Report - Distribution Document.pdf.msc

ScreenShot KeyLogger AntiDebug AntiVM

ScreenShot

Info
Location map


Created	2025.04.28 10:48	Machine	s1_win7_x6403_us
Filename	Distribution Document.pdf.msc
Type	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
AI Score	Not founds	Behavior Score	2.8
ZERO API	file : clean
VT API (file)	13 detected (Dump, Kimsuky, Detected, ABApplication, MSCAgent)
md5	88a97131e57b1a857d13bb0cae48380e
sha256	8f6bd4aad71d11efa46687b9968dae8d735af6f966cdc3e955f859a3fd707fdd
ssdeep	384:RFitBs7D0SrIRFp4jYistqgaqakyBI92vPGOWPnQB+CdFpK:qLm0FpcYiPgaXa92qYzdFpK
imphash
impfuzzy

Network IP location

Signature (7cnts)

Level	Description
watch	File has been identified by 13 AntiVirus engines on VirusTotal as malicious
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Collects information to fingerprint the system (MachineGuid

Rules (12cnts)

Level	Name	Description	Collection
notice	KeyLogger	Run a KeyLogger	memory
notice	ScreenShot	Take ScreenShot	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory
info	vmdetect	Possibly employs anti-virtualization techniques	memory
info	win_hook	Affect hook table	memory

Network (0cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure