Windows Analysis Report
37429345.pdf

Overview

General Information

Sample name: 37429345.pdf
renamed because original name is a hash value
Original sample name: _789337429345.pdf
Analysis ID: 1544035
MD5: 94391b5ded68319abaa7511b25e3661d
SHA1: 5b46961aa35ce1a8700c6db46132e1412a4aa23e
SHA256: 9f678c529e6a46f3cb2e5213932c5e235ac806ee064dd23336170e32ba29f5f9

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Downloads suspicious files via Chrome
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Stores files to the Windows start menu directory

Classification

Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1236057237\LICENSE.txt
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Joe Sandbox View IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: 37429345.pdf String found in binary or memory: https://qaz.is/load/fK7NR3/668d3238-49f0-4207-9478-4e8005840fbb)

System Summary

Source: C:\Program Files\Google\Chrome\Application\chrome.exe File dump: C:\Users\user\Downloads\1473272810.dps_tax_gov_ua_17622653645.rar (copy)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1211409625
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1211409625\sets.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1211409625\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1211409625\LICENSE
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1211409625\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1211409625\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1211409625\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_521230152
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_521230152\Google.Widevine.CDM.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_521230152\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_521230152\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_521230152\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_521230152\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1314818920
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1314818920\cr_en-us_500000_index.bin
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1314818920\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1314818920\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1314818920\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1314818920\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1236057237
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1236057237\LICENSE.txt
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1236057237\Filtering Rules
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1236057237\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1236057237\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1236057237\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1236057237\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1677436516
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1677436516\optimization-hints.pb
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1677436516\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1677436516\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1677436516\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1677436516\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File deleted: C:\Windows\SystemTemp\chrome_BITS_7568_706173810
Source: Google.Widevine.CDM.dll.10.dr Static PE information: Number of sections : 12 > 10
Source: unarchiver.exe, 0000000F.00000002.1960912103.00000000010CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBp
Source: classification engine Classification label: sus26.winPDF@45/68@0/5
Source: 37429345.pdf Initial sample: https://qaz.is/load/fK7NR3/668d3238-49f0-4207-9478-4e8005840fbb
Source: 37429345.pdf Initial sample: https://qaz.is/load/fk7nr3/668d3238-49f0-4207-9478-4e8005840fbb
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal
Source: C:\Windows\SysWOW64\unarchiver.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-28 13-29-01-083.log
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\37429345.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2044 --field-trial-handle=1612,i,2609987279070104200,10577324592718449673,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://qaz.is/load/fK7NR3/668d3238-49f0-4207-9478-4e8005840fbb"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1896,i,12452905871821157740,5775890423641875054,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\1473272810.dps_tax_gov_ua_17622653645.rar"
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\wu5ba1gq.lwu" "C:\Users\user\Downloads\1473272810.dps_tax_gov_ua_17622653645.rar"
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2044 --field-trial-handle=1612,i,2609987279070104200,10577324592718449673,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://qaz.is/load/fK7NR3/668d3238-49f0-4207-9478-4e8005840fbb"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1896,i,12452905871821157740,5775890423641875054,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\1473272810.dps_tax_gov_ua_17622653645.rar"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\wu5ba1gq.lwu" "C:\Users\user\Downloads\1473272810.dps_tax_gov_ua_17622653645.rar"
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\7za.exe Section loaded: 7z.dll
Source: Google Drive.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: 37429345.pdf Initial sample: PDF keyword /JS count = 0
Source: 37429345.pdf Initial sample: PDF keyword /JavaScript count = 0
Source: 37429345.pdf Initial sample: PDF keyword /EmbeddedFile count = 0
Source: Google.Widevine.CDM.dll.10.dr Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.10.dr Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.10.dr Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.10.dr Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.10.dr Static PE information: section name: _RDATA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_521230152\Google.Widevine.CDM.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7568_1236057237\LICENSE.txt
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 1090000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 2F40000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 4F40000 memory commit | memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 7900 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 15_2_00EBB1D6 GetSystemInfo, 15_2_00EBB1D6
Source: C:\Windows\SysWOW64\unarchiver.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\wu5ba1gq.lwu" "C:\Users\user\Downloads\1473272810.dps_tax_gov_ua_17622653645.rar"
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid