Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PXUVmodpCYqRIPQ.exe |
ReversingLabs: Detection: 42% |
Source: Signed P.O.pdf.exe |
Virustotal: Detection: 39% |
Source: Signed P.O.pdf.exe |
ReversingLabs: Detection: 57% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 98.7% probability |
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PXUVmodpCYqRIPQ.exe |
Joe Sandbox ML: detected |
Source: Signed P.O.pdf.exe |
Joe Sandbox ML: detected |
Source: Signed P.O.pdf.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: |
Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Signed P.O.pdf.exe |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75194B190 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF7519340BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75195FCA0 FindFirstFileExA, |
Source: Joe Sandbox View |
IP Address: 2.23.197.184 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/10.0 Host: x1.i.lencr.org |
Source: global traffic |
DNS traffic detected: DNS query: x1.i.lencr.org |
Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: 2D85F72862B55C4EADD9E66E06947F3D0.3.dr |
String found in binary or memory: http://x1.i.lencr.org/ |
Source: initial sample |
Static PE information: Filename: Signed P.O.pdf.exe |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75192C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75194B190 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75193A4AC |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751943484 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751950754 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751934928 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75192F930 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751925E24 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75194CE88 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751941F20 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75192A310 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75192C2F0 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751927288 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75193126C |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF7519421D0 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75193F180 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF7519453F0 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF7519276C0 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751962550 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75193B534 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75195C838 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751924840 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751921AA4 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751942AB0 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751965AF8 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751931A48 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75195FA94 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF7519589A0 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751943964 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75193C96C |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751958C1C |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751944B98 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75193BB90 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751935B60 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751948DF4 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751950754 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751942D58 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751962080 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75193AF18 |
Source: Signed P.O.pdf.exe, 00000000.00000003.2135250579.000002232AC7C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameKxLf.exe4 vs Signed P.O.pdf.exe |
Source: Signed P.O.pdf.exe, 00000000.00000002.3368859378.0000022326C86000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameAcrobat.exe< vs Signed P.O.pdf.exe |
Source: Signed P.O.pdf.exe, 00000000.00000002.3368859378.0000022326C60000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameAcrobat.exe< vs Signed P.O.pdf.exe |
Source: PXUVmodpCYqRIPQ.exe.0.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Signed P.O.pdf.exe, 00000000.00000002.3368859378.0000022326BD8000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ;.VBP |
Source: classification engine |
Classification label: mal80.winEXE@16/49@1/1 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75192B6D8 GetLastError,FormatMessageW,LocalFree, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751948624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
File created: C:\Users\user\AppData\Local\Temp\RarSFX0 |
Source: Signed P.O.pdf.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
File read: C:\Windows\win.ini |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Signed P.O.pdf.exe |
Virustotal: Detection: 39% |
Source: Signed P.O.pdf.exe |
ReversingLabs: Detection: 57% |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
File read: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Source: unknown |
Process created: C:\Users\user\Desktop\Signed P.O.pdf.exe "C:\Users\user\Desktop\Signed P.O.pdf.exe" |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\Signed P.O.pdf" |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1340,i,6307355302033102829,2540060203262827178,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\Signed P.O.pdf" |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
Process created: unknown unknown |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1340,i,6307355302033102829,2540060203262827178,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process created: unknown unknown |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: dxgidebug.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: sfc_os.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: dwmapi.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: riched20.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: usp10.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: msls31.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: policymanager.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: msvcp110_win.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: slc.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: pcacli.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: Signed P.O.pdf.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: Signed P.O.pdf.exe |
Static file information: File size 4315619 > 1048576 |
Source: Signed P.O.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: Signed P.O.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: Signed P.O.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: Signed P.O.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Signed P.O.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: Signed P.O.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: Signed P.O.pdf.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: Signed P.O.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Signed P.O.pdf.exe |
Source: Signed P.O.pdf.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: Signed P.O.pdf.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: Signed P.O.pdf.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: Signed P.O.pdf.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: Signed P.O.pdf.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5135000 |
Source: Signed P.O.pdf.exe |
Static PE information: section name: .didat |
Source: Signed P.O.pdf.exe |
Static PE information: section name: _RDATA |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751965156 push rsi; retf |
0_2_00007FF751965157 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751965166 push rsi; retf |
0_2_00007FF751965167 |
Source: PXUVmodpCYqRIPQ.exe.0.dr |
Static PE information: section name: .text entropy: 7.582957382289986 |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
File created: C:\Users\user\AppData\Local\Temp\RarSFX0\PXUVmodpCYqRIPQ.exe |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\PXUVmodpCYqRIPQ.exe |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75194B190 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF7519340BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75195FCA0 FindFirstFileExA, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF7519516A4 VirtualQuery,GetSystemInfo, |
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751953170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751960D20 GetProcessHeap, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751953170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751952510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751953354 SetUnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF7519576D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75194B190 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\Signed P.O.pdf" |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF7519658E0 cpuid |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF75194A2CC GetLocaleInfoW,GetNumberFormatW, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF751950754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, |
Source: C:\Users\user\Desktop\Signed P.O.pdf.exe |
Code function: 0_2_00007FF7519351A4 GetVersionExW, |