian cause changed pdf+0x2b8ef9 @ 0x6b8ef9 TMethodImplementationIntercept+0x1d8239 dbkFCallWrapperAddr-0x38467 has us policy toward the palestinian cause changed pdf+0x2b91d9 @ 0x6b91d9 TMethodImplementationIntercept+0x1d72ab dbkFCallWrapperAddr-0x393f5 has us policy toward the palestinian cause changed pdf+0x2b824b @ 0x6b824b TMethodImplementationIntercept+0x1d7cbe dbkFCallWrapperAddr-0x389e2 has us policy toward the palestinian cause changed pdf+0x2b8c5e @ 0x6b8c5e TMethodImplementationIntercept+0x1dacca dbkFCallWrapperAddr-0x359d6 has us policy toward the palestinian cause changed pdf+0x2bbc6a @ 0x6bbc6a TMethodImplementationIntercept+0x1f7fd1 dbkFCallWrapperAddr-0x186cf has us policy toward the palestinian cause changed pdf+0x2d8f71 @ 0x6d8f71 TMethodImplementationIntercept+0x1f79f3 dbkFCallWrapperAddr-0x18cad has us policy toward the palestinian cause changed pdf+0x2d8993 @ 0x6d8993 TMethodImplementationIntercept+0x1fa057 dbkFCallWrapperAddr-0x16649 has us policy toward the palestinian cause changed pdf+0x2daff7 @ 0x6daff7 TMethodImplementationIntercept+0xbd26e dbkFCallWrapperAddr-0x153432 has us policy toward the palestinian cause changed pdf+0x19e20e @ 0x59e20e __dbk_fcall_wrapper+0x72f6a TMethodImplementationIntercept-0x5cc5a has us policy toward the palestinian cause changed pdf+0x84346 @ 0x484346 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a TMethodImplementationIntercept+0x1427a4 dbkFCallWrapperAddr-0xcdefc has us policy toward the palestinian cause changed pdf+0x223744 @ 0x623744 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1636688 registers.edi: 43498432 registers.eax: 1636688 registers.ebp: 1636768 registers.edx: 0 registers.ebx: 12007 registers.esi: 43498224 registers.ecx: 7	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 18, 2021, 9:41 a.m.

stacktrace:

TMethodImplementationIntercept+0x1ccb23 dbkFCallWrapperAddr-0x43b7d has us policy toward the palestinian cause changed pdf+0x2adac3 @ 0x6adac3
TMethodImplementationIntercept+0x1ccd5c dbkFCallWrapperAddr-0x43944 has us policy toward the palestinian cause changed pdf+0x2adcfc @ 0x6adcfc
TMethodImplementationIntercept+0x1d7f59 dbkFCallWrapperAddr-0x38747 has us policy toward the palestinian cause changed pdf+0x2b8ef9 @ 0x6b8ef9
TMethodImplementationIntercept+0x1d8239 dbkFCallWrapperAddr-0x38467 has us policy toward the palestinian cause changed pdf+0x2b91d9 @ 0x6b91d9
TMethodImplementationIntercept+0x1d72ab dbkFCallWrapperAddr-0x393f5 has us policy toward the palestinian cause changed pdf+0x2b824b @ 0x6b824b
TMethodImplementationIntercept+0x1d7cbe dbkFCallWrapperAddr-0x389e2 has us policy toward the palestinian cause changed pdf+0x2b8c5e @ 0x6b8c5e
TMethodImplementationIntercept+0x1dacca dbkFCallWrapperAddr-0x359d6 has us policy toward the palestinian cause changed pdf+0x2bbc6a @ 0x6bbc6a
TMethodImplementationIntercept+0x1f7fd1 dbkFCallWrapperAddr-0x186cf has us policy toward the palestinian cause changed pdf+0x2d8f71 @ 0x6d8f71
TMethodImplementationIntercept+0x1f79f3 dbkFCallWrapperAddr-0x18cad has us policy toward the palestinian cause changed pdf+0x2d8993 @ 0x6d8993
TMethodImplementationIntercept+0x1fa057 dbkFCallWrapperAddr-0x16649 has us policy toward the palestinian cause changed pdf+0x2daff7 @ 0x6daff7
TMethodImplementationIntercept+0xbd26e dbkFCallWrapperAddr-0x153432 has us policy toward the palestinian cause changed pdf+0x19e20e @ 0x59e20e
__dbk_fcall_wrapper+0x72f6a TMethodImplementationIntercept-0x5cc5a has us policy toward the palestinian cause changed pdf+0x84346 @ 0x484346
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a
TMethodImplementationIntercept+0x1427a4 dbkFCallWrapperAddr-0xcdefc has us policy toward the palestinian cause changed pdf+0x223744 @ 0x623744

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7566b727
registers.esp: 1636688
registers.edi: 43498224
registers.eax: 1636688
registers.ebp: 1636768
registers.edx: 0
registers.ebx: 12007
registers.esi: 43498016
registers.ecx: 7

__exception__

Aug. 18, 2021, 9:42 a.m.

stacktrace:

TMethodImplementationIntercept+0x1ccb23 dbkFCallWrapperAddr-0x43b7d has us policy toward the palestinian cause changed pdf+0x2adac3 @ 0x6adac3
TMethodImplementationIntercept+0x1ccd5c dbkFCallWrapperAddr-0x43944 has us policy toward the palestinian cause changed pdf+0x2adcfc @ 0x6adcfc
TMethodImplementationIntercept+0x1d7f59 dbkFCallWrapperAddr-0x38747 has us policy toward the palestinian cause changed pdf+0x2b8ef9 @ 0x6b8ef9
TMethodImplementationIntercept+0x1d8239 dbkFCallWrapperAddr-0x38467 has us policy toward the palestinian cause changed pdf+0x2b91d9 @ 0x6b91d9
TMethodImplementationIntercept+0x1d72ab dbkFCallWrapperAddr-0x393f5 has us policy toward the palestinian cause changed pdf+0x2b824b @ 0x6b824b
TMethodImplementationIntercept+0x1d7cbe dbkFCallWrapperAddr-0x389e2 has us policy toward the palestinian cause changed pdf+0x2b8c5e @ 0x6b8c5e
TMethodImplementationIntercept+0x1dacca dbkFCallWrapperAddr-0x359d6 has us policy toward the palestinian cause changed pdf+0x2bbc6a @ 0x6bbc6a
TMethodImplementationIntercept+0x1f7fd1 dbkFCallWrapperAddr-0x186cf has us policy toward the palestinian cause changed pdf+0x2d8f71 @ 0x6d8f71
TMethodImplementationIntercept+0x1f79f3 dbkFCallWrapperAddr-0x18cad has us policy toward the palestinian cause changed pdf+0x2d8993 @ 0x6d8993
TMethodImplementationIntercept+0x1fa057 dbkFCallWrapperAddr-0x16649 has us policy toward the palestinian cause changed pdf+0x2daff7 @ 0x6daff7
TMethodImplementationIntercept+0xbd26e dbkFCallWrapperAddr-0x153432 has us policy toward the palestinian cause changed pdf+0x19e20e @ 0x59e20e
__dbk_fcall_wrapper+0x72f6a TMethodImplementationIntercept-0x5cc5a has us policy toward the palestinian cause changed pdf+0x84346 @ 0x484346
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a
TMethodImplementationIntercept+0x1427a4 dbkFCallWrapperAddr-0xcdefc has us policy toward the palestinian cause changed pdf+0x223744 @ 0x623744

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7566b727
registers.esp: 1636688
registers.edi: 43498432
registers.eax: 1636688
registers.ebp: 1636768
registers.edx: 0
registers.ebx: 12007
registers.esi: 43498016
registers.ecx: 7

__exception__

Aug. 18, 2021, 9:42 a.m.

stacktrace:

TMethodImplementationIntercept+0x1ccb23 dbkFCallWrapperAddr-0x43b7d has us policy toward the palestinian cause changed pdf+0x2adac3 @ 0x6adac3
TMethodImplementationIntercept+0x1ccd5c dbkFCallWrapperAddr-0x43944 has us policy toward the palestinian cause changed pdf+0x2adcfc @ 0x6adcfc
TMethodImplementationIntercept+0x1d7f59 dbkFCallWrapperAddr-0x38747 has us policy toward the palestinian cause changed pdf+0x2b8ef9 @ 0x6b8ef9
TMethodImplementationIntercept+0x1d8239 dbkFCallWrapperAddr-0x38467 has us policy toward the palestinian cause changed pdf+0x2b91d9 @ 0x6b91d9
TMethodImplementationIntercept+0x1d72ab dbkFCallWrapperAddr-0x393f5 has us policy toward the palestinian cause changed pdf+0x2b824b @ 0x6b824b
TMethodImplementationIntercept+0x1d7cbe dbkFCallWrapperAddr-0x389e2 has us policy toward the palestinian cause changed pdf+0x2b8c5e @ 0x6b8c5e
TMethodImplementationIntercept+0x1dacca dbkFCallWrapperAddr-0x359d6 has us policy toward the palestinian cause changed pdf+0x2bbc6a @ 0x6bbc6a
TMethodImplementationIntercept+0x1f7fd1 dbkFCallWrapperAddr-0x186cf has us policy toward the palestinian cause changed pdf+0x2d8f71 @ 0x6d8f71
TMethodImplementationIntercept+0x1f79f3 dbkFCallWrapperAddr-0x18cad has us policy toward the palestinian cause changed pdf+0x2d8993 @ 0x6d8993
TMethodImplementationIntercept+0x1fa057 dbkFCallWrapperAddr-0x16649 has us policy toward the palestinian cause changed pdf+0x2daff7 @ 0x6daff7
TMethodImplementationIntercept+0xbd26e dbkFCallWrapperAddr-0x153432 has us policy toward the palestinian cause changed pdf+0x19e20e @ 0x59e20e
__dbk_fcall_wrapper+0x72f6a TMethodImplementationIntercept-0x5cc5a has us policy toward the palestinian cause changed pdf+0x84346 @ 0x484346
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a
TMethodImplementationIntercept+0x1427a4 dbkFCallWrapperAddr-0xcdefc has us policy toward the palestinian cause changed pdf+0x223744 @ 0x623744

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7566b727
registers.esp: 1636688
registers.edi: 43498432
registers.eax: 1636688
registers.ebp: 1636768
registers.edx: 0
registers.ebx: 12007
registers.esi: 43498224
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 18, 2021, 9:40 a.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73712000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 18, 2021, 9:40 a.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 9:40 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73712000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 9:40 a.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x708b3000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 18, 2021, 9:34 a.m.	total_number_of_free_bytes: 10847768576 free_bytes_available: 10847768576 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\Has US policy toward the Palestinian cause changed .pdf

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\Has US policy toward the Palestinian cause changed pdf.lnk

Creates a shortcut to an executable file (14 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Has US policy toward the Palestinian cause changed pdf.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Local\Temp\Has US policy toward the Palestinian cause changed pdf.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (47 events)

Time & API	Arguments	Status	Return
Process32FirstW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: [System Process] process_identifier: 0	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: System process_identifier: 4	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: smss.exe process_identifier: 228	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: wininit.exe process_identifier: 348	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: csrss.exe process_identifier: 368	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: winlogon.exe process_identifier: 412	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: services.exe process_identifier: 448	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: lsass.exe process_identifier: 464	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: lsm.exe process_identifier: 472	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 584	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 660	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 736	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 820	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 852	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: audiodg.exe process_identifier: 912	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 1004	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 312	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: spoolsv.exe process_identifier: 1032	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 1072	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: taskhost.exe process_identifier: 1140	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: dwm.exe process_identifier: 1204	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 1432	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: IMEDICTUPDATE.EXE process_identifier: 1476	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 1844	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: pw.exe process_identifier: 1996	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: SearchIndexer.exe process_identifier: 748	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: taskeng.exe process_identifier: 2932	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: WmiPrvSE.exe process_identifier: 2160	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: svchost.exe process_identifier: 2196	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: mobsync.exe process_identifier: 1684	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: pw.exe process_identifier: 904	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: taskhost.exe process_identifier: 2444	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: SearchProtocolHost.exe process_identifier: 2500	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: SearchFilterHost.exe process_identifier: 2080	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: Has US policy toward the Palestinian cause changed pdf.exe process_identifier: 2132	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: AcroRd32.exe process_identifier: 1636	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: RdrCEF.exe process_identifier: 688	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000374 process_name: RdrCEF.exe process_identifier: 2168	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000378 process_name: RdrCEF.exe process_identifier: 1792	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000378 process_name: cmd.exe process_identifier: 2412	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000378 process_name: conhost.exe process_identifier: 2408	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000378 process_name: pw.exe process_identifier: 2760	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000378 process_name: RdrCEF.exe process_identifier: 2404	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000378 process_name: RdrCEF.exe process_identifier: 3020	1	1
Process32NextW Aug. 18, 2021, 9:41 a.m.	snapshot_handle: 0x00000378 process_name: RdrCEF.exe process_identifier: 784	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 18, 2021, 9:41 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00057400', u'virtual_address': u'0x0033d000', u'entropy': 6.966263731265933, u'name': u'.rsrc', u'virtual_size': u'0x00057400'}

entropy

6.96626373127

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (32 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:41 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 9:34 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW Aug. 18, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x000001f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1	0	0
RegOpenKeyExW Aug. 18, 2021, 9:40 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000208 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1	0	0

Terminates another process (12 events)

Time & API	Arguments	Status
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 688 process_handle: 0x0000034c
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 688 process_handle: 0x0000034c	1
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 2168 process_handle: 0x0000034c
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 2168 process_handle: 0x0000034c	1
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 1792 process_handle: 0x00000374
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 1792 process_handle: 0x00000374	1
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 2404 process_handle: 0x00000374
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 2404 process_handle: 0x00000374	1
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 3020 process_handle: 0x0000034c
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 3020 process_handle: 0x0000034c	1
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 784 process_handle: 0x0000034c
NtTerminateProcess Aug. 18, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 784 process_handle: 0x0000034c	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Local\Temp\Has US policy toward the Palestinian cause changed .pdf"
cmdline	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM AntiVirusProduct

One or more non-whitelisted processes were created (1 event)

parent_process

acrord32.exe

martian_process

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.Win32.Bobik.l!c
MicroWorld-eScan	Trojan.GenericKD.37390514
ALYac	Trojan.Agent.Micropsia
Sangfor	Trojan.Win32.Bobik.gen
K7AntiVirus	Spyware ( 00580e411 )
Alibaba	TrojanSpy:Win32/TrojanX.08d6c7eb
K7GW	Spyware ( 00580e411 )
Arcabit	Trojan.Generic.D23A88B2
Cyren	W32/Trojan.TFAN-7424
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Spy.Delf.QZG
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.Win32.Bobik.gen
BitDefender	Trojan.GenericKD.37390514
Rising	Trojan.Generic@ML.84 (RDML:HvCQDca/EftVryz2UGC45g)
Ad-Aware	Trojan.GenericKD.37390514
Emsisoft	Trojan.GenericKD.37390514 (B)
DrWeb	BackDoor.Siggen2.3556
TrendMicro	TROJ_GEN.R011C0WHE21
McAfee-GW-Edition	BehavesLike.Win32.Dropper.vm
FireEye	Trojan.GenericKD.37390514
Sophos	Mal/Generic-S
Paloalto	generic.ml
Avira	TR/Spy.Agent.xjhlz
MAX	malware (ai score=83)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Tiggre!rfn
GData	Trojan.GenericKD.37390514
AhnLab-V3	Malware/Win.Generic.C4588820
McAfee	Artemis!5711989AF851
VBA32	TScope.Trojan.Delf
TrendMicro-HouseCall	TROJ_GEN.R011C0WHE21
Fortinet	W32/Bobik.QZG!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A
Qihoo-360	Win32/TrojanSpy.Bobik.HgIASaMA

Has US policy toward the Palestinian cause changed pdf.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All