Windows Analysis Report
Notificacion_juzgadoPdf.exe

Overview

General Information

Sample name: Notificacion_juzgadoPdf.exe
Analysis ID: 1428605
MD5: ae224c5e196ff381836c9e95deebb7d5
SHA1: 910446a2a0f4e53307b6fdeb1a3e236c929e2ef4
SHA256: bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26

Detection

Score: 25
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Contains functionality to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: Notificacion_juzgadoPdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Notificacion_juzgadoPdf.exe Static PE information: certificate valid
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: Notificacion_juzgadoPdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\build\ob\bora-4448491\bora-vmsoft\build\release\tools-for-windows\Win32\services\vmtoolsd\vmtoolsd.pdb source: Notificacion_juzgadoPdf.exe
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_00075E20 DeregisterEventSource,UnregisterDeviceNotification,CloseHandle,??3@YAXPAX@Z, 0_2_00075E20
Source: Notificacion_juzgadoPdf.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Notificacion_juzgadoPdf.exe String found in binary or memory: http://ocsp.thawte.com0
Source: Notificacion_juzgadoPdf.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Notificacion_juzgadoPdf.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Notificacion_juzgadoPdf.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Notificacion_juzgadoPdf.exe String found in binary or memory: http://www.vmware.com/0
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_00075190 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle, 0_2_00075190
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: String function: 00071000 appears 33 times
Source: Notificacion_juzgadoPdf.exe, 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamevmtoolsd.exe: vs Notificacion_juzgadoPdf.exe
Source: Notificacion_juzgadoPdf.exe Binary or memory string: OriginalFilenamevmtoolsd.exe: vs Notificacion_juzgadoPdf.exe
Source: classification engine Classification label: sus25.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: OpenSCManagerW,GetModuleFileNameW,Str_Aswprintf,Str_Aswprintf,Panic,CreateServiceW,free,CloseServiceHandle,Str_Snwprintf,RegCreateKeyW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_00075B20
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_00075E80 StartServiceCtrlDispatcherW,GetLastError,SetEvent, 0_2_00075E80
Source: Notificacion_juzgadoPdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Notificacion_juzgadoPdf.exe String found in binary or memory: --help
Source: Notificacion_juzgadoPdf.exe String found in binary or memory: --help--version-v-h-?Failed to set console control handler: %uNamed event for 'DumpEvent' already exists. Exiting.
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Section loaded: intl.dll
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Section loaded: glib-2.0.dll
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Section loaded: gmodule-2.0.dll
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Section loaded: gobject-2.0.dll
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Section loaded: gthread-2.0.dll
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Section loaded: vmtools.dll
Source: Notificacion_juzgadoPdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Notificacion_juzgadoPdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Notificacion_juzgadoPdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Notificacion_juzgadoPdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Notificacion_juzgadoPdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Notificacion_juzgadoPdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Notificacion_juzgadoPdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Notificacion_juzgadoPdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Notificacion_juzgadoPdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Notificacion_juzgadoPdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Notificacion_juzgadoPdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_00075620 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00075620
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_00076571 push ecx; ret 0_2_00076584

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/pluginMgr.c vmtoolsd 0_2_00072600
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: vmtoolsdControlWndClass vmtoolsdControlWndTitle vmtoolsdControlWndClass %S\VMwareToolsQuitEvent_%s %S\VMwareToolsDumpStateEvent_%s 0_2_00071880
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd Runs the VMware Tools daemon. VMware Tools daemon, version vmtoolsd %S\VMwareToolsQuitEvent_%s %S\VMwareToolsDumpStateEvent_%s 0_2_00073AC0
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: @&!*@*@(cmdline.rpcerror)Unable to send command to VMware hypervisor. vmtoolsd 0_2_00073910
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: vmtoolsd vmtoolsd VMware Tools Service VMTools 0_2_00071530
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/threadPool.c vmtoolsd 0_2_000733F0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Notificacion_juzgadoPdf.exe Binary or memory string: Command line parsing failedRuns the VMware Tools daemon.%s %sversion@&!*@*@(cmdline.version)Prints the daemon version and exits.log@&!*@*@(cmdline.log)Ignored, kept for backwards compatibility.debug@&!*@*@(cmdline.debug)Runs in debug mode, using the given plugin.config@&!*@*@(cmdline.config)Uses the config file at the given path.@&!*@*@(cmdline.displayname.argument)namedisplayname@&!*@*@(cmdline.displayname)Service display name (only used with -i).uninstall@&!*@*@(cmdline.uninstall)Uninstalls the service from the Service Control Manager.@&!*@*@(cmdline.install.args)argsinstall@&!*@*@(cmdline.install)Installs the service with the Service Control Manager.@&!*@*@(cmdline.kill)Stops a running instance of a tools service.killdump-state@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs.@&!*@*@(cmdline.rpc.command)commandcmd@&!*@*@(cmdline.rpc)Sends an RPC command to the host and exits.plugin-path@&!*@*@(cmdline.pluginpath)Path to the plugin directory.@&!*@*@(cmdline.path)pathcommon-path@&!*@*@(cmdline.commonpath)Path to the common plugin directory.@&!*@*@(cmdline.name.argument)svcnamename@&!*@*@(cmdline.name)Name of the service being started.D
Source: Notificacion_juzgadoPdf.exe Binary or memory string: http://www.vmware.com/0
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMware Tools daemon, version%s: %s
Source: Notificacion_juzgadoPdf.exe Binary or memory string: file %s: line %d: assertion `%s' failedd:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/pluginMgr.cprov->regType != existing->prov->regTypeCannot find provider for app type %d, plugin %s may not work.
Source: Notificacion_juzgadoPdf.exe Binary or memory string: %S\VMwareToolsQuitEvent_%s
Source: Notificacion_juzgadoPdf.exe Binary or memory string: d:\build\ob\bora-4448491\bora-vmsoft\build\release\tools-for-windows\Win32\services\vmtoolsd\vmtoolsd.pdb
Source: Notificacion_juzgadoPdf.exe Binary or memory string: services/vmtoolsd/svcSignals-gm.c
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMware, Inc.0
Source: Notificacion_juzgadoPdf.exe Binary or memory string: d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/pluginMgr.c
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMware, Inc.1>0<
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_AttachConsole+
Source: Notificacion_juzgadoPdf.exe Binary or memory string: vmtools.dll
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_SuspendLogIO
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_NewHandleSource
Source: Notificacion_juzgadoPdf.exe Binary or memory string: ProductNameVMware ToolsP
Source: Notificacion_juzgadoPdf.exe Binary or memory string: vmtoolsdControlWndTitle
Source: Notificacion_juzgadoPdf.exe Binary or memory string: %S\VMwareToolsDumpStateEvent_%s
Source: Notificacion_juzgadoPdf.exe Binary or memory string: vmtools
Source: Notificacion_juzgadoPdf.exe Binary or memory string: services/vmtoolsd/svcSignals-gm.creturn_value != NULLn_param_values == 3n_param_values == 4n_param_values == 6Service UninstallCould not remove %S. Error %d
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_BindTextDomain0
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_LoadConfig
Source: Notificacion_juzgadoPdf.exe Binary or memory string: %S\VMwareToolsQuitEvent_%sFailed to create control window: %uvmtoolsdControlWndTitlevmtoolsdControlWndClassLocalGlobalWaitForSingleObject failed: %u.
Source: Notificacion_juzgadoPdf.exe Binary or memory string: Runs the VMware Tools daemon.
Source: Notificacion_juzgadoPdf.exe Binary or memory string: FileDescriptionVMware Tools Core Service8
Source: Notificacion_juzgadoPdf.exe Binary or memory string: tools.set.version %utools.set.versiontype %u %uvmtoolsdisable-tools-versionUnable to register guest conf directory capability.
Source: Notificacion_juzgadoPdf.exe Binary or memory string: InternalNamevmtoolsdj#
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMware Tools Service
Source: Notificacion_juzgadoPdf.exe Binary or memory string: %S\VMwareToolsDumpStateEvent_%sNamed event for 'QuitEvent' already exists. Exiting.
Source: Notificacion_juzgadoPdf.exe Binary or memory string: d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/threadPool.c
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_LoadConfigB
Source: Notificacion_juzgadoPdf.exe Binary or memory string: vmtoolsdControlWndClass
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_NewHandleSource4
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_BindTextDomain
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_ConfigLogging
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMware Tools daemon, version
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMToolsVMware Tools ServiceCannot convert to UTF16: %s
Source: Notificacion_juzgadoPdf.exe Binary or memory string: Str_Vasprintfvmtools.dllRCloseHandleY
Source: Notificacion_juzgadoPdf.exe Binary or memory string: @&!*@*@(cmdline.rpcerror)Unable to send command to VMware hypervisor.
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools
Source: Notificacion_juzgadoPdf.exe Binary or memory string: vmtoolsd
Source: Notificacion_juzgadoPdf.exe Binary or memory string: <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="VMware.VMware.vmtoolsd" type="win32"></assemblyIdentity><description>"VMware Tools Core Service"</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings xmlns:settings="http://schemas.microsoft.com/SMI/2005/WindowsSettings"><settings:dpiAware>True/PM</settings:dpiAware></windowsSettings></application><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
Source: Notificacion_juzgadoPdf.exe Binary or memory string: tcs_shutdowntcs_capabilitieserror sending work request, executing in service thread: %sd:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/threadPool.cid != 0failed to start thread: %s.error initializing thread pool, running single threaded: %spool.maxUnusedThreadspool.maxIdleTimetcs_prop_thread_poolpool.maxThreads@&!*@*@(cmdline.rpcerror)Unable to send command to VMware hypervisor.%s
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_AttachConsole
Source: Notificacion_juzgadoPdf.exe Binary or memory string: OriginalFilenamevmtoolsd.exe:
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_GetString
Source: Notificacion_juzgadoPdf.exe Binary or memory string: CompanyNameVMware, Inc.\
Source: Notificacion_juzgadoPdf.exe Binary or memory string: 1998-2016 VMware, Inc.B
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_ResumeLogIO8
Source: Notificacion_juzgadoPdf.exe Binary or memory string: VMTools_ResumeLogIO
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_000761F0 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_000761F0
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_000762A6 SetUnhandledExceptionFilter, 0_2_000762A6
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_00071880 AllocateAndInitializeSid,GetLastError,memset,SetEntriesInAclW,malloc,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetSecurityDescriptorOwner,GetLastError,GetModuleHandleW,GetModuleHandleW,RegisterClassW,GetModuleHandleW,GetDesktopWindow,CreateWindowExW,GetLastError,SetWindowLongW,CreateEventW,GetLastError,Str_Aswprintf,CreateEventW,vm_free,GetLastError,Str_Aswprintf,CreateEventW,vm_free,GetLastError,VMTools_NewHandleSource,g_source_set_callback,g_main_loop_get_context,g_source_attach,g_source_unref,VMTools_NewHandleSource,g_source_set_callback,g_main_loop_get_context,g_source_attach,g_source_unref,VMTools_NewHandleSource,g_source_set_callback,g_main_loop_get_context,g_source_attach,g_source_unref,SetConsoleCtrlHandler,GetLastError,GetCurrentProcess,SetPriorityClass,GetCurrentThread,SetThreadPriority,SetEvent,SetConsoleCtrlHandler,FreeSid,LocalFree,free, 0_2_00071880
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_000765D8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_000765D8
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_00072AE0 GuestApp_GetInstallPath,g_strdup_printf,vm_free,g_ptr_array_new,g_strdup_printf,g_file_test_utf8,g_strdup_printf,g_file_test_utf8,g_file_test_utf8,g_ptr_array_new,g_log,g_module_close,g_module_error,g_free,g_free,g_module_make_resident,g_ptr_array_add,VMTools_BindTextDomain,g_module_close,g_module_error,g_free,g_free,g_malloc,VMTools_BindTextDomain,g_ptr_array_add,g_ptr_array_free,g_free, 0_2_00072AE0
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe Code function: 0_2_00071530 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@_N@Z,memset,SetErrorMode,Unicode_InitW,setlocale,VMTools_ConfigLogging,VMTools_BindTextDomain,g_str_has_prefix,VMTools_AttachConsole,CodeSet_Utf8ToUtf16le,CodeSet_Utf8ToUtf16le,vm_free,??2@YAPAXI@Z,vm_free,vm_free,??2@YAPAXI@Z, 0_2_00071530
No contacted IP infos