Edit tour

Windows Analysis Report
Ozn#U00e1men#U00ed o poru#U0161en#U00ed autorsk#U00fdch pr#U00e1v.zip

Overview

General Information

Sample name:	Ozn#U00e1men#U00ed o poru#U0161en#U00ed autorsk#U00fdch pr#U00e1v.zip renamed because original name is a hash value
Original sample name:	Oznmen o poruen autorskch prv.zip
Analysis ID:	1541141
MD5:	a8514c77b69afbb14d56ccacaea28149
SHA1:	b3d430ac79e7a27cc32e37d59f61a44de5a5dfc2
SHA256:	b044a842194be9e0a839e6f4bfc16861318a9e98148c89ad7706a0143efe6479
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 6312 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

Ozn men o poru en autorsk ch pr v.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe" MD5: 4864A55CFF27F686023456A22371E790)

Ozn men o poru en autorsk ch pr v.exe (PID: 6264 cmdline: "C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe" MD5: 4864A55CFF27F686023456A22371E790)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source:	Binary string: /app/crashsubmit?appname=SumatraPDFhttp://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5.3.0.pdbSumatraPDF.pdblibmupdf.pdbSumatraPDF-no-MuPDF.pdbhttp://kjkpub.s3.amazonaws.com/sumatrapdf/prerel/SumatraPDF-prerelease-SVN_PRE_RELEASE_VER.pdb.zipsymbols_tmp.ziphttp://kjkpub.s3.amazonaws.com/sumatrapdf/rel/SumatraPDF-1.5.3.0.pdb.zipsymbols_tmp.zipSUMATRAPDF_FULLDUMPHaihaisoft PDF Reader crashedSorry, that shouldn't have happened! source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe
Source:	Binary string: SumatraPDF-no-MuPDF.pdb source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe
Source:	Binary string: SumatraPDF-1.5.3.0.pdb source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe
Source:	Binary string: m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe
Source:	Binary string: xOdx>a0m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe
Source:	Binary string: libmupdf.pdb source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /pdfversion.htm HTTP/1.1Accept: */*User-Agent: HDMHost: www.drm-x.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: www.drm-x.com

Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://HDMHDMLoading...%s
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://blog.kowalczyk.info/software/sumatrapdf/translations.htmlContribute
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://blog.kowalczyk.info/software/sumatrapdf/translators.htmlThe
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://blog.kowalczyk.infoKrzysztof
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopen
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://cn.haihaisoft.comhttp://www.haihaisoft.comcnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://itexmac.sourceforge.net/SyncTeX.htmlJ
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://mailto:EmbeddedFilesTypeFilespecD%s%dR%s%sA%s%sKids.seen.seen.seenNumsSPStD%s.%d:%d:%dInfoPag
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://mupdf.comMuPDFpdf
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://p.yusukekamiyamane.com/Yusuke
Source: Ozn men o poru en autorsk ch pr v.exe, 0000000A.00000003.1705336227.0000000006A4F000.00000004.00000020.00020000.00000000.sdmp, Ozn men o poru en autorsk ch pr v.exe, 0000000A.00000003.1705490557.0000000006A4F000.00000004.00000020.00020000.00000000.sdmp, Ozn men o poru en autorsk ch pr v.exe, 0000000A.00000003.1593833299.0000000006A4E000.00000004.00000020.00020000.00000000.sdmp, Ozn men o poru en autorsk ch pr v.exe, 0000000A.00000003.1593068846.0000000006A4F000.00000004.00000020.00020000.00000000.sdmp, Ozn men o poru en autorsk ch pr v.exe, 0000000A.00000003.1592860044.0000000006A4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://william.famille-blum.org/William
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Digitized
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.drm-x.com/pdfversion.htm
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.drm-x.com/pdfversion.htm1.5.7.0..http://www.haihaisoft.com/PDF_Reader_download.aspxopenSo
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.drm-x.com/pdfversion.htmV
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.drm-x.com/pdfversion.htmo76
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.drm-x.com/pdfversion.htmt
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.drm-x.com/pdfversion.htmv
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.drm-x.net/http://cn.drm-x.com/LicPrepare2008.aspxLicPrepare20082013.aspx.drm-x.com/2/%s?c
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.flashvidz.tk/Zenonprogram
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.freetype.org/FreeTypefont
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.haihaisoft.com/Contact.aspx
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.haihaisoft.com/Contact.aspx%u%?.Install_DirSoftware
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.haihaisoft.com/PDF_Reader_download.aspxhttp://www.drm-x.com/pdfversion.htmMS
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.haihaisoft.comSumatraPDF
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.winimage.com/zLibDllbad
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	String found in binary or memory: http://www.zeniko.ch/#SumatraPDFSimon
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: https://www.globalsign.com/repository/06

Source: classification engine

Classification label: clean1.winZIP@3/0@1/1

Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe

File created: C:\Users\user\AppData\Roaming\Haihaisoft PDF Reader

Jump to behavior

Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: PdfVersion%d.%d Adobe Extension Level %d%d.%dRootPageLayoutRightTwoViewerPreferencesDirectionR2LRootBaseURITypeFilespecUFF\/EF.pdf%s:%d:%dSGoToRFF\/LaunchURLScrollToEFLaunchEmbeddedLaunchFileGoToRSDScrollToExScrollToExDLaunchEmbeddedFUFEFXYZFitRFitHFitBHFitFitVFitBFitBV%PDF.pdfhttp:https:mailto:<FixedPage<FixedPageFixedPageWidthHeightDeviceRGB%s#%s
Source: Oznmen o poruen autorskch prv.exe	String found in binary or memory: 0WarningVirtual printing was deniedPrinting problem.Cannot print this fileDevices%S,%S,%S,%SPrinting problem.Printer with given name doesn't existPrinting problem.Could not open PrinterPrinting problem.Could not obtain Printer propertiesPrinting problem.Couldn't initialize printerCPDFLoginDlg%I64uhttp://www.drm-x.net/http://cn.drm-x.com/LicPrepare2008.aspxLicPrepare20082013.aspx.drm-x.com/2/%s?cid=%s&kid=%s&ci=%s&vid=%s&lt=%s&session=%sButtonOKButtonCancelres://Loading...3licstore.aspxlicstore.asplicstore.phplicstore.jspLicense_table_DRM-x2<TD></TD><TD></TD><TD></TD><TD></TD><TD></TD> %s\Haihaisoft\XPDF\V%s.lic%s\Haihaisoft\XPDF\Cache</LICSET></CONTENT></LIC></LICSET></CID><CONTENT></KID><CID><LIC><KID></CONTENT></LIC></LICSET></CID><CONTENT></KID><CID><LICSET><LIC><KID>%d, reason is:Cannot write license file licstore.aspxlicstore.asplicstore.phplicstore.jspLicense_table_DRM-x1<TD></TD><TD></TD><TD></TD>"== = =content=name=>%d,%d,%d,%d,%d,%d,%d,%d,Incorrect web page!PlayerVersionSettings %s\Haihaisoft\XPDF\V%s.lic%s\Haihaisoft\XPDF\Cache</LICSET></CONTENT></LIC></LICSET></CID><CONTENT></KID><CID><LIC><KID></CONTENT></LIC></LICSET></CID><CONTENT></KID><CID><LICSET><LIC><KID>%d, reason is:Cannot write license file Cannot get CSIDL_COMMON_APPDATAlicstore.aspxlicstore.asplicstore.phplicstore.jspLicense_table_DRM-x1<TD></TD></LICSET><LIC><KID>%s</KID><CID>%s</CID><CONTENT>%s</CONTENT></LIC></LICSET>Cannot write license file<LICSET><LIC><KID>%s</KID><CID>%s</CID><CONTENT>%s</CONTENT></LIC></LICSET>%s\Haihaisoft\XPDF\bad allocationSUMATRA_PDF_NOTIFICATION_WINDOWSUMATRA_PDF_NOTIFICATION_WINDOWbad allocation&OpenCtrl+O&CloseCtrl+W&Print...Ctrl+P-----Save S&hortcut...Ctrl+Shift+SOpen in &Adobe ReaderOpen in &Foxit ReaderOpen in PDF-XChangeSend by &E-mail...-----P&ropertiesCtrl+D-----E&xitCtrl+Q&Single PageCtrl+6&FacingCtrl+7&Book ViewCtrl+8Show &pages continuously-----Rotate &LeftCtrl+Shift+-Rotate &RightCtrl+Shift++-----Pr&esentationCtrl+LF&ullscreenCtrl+Shift+L-----Book&marksF12Show &Toolbar-----Select &AllCtrl+A&Copy SelectionCtrl+C&Next PageRight Arrow&Previous PageLeft Arrow&First PageHome&Last PageEndPa&ge...Ctrl+G-----&BackAlt+Left ArrowF&orwardAlt+Right Arrow-----Fin&d...Ctrl+FFit &PageCtrl+0&Actual SizeCtrl+1Fit &WidthCtrl+2Fit &ContentCtrl+3Custom &Zoom...Ctrl+Y-----6400%3200%1600%800%400%200%150%125%100%50%25%12.5%8.33%Change Language&Options...Add to favoritesRemove from favoritesShow FavoritesVisit &Website&ManualCheck for &Updates-----&About&Copy SelectionCopy &Link AddressCopy Co&mment-----Select &All-----&Print...P&roperties&Open Document&Pin Document-----&Remove Document&%d) %s-----&File&View&Go To&ZoomF&avorites&Settings&Help&Print... (denied)&OpenCtrl+O&CloseCtrl+W-----E&xitCtrl+QPr&esentationCtrl+LF&ullscreenCtrl+Shift+L-----Book&marksF12Show &Toolbar&Next PageRight Arrow&Previous PageLeft Arrow&First PageHome&Last PageEndPa&ge...Ctrl+G-----&BackAlt+Left ArrowF&orwardAlt+Right

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe "C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe "C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe"

Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: sendmail.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: sendmail.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: windows.ui.fileexplorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: assignedaccessruntime.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Window detected: Number of UI elements: 12
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Window detected: Number of UI elements: 12
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Window detected: Number of UI elements: 13
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Window detected: Number of UI elements: 12

Source: Ozn#U00e1men#U00ed o poru#U0161en#U00ed autorsk#U00fdch pr#U00e1v.zip

Static file information: File size 34365663 > 1048576

Source:	Binary string: /app/crashsubmit?appname=SumatraPDFhttp://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5.3.0.pdbSumatraPDF.pdblibmupdf.pdbSumatraPDF-no-MuPDF.pdbhttp://kjkpub.s3.amazonaws.com/sumatrapdf/prerel/SumatraPDF-prerelease-SVN_PRE_RELEASE_VER.pdb.zipsymbols_tmp.ziphttp://kjkpub.s3.amazonaws.com/sumatrapdf/rel/SumatraPDF-1.5.3.0.pdb.zipsymbols_tmp.zipSUMATRAPDF_FULLDUMPHaihaisoft PDF Reader crashedSorry, that shouldn't have happened! source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe
Source:	Binary string: SumatraPDF-no-MuPDF.pdb source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe
Source:	Binary string: SumatraPDF-1.5.3.0.pdb source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe
Source:	Binary string: m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe
Source:	Binary string: xOdx>a0m:\sumatrapdf\hpreader-windows-standard\hpreader\Release\hpreader.pdb source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe
Source:	Binary string: libmupdf.pdb source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe

Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWkQ/

Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe	Queries volume information: C:\Program Files (x86) VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe

Directory queried: C:\Users\user\Documents

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Rundll32	Security Account Manager	11 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://www.winimage.com/zLibDll	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.drm-x.com.wswebpic.com	163.171.128.241	true	false		unknown
www.drm-x.com	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.drm-x.com/pdfversion.htm	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.zeniko.ch/#SumatraPDFSimon	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	Oznmen o poruen autorskch prv.exe	false		unknown
http://blog.kowalczyk.info/software/sumatrapdf/translators.htmlThe	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.drm-x.net/http://cn.drm-x.com/LicPrepare2008.aspxLicPrepare20082013.aspx.drm-x.com/2/%s?c	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.haihaisoft.comlibmupdf.pdbSumatraPDF.pdbSumatraPDF-prereleaseSumatraPDF.pdbSumatraPDF-1.5	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.drm-x.com/pdfversion.htmV	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://itexmac.sourceforge.net/SyncTeX.htmlJ	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://HDMHDMLoading...%s	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.drm-x.com/pdfversion.htm1.5.7.0..http://www.haihaisoft.com/PDF_Reader_download.aspxopenSo	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.flashvidz.tk/Zenonprogram	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://p.yusukekamiyamane.com/Yusuke	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://mailto:EmbeddedFilesTypeFilespecD%s%dR%s%sA%s%sKids.seen.seen.seenNumsSPStD%s.%d:%d:%dInfoPag	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://purl.oen	Ozn men o poru en autorsk ch pr v.exe, 0000000A.00000003.1705336227.0000000006A4F000.00000004.00000020.00020000.00000000.sdmp, Ozn men o poru en autorsk ch pr v.exe, 0000000A.00000003.1705490557.0000000006A4F000.00000004.00000020.00020000.00000000.sdmp, Ozn men o poru en autorsk ch pr v.exe, 0000000A.00000003.1593833299.0000000006A4E000.00000004.00000020.00020000.00000000.sdmp, Ozn men o poru en autorsk ch pr v.exe, 0000000A.00000003.1593068846.0000000006A4F000.00000004.00000020.00020000.00000000.sdmp, Ozn men o poru en autorsk ch pr v.exe, 0000000A.00000003.1592860044.0000000006A4E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.haihaisoft.com/Contact.aspx	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.freetype.org/FreeTypefont	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.haihaisoft.com/PDF_Reader_download.aspxhttp://www.drm-x.com/pdfversion.htmMS	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://blog.kowalczyk.info/software/sumatrapdf/translations.htmlContribute	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://william.famille-blum.org/William	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.apache.org/licenses/LICENSE-2.0Digitized	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.drm-x.com/pdfversion.htmo76	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.drm-x.com/pdfversion.htmv	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://mupdf.comMuPDFpdf	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.drm-x.com/pdfversion.htmt	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000003.1379495665.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.winimage.com/zLibDllbad	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.winimage.com/zLibDll	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false	URL Reputation: safe	unknown
http://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD%AF%E4%BB%B6PDF%E9%98%85%E8%AF%BB%E5%99%A8.aspxopen	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.haihaisoft.com/Contact.aspx%u%?.Install_DirSoftware	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://cn.haihaisoft.comhttp://www.haihaisoft.comcnhttp://cn.haihaisoft.com/%E6%B5%B7%E6%B5%B7%E8%BD	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://blog.kowalczyk.infoKrzysztof	Ozn men o poru en autorsk ch pr v.exe, 00000009.00000000.1294363218.00000000006C9000.00000002.00000001.01000000.00000006.sdmp, Oznmen o poruen autorskch prv.exe	false		unknown
http://www.haihaisoft.comSumatraPDF	Oznmen o poruen autorskch prv.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
163.171.128.241	www.drm-x.com.wswebpic.com	European Union		54994	QUANTILNETWORKSUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541141
Start date and time:	2024-10-24 14:01:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ozn#U00e1men#U00ed o poru#U0161en#U00ed autorsk#U00fdch pr#U00e1v.zip renamed because original name is a hash value
Original Sample Name:	Oznmen o poruen autorskch prv.zip
Detection:	CLEAN
Classification:	clean1.winZIP@3/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Ozn#U00e1men#U00ed o poru#U0161en#U00ed autorsk#U00fdch pr#U00e1v.zip

Simulations

Behavior and APIs

Time	Type	Description
08:02:33	API Interceptor	2x Sleep call for process: Ozn men o poru en autorsk ch pr v.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
QUANTILNETWORKSUS	byte.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	118.107.170.19
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	116.254.135.50
	https://t.ly/N1B0D	Get hash	malicious	Unknown	Browse	163.171.156.15
	SecuriteInfo.com.Adware.Softcnapp.188.23310.11521.exe	Get hash	malicious	Unknown	Browse	168.235.193.123
	mips.elf	Get hash	malicious	Mirai	Browse	220.242.145.246
	https://pub-6e60812ea6034887a73a58b17a92a80f.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	163.171.138.116
	https://f120987.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	163.171.133.124
	https://kucoinexplora.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	163.171.128.148
	nuklear.arm.elf	Get hash	malicious	Unknown	Browse	116.254.184.24
	na.elf	Get hash	malicious	Unknown	Browse	220.242.145.204

File type:	Zip archive data, at least v2.0 to extract, compression method=store
Entropy (8bit):	7.999985346203378
TrID:	ZIP compressed archive (8000/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	Ozn#U00e1men#U00ed o poru#U0161en#U00ed autorsk#U00fdch pr#U00e1v.zip
File size:	34'365'663 bytes
MD5:	a8514c77b69afbb14d56ccacaea28149
SHA1:	b3d430ac79e7a27cc32e37d59f61a44de5a5dfc2
SHA256:	b044a842194be9e0a839e6f4bfc16861318a9e98148c89ad7706a0143efe6479
SHA512:	27ee5927895e5dd0fd7fedba52d4dba661dd1573f861d4a74888ee179b449503e2b753657f5e48fb0e13cb63bd4ae487313a11dbad3dd5ab1562473971532764
SSDEEP:	786432:R/CKKecn9mHLInAePH3NSbZM3rAWiGuJft1doQ3ZM:G5mrpePK5WqJft1doD
TLSH:	3477336116476F348DA192FC86405A23C2AD04B9D393D76D0E24F27624493FEE6BF4BE
File Content Preview:	PK.........mVY............$.3.Ozn.men. o poru.en. autorsk.ch pr.v/up/..}8..Ozn..men.. o poru..en.. autorsk..ch pr..v/PK..........SY...Bp...m...6.E.Ozn.men. o poru.en. autorsk.ch pr.v/hpreaderfprefs.datupA.....fOzn..men.. o poru..en.. autorsk..ch pr..v/hpr

File Icon


Icon Hash:	1c1c1e4e4ececedc

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 14:02:06.715432882 CEST	49703	80	192.168.2.16	163.171.128.241
Oct 24, 2024 14:02:06.721059084 CEST	80	49703	163.171.128.241	192.168.2.16
Oct 24, 2024 14:02:06.721142054 CEST	49703	80	192.168.2.16	163.171.128.241
Oct 24, 2024 14:02:06.722798109 CEST	49703	80	192.168.2.16	163.171.128.241
Oct 24, 2024 14:02:06.728269100 CEST	80	49703	163.171.128.241	192.168.2.16
Oct 24, 2024 14:02:07.582861900 CEST	80	49703	163.171.128.241	192.168.2.16
Oct 24, 2024 14:02:07.582904100 CEST	80	49703	163.171.128.241	192.168.2.16
Oct 24, 2024 14:02:07.582958937 CEST	49703	80	192.168.2.16	163.171.128.241
Oct 24, 2024 14:02:07.582990885 CEST	49703	80	192.168.2.16	163.171.128.241
Oct 24, 2024 14:02:14.220773935 CEST	49703	80	192.168.2.16	163.171.128.241

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 14:02:05.828272104 CEST	60197	53	192.168.2.16	1.1.1.1
Oct 24, 2024 14:02:06.709875107 CEST	53	60197	1.1.1.1	192.168.2.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 14:02:05.828272104 CEST	192.168.2.16	1.1.1.1	0x964c	Standard query (0)	www.drm-x.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 14:02:06.709875107 CEST	1.1.1.1	192.168.2.16	0x964c	No error (0)	www.drm-x.com	www.drm-x.com.wswebpic.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 14:02:06.709875107 CEST	1.1.1.1	192.168.2.16	0x964c	No error (0)	www.drm-x.com.wswebpic.com		163.171.128.241	A (IP address)	IN (0x0001)	false
Oct 24, 2024 14:02:06.709875107 CEST	1.1.1.1	192.168.2.16	0x964c	No error (0)	www.drm-x.com.wswebpic.com		163.171.156.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.drm-x.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.16	49703	163.171.128.241	80	6636	C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 14:02:06.722798109 CEST	132	OUT	GET /pdfversion.htm HTTP/1.1 Accept: / User-Agent: HDM Host: www.drm-x.com Connection: Keep-Alive Cache-Control: no-cache
Oct 24, 2024 14:02:07.582861900 CEST	656	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 12:02:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Last-Modified: Thu, 05 Feb 2015 14:26:47 GMT ETag: "802dc5c54f41d01:0" Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET Age: 1305 X-Via: 1.1 PS-SJC-04AhS254:13 (Cdn Cache Server V2.0), 1.1 kf104:3 (Cdn Cache Server V2.0) x-ws-request-id: 671a373f_kf104_16360-21370 Cache-Control: no-store Set-Cookie: FECN=5f9462fa81762fd9fdf1814f41b1a94d26d92fee68f971641bc007bf74e27e39280e7f91f30b9e369dfa4e628f9284b96147dd8fc1252f4d4757b4c9e978ffba2f3b8ea5a603ef9908e71e66ed0230a273; Expires=Sun, 22-Oct-34 12:02:07 GMT; Path=/
Oct 24, 2024 14:02:07.582904100 CEST	17	IN	Data Raw: 37 0d 0a 31 2e 35 2e 32 2e 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 71.5.2.00

Target ID:	0
Start time:	08:01:52
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff6b9240000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:02:04
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe"
Imagebase:	0x400000
File size:	6'365'288 bytes
MD5 hash:	4864A55CFF27F686023456A22371E790
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:02:31
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ozn men o poru en autorsk ch pr v\Ozn men o poru en autorsk ch pr v.exe"
Imagebase:	0x400000
File size:	6'365'288 bytes
MD5 hash:	4864A55CFF27F686023456A22371E790
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ozn#U00e1men#U00ed o poru#U0161en#U00ed autorsk#U00fdch pr#U00e1v.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: rundll32.exePID: 6312, Parent PID: 804

General

Chronological Activities

Analysis Process: Ozn men o poru en autorsk ch pr v.exePID: 6636, Parent PID: 4380

General

Chronological Activities

Analysis Process: Ozn men o poru en autorsk ch pr v.exePID: 6264, Parent PID: 4380

General

Chronological Activities

Windows Analysis Report
Ozn#U00e1men#U00ed o poru#U0161en#U00ed autorsk#U00fdch pr#U00e1v.zip