setup.exe
This report is generated from a file or URL submitted to this webservice on March 25th 2020 07:43:25 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Ransomware: Detected indicator that file is ransomware
- Spyware: Found a string that may be used as part of an injection method
- Fingerprint: Reads the active computer name
MITRE ATT&CK™ Techniques Detection
Additional Context
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 5

External Systems

Sample was identified as malicious by a trusted Antivirus engine
- details: No specific details available
- source: External System
- relevance: 5/10

Sample was identified as malicious by at least one Antivirus engine
- details: 4/73 Antivirus vendors marked sample as malicious (5% detection rate)
- source: External System
- relevance: 8/10

General

The analysis extracted a file that was identified as malicious
- details:
  - 1/85 Antivirus vendors marked dropped file "elcom_xml.dll" as malicious (classified as "Unavailable" with 1% detection rate)
  - 3/83 Antivirus vendors marked dropped file "APDFPR.EXE" as malicious (classified as "malicious.high.ml" with 3% detection rate)
- source: Binary File
- relevance: 10/10

The analysis spawned a process that was identified as malicious
- details: 3/83 Antivirus vendors marked spawned process "APDFPR.EXE" (PID: 4824) as malicious (classified as "malicious.high.ml" with 3% detection rate)
- source: Monitored Target
- relevance: 10/10

Unusual Characteristics

References suspicious system modules
- details: details too long to display
- source: File/Memory
- relevance: 5/10
- ATT&CK ID: T1215

Suspicious Indicators 19

Anti-Reverse Engineering

PE file has unusual entropy sections
- details: sections "???", "???", "???", ".rsrc", ".moo" with unusual entropies 7.99873581049, 7.98024768926, 7.99949815431, 7.73486163199, 7.34085155613
- source: Static Parser
- relevance: 10/10

Environment Awareness

Reads the active computer name
- details:
  - "PDFPassRecoveryTool.rar.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "APDFPR.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details: 1/70 reputation engines marked "http://www.elcomsoft.com/purchase/buy.php" as malicious (1% detection rate)
- source: External System
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details: FindResourceW@KERNEL32.dll (4 occurrences), LockResource@KERNEL32.dll, FindResourceA@KERNEL32.dll (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Installation/Persistence

Drops executable files
- details:
  - "StartMenu.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "elcom_reg.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "InstallOptions.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "elcom_xml.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "LangDLL.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "GPUManager.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "APDFPR.EXE" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
- source: Binary File
- relevance: 10/10

Ransomware/Banking

Detected indicator that file is ransomware
- details: "<OrderTextAEFSDRPro>You're using the Standard version of AEFSDR which allows to decrypt files using the "regular" keys scan method only; however, the keys (needed to decrypt your files) have been found using "Scan by sectors" feature which is available in Professional edition only. You can test the functionality of the software using Standard edition, but only first 512 bytes of file will be decrypted for testing purposes.</OrderTextAEFSDRPro>" (Source: elcom_lang.xml, Indicator: "decrypt your files")
- source: File/Memory
- relevance: 7/10

Remote Access Related

Reads terminal service related keys (often RDP related)
- details:
  - "PDFPassRecoveryTool.rar.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  - "APDFPR.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1076

Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
  - "StartMenu.dll" claimed CRC 0 while the actual is CRC 2218709
  - "elcom_reg.dll" claimed CRC 130102 while the actual is CRC 45840
  - "GPUManager.exe" claimed CRC 258099 while the actual is CRC 26390
  - "Uninstall.exe" claimed CRC 2218709 while the actual is CRC 788668
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details: RegDeleteKeyA, RegCloseKey, RegOpenKeyExA, RegDeleteValueA, RegCreateKeyExA, RegEnumKeyA, GetFileAttributesA, CopyFileA, GetModuleFileNameA, LoadLibraryA, LoadLibraryExA, GetFileSize, CreateDirectoryA, DeleteFileA, GetCommandLineA, GetProcAddress, GetTempPathA, CreateThread, GetModuleHandleA, FindFirstFileA, WriteFile, GetTempFileNameA, FindNextFileA, CreateProcessA, Sleep, CreateFileA, GetTickCount, ShellExecuteA, FindWindowExA, RegOpenKeyExW, IsDebuggerPresent, UnhandledExceptionFilter, TerminateProcess, LoadLibraryW, GetVersionExA, GetStartupInfoA, LockResource, GetModuleHandleW, FindResourceA, VirtualAlloc, VirtualProtect, RegCreateKeyExW, RegEnumKeyW, RegDeleteKeyW, RegOpenKeyW, GetModuleFileNameW, GetVersionExW, GetStartupInfoW, GetCommandLineW, FindResourceW, GetCursorPos, GetLastActivePopup, SetWindowsHookExW, GetWindowThreadProcessId, InternetCloseHandle
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
  - "PDFPassRecoveryTool.rar.exe" wrote bytes "d055327664733b760000000051c1b8759498b875ee9cb87575dcba75273eba750fb3be7500000000acdc29771bf72977c1082b77c0d92977152e297736da2977d5d9297730c62977e0c2297742c629771bc6297786c4297772c6297700000000" to virtual address "0x72C01000" (part of module "SHFOLDER.DLL")
  - "APDFPR.EXE" wrote bytes "c04e737720547477e0657477b53875770000000000d0297700000000c5ea29770000000088ea297700000000e968887582287577ee29757700000000d2698875000000007dbb29770000000009be887500000000ba18297700000000" to virtual address "0x77601000" (part of module "NSI.DLL")
  - "APDFPR.EXE" wrote bytes "48124975" to virtual address "0x754A83DC" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "48120000" to virtual address "0x754912DC" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "b88011c372ffe0" to virtual address "0x77611368" (part of module "WS2_32.DLL")
  - "APDFPR.EXE" wrote bytes "48124975" to virtual address "0x754A8364" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "a011c372" to virtual address "0x7603E324" (part of module "WININET.DLL")
  - "APDFPR.EXE" wrote bytes "68130000" to virtual address "0x77611680" (part of module "WS2_32.DLL")
  - "APDFPR.EXE" wrote bytes "b89012c372ffe0" to virtual address "0x75491248" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "f8114975" to virtual address "0x754A834C" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "b81015c372ffe0" to virtual address "0x754911F8" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "f8110000" to virtual address "0x754912CC" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "f8114975" to virtual address "0x754A83C4" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "f8114975" to virtual address "0x754A8368" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "48120000" to virtual address "0x7549139C" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "f8114975" to virtual address "0x754A83E0" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "f8110000" to virtual address "0x75491408" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "48124975" to virtual address "0x754A8348" (part of module "SSPICLI.DLL")
  - "APDFPR.EXE" wrote bytes "48124975" to virtual address "0x754A83C0" (part of module "SSPICLI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
  - "PDFPassRecoveryTool.rar.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "APDFPR.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 8 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 18

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.dll (3 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

PE file contains zero-size sections
- details:
  - Raw size of ".ndata" is zero
  - Raw size of "" is zero
  - Raw size of ".adata" is zero
- source: Static Parser
- relevance: 10/10

Environment Awareness

Contains ability to query the machine version
- details: GetVersionExA@KERNEL32.dll, GetVersionExW@KERNEL32.dll (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Makes a code branch decision directly after an API that is environment aware
- details:
  - Found API call GetVersionExA@KERNEL32.dll directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "xor ecx, ebp"
  - Found API call GetVersionExW@KERNEL32.dll directly followed by "cmp dword ptr [esp+000000A8h], 05h" and "jne 0040146Bh"
- source: Hybrid Analysis Technology
- relevance: 10/10

Reads the registry for installed applications
- details:
  - "PDFPassRecoveryTool.rar.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\PDFPASSRECOVERYTOOL.RAR.EXE")
  - "PDFPassRecoveryTool.rar.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\PDFPASSRECOVERYTOOL.RAR.EXE")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/22 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Drops files marked as clean
- details: Antivirus vendors marked the following dropped files as clean:
  - "StartMenu.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - "elcom_reg.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - "InstallOptions.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - "System.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - "LangDLL.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - "GPUManager.exe" (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
  - "Uninstall.exe" (type is "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive")
- source: Binary File
- relevance: 10/10

Loads rich edit control libraries
- details: "PDFPassRecoveryTool.rar.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6E620000
- source: Loaded Module
- ATT&CK ID: T1179

Overview of unique CLSIDs touched in registry
- details:
  - "PDFPassRecoveryTool.rar.exe" touched "Shortcut" (Path: "HKCU\CLSID\{00021401-0000-0000-C000-000000000046}")
  - "PDFPassRecoveryTool.rar.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
  - "PDFPassRecoveryTool.rar.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
  - "PDFPassRecoveryTool.rar.exe" touched "Microsoft Multiple AutoComplete List Container" (Path: "HKCU\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TREATAS")
  - "PDFPassRecoveryTool.rar.exe" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
  - "PDFPassRecoveryTool.rar.exe" touched "Microsoft AutoComplete" (Path: "HKCU\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
  - "PDFPassRecoveryTool.rar.exe" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
  - "APDFPR.EXE" touched "HHCtrl Object" (Path: "HKCU\CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\INPROCSERVER32")
- source: Registry Access
- relevance: 3/10

Scanning for window names
- details:
  - "PDFPassRecoveryTool.rar.exe" searching for class "#32770"
  - "APDFPR.EXE" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details: Spawned process "APDFPR.EXE"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details: Spawned process "APDFPR.EXE"
- source: Monitored Target
- relevance: 3/10

The input sample is signed with a certificate
- details:
  - The input sample is signed with a certificate issued by "CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US" (SHA1: AD:A8:AA:A6:43:FF:7D:C3:8D:D4:0F:A4:C9:7A:D5:59:FF:48:46:DE; see report for more information)
  - The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: F4:6A:C0:C6:EF:BB:8C:6A:14:F5:5F:09:E2:D3:7D:F4:C0:DE:01:2D; see report for more information)
  - The input sample is signed with a certificate issued by "OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US" (SHA1: 19:7A:4A:EB:DB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4; see report for more information)
  - The input sample is signed with a certificate issued by "CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa c04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: 50:FE:1B:5D:B9:0D:41:A1:BA:46:CA:71:16:45:13:BD:CC:9F:D9:25; see report for more information)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116

Installation/Persistence

Dropped files
- details:
  - "StartMenu.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "elcom_reg.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "End-User License Agreement.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Thu Jan 27 13:36:48 2005 mtime=Wed Mar 25 06:47:11 2020 atime=Thu Jan 27 13:36:48 2005 length=36580 window=hide"
  - "How to order.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Tue Nov 25 13:06:46 2008 mtime=Wed Mar 25 06:47:11 2020 atime=Tue Nov 25 13:06:46 2008 length=1235 window=hide"
  - "InstallOptions.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "elcom_xml.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Uninstall APDFPR.lnk" has type "MS Windows shortcut Item id list present Has Relative path Has Working directory ctime=Mon Jan 1 00:00:00 1601 mtime=Mon Jan 1 00:00:00 1601 atime=Mon Jan 1 00:00:00 1601 length=0 window=hide"
  - "Readme.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Tue Nov 25 13:05:46 2008 mtime=Wed Mar 25 06:47:11 2020 atime=Tue Nov 25 13:05:46 2008 length=2766 window=hide"
  - "apdfpr.chm" has type "MS Windows HtmlHelp Data"
  - "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Advanced PDF Password Recovery Help.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Tue Nov 25 13:27:46 2008 mtime=Wed Mar 25 06:47:11 2020 atime=Tue Nov 25 13:27:46 2008 length=164100 window=hide"
  - "LangDLL.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "GPUManager.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "Advanced PDF Password Recovery.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Tue Nov 25 13:23:02 2008 mtime=Wed Mar 25 06:47:11 2020 atime=Tue Nov 25 13:23:02 2008 length=754176 window=hide"
  - "APDFPR.EXE" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
  - "english.chr" has type "ASCII text with no line terminators"
  - "file_id.diz" has type "ASCII text with CRLF line terminators"
  - "elcom_lang.xml" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
  - "german.dic" has type "ISO-8859 text with CRLF line terminators"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001f.db"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Windows\System32\en-US\user32.dll.mui"
  - "PDFPassRecoveryTool.rar.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
  - "PDFPassRecoveryTool.rar.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ElcomSoft\Advanced PDF Password Recovery\Advanced PDF Password Recovery Help.lnk"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details:
  - Heuristic match: ">SkIf,.eu"
  - Pattern match: "http://ocsp.verisign.com0"
  - Pattern match: "http://crl.verisign.com/tss-ca.crl0"
  - Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0"
  - Pattern match: "https://www.verisign.com/rpa"
  - Pattern match: "https://www.verisign.com/rpa01"
  - Pattern match: "http://crl.verisign.com/pca3.crl0"
  - Pattern match: "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D"
  - Pattern match: "https://www.verisign.com/rpa0"
  - Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0"
  - Pattern match: "http://www.elcomsoft.com/purchase/buy.php"
  - Pattern match: "http://www.elcomsoft.com"
  - Pattern match: "http://www.crackpassword.com"
  - Pattern match: "http://www.passwords.ru"
  - Pattern match: "http://www.crackpassword.com/support/upgrade.php?product=%s&reg_code=%s"
  - Pattern match: "www.crackpassword.com/support/upgrade.php?product=%s&reg_code=%s"
- source: File/Memory
- relevance: 10/10

System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details:
  - "PDFPassRecoveryTool.rar.exe" opened "\Device\KsecDD"
  - "APDFPR.EXE" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215

Unusual Characteristics

Matched Compiler/Packer signature
- details:
  - "ACMSETUP.exe.bin" was detected as "Nullsoft PiMP Stub -> SFX"
  - "elcom_reg.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
  - "elcom_xml.dll" was detected as "Microsoft visual C++ 6.0 DLL"
  - "GPUManager.exe" was detected as "VC8 -> Microsoft Corporation"
  - "APDFPR.EXE" was detected as "ASProtect v1.23 RC4 - v1.3.08.24 -> Solodovnikov Alexey"
  - "Uninstall.exe" was detected as "Nullsoft PiMP Stub -> SFX"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1045

File Details

setup.exe
- Filename: setup.exe
- Size: 2.1MiB (2214440 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture: WINDOWS
- SHA256: 0a9219a50c7db9cc520b5b76493a3cdc4cd7f85c243c8f704899c2a029890959
- MD5: cbc300f1dd88bf2b828de53ca5a7c418
- SHA1: a5f4ea4d541a4bee38b4f1e99a383f4c78e6e3ed
- ssdeep: 49152:mt9p2Y7LBSNekfsvu4SQMOMhkDPosIYE3G0M:ap2Y5SNBfsvu4++DoM
- imphash: 7fa974366048f9c551ef45714595665e
- authentihash: 1af57efce827f5bd21c001b438cbcecbb8a38b63e4a5bf2de954d6dcd0d36f92
- Compiler/Packer: Nullsoft PiMP Stub -> SFX
Classification (TrID)
- 91.7% (.EXE) NSIS - Nullsoft Scriptable Install System
- 3.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 2.9% (.EXE) Win64 Executable (generic)
- 0.7% (.DLL) Win32 Dynamic Link Library (generic)
- 0.4% (.EXE) Win32 Executable (generic)
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 9 .C Files compiled with CL.EXE (Visual Studio 6 Processor Pack) (build: 9044)
- 17 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 2179)
- 2 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 2190)
File Sections
File Resources
File Imports
File Certificates
Error validating certificate: No signature was present in the subject. (0x800b0100)

Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
CN=VeriSign Time Stamping Services Signer - G2, O="VeriSign, Inc.", C=US | CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US; Serial: 3825d7faf861af9ef490e726b5d65ad5 | 06/15/2007 00:00:00 to 06/14/2012 23:59:59 | 3B:2A:74:96:89:37:03:9B:31:E5:40:9C:D0:09:D1:FE; AD:A8:AA:A6:43:FF:7D:C3:8D:D4:0F:A4:C9:7A:D5:59:FF:48:46:DE
CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA; Serial: 47bf1995df8d524643f7db6d480d31a4 | 12/04/2003 00:00:00 to 12/03/2013 23:59:59 | 68:23:26:7A:B3:5E:C7:A5:44:99:04:BB:4D:80:41:A7; F4:6A:C0:C6:EF:BB:8C:6A:14:F5:5F:09:E2:D3:7D:F4:C0:DE:01:2D
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa c04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US; Serial: 4191a15a3978dfcf496566381d4c75c2 | 07/16/2004 00:00:00 to 07/15/2014 23:59:59 | 63:FE:60:C5:5A:44:AF:8E:E2:11:5A:27:62:2A:B0:7C; 19:7A:4A:EB:DB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4
CN=ElcomSoft Co.Ltd., OU=Development, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=ElcomSoft Co.Ltd., L=Moscow, ST=Moscow, C=RU | CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa c04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; Serial: 76c04d7ecfe63d62bbe057b5375481f5 | 08/18/2006 00:00:00 to 09/24/2009 23:59:59 | 03:11:0A:66:DF:49:EE:4E:6E:C3:FC:66:74:B1:F7:16; 50:FE:1B:5D:B9:0D:41:A1:BA:46:CA:71:16:45:13:BD:CC:9F:D9:25
Screenshots
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- PDFPassRecoveryTool.rar.exe (PID: 3064) 4/85
- APDFPR.EXE (PID: 4824) 3/83
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 26 extracted file(s). The remaining 11 file(s) are available in the full version and XML/JSON reports.
Malicious 2

APDFPR.EXE
- Size: 737KiB (754176 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: Labeled as "malicious.high.ml" (3/83)
- Runtime Process: APDFPR.EXE (PID: 4824)
- MD5: 1444a95815eee7c9a456a9cfe3cf3b02
- SHA1: 14935a6fe0e0d3fa491491e58158da2631b38081
- SHA256: faa1c152ec20c1227a92d0befab8a7600c39e750f1abb38a86471745055a4cec

elcom_xml.dll
- Size: 92KiB (94208 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: Labeled as "Unavailable" (1/85)
- Runtime Process: APDFPR.EXE (PID: 4824)
- MD5: e7db6dab05ed49aa7f3ec3322a42e68c
- SHA1: 898a9267e1aa780b9b315715d95d2c7acdf3b14f
- SHA256: db3aa85321440f67dc0786591767a926997ffea748308d50ba569b88029321de

Clean 7

GPUManager.exe
- Size: 252KiB (258048 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/82
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: 627fcc6c70ab10ce8da3400cc9a265f6
- SHA1: aa29d2cdfc2dbfbd24061c2f87b47f98f747165f
- SHA256: 268aac8ef5fee396d50d1c0fce4a5a68c9c2ba82207b9b36dce13b9dff457200

Uninstall.exe
- Size: 61KiB (62359 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- AV Scan Result: 0/83
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: 4a6901a50da44d9947dbe1e242564f5a
- SHA1: 9ed188ae55b011e11141867f00cc465e90a0c5d1
- SHA256: 89e91455037f1b3293ed77a7c4798918c2afac01a574fd83261f47d969c92008

elcom_reg.dll
- Size: 111KiB (113152 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/82
- Runtime Process: APDFPR.EXE (PID: 4824)
- MD5: d95ec75ab8231c88e652fa5e8f2875e8
- SHA1: 4cdbcd51ed01d50a297412a198ecf01b85d5ba68
- SHA256: 8372e5385e3a76a8d5a3e2551c98e93a69674853e8f71427e782e06bc1dcc9be

InstallOptions.dll
- Size: 14KiB (14336 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/82
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: bec6315d69bcfd3588839959d326417f
- SHA1: 96086501633dea36373557f2b533e648822f1233
- SHA256: a25228ed00282372cac3349296613884d6c7fa2f041b3ad7df8388659f9e20e5

LangDLL.dll
- Size: 5KiB (5120 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/82
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: 2357801ccb2f2365712ef08be70443b0
- SHA1: a18377161188b4f2fa60c7f6abbfceb49186f0a7
- SHA256: 83271293ac30de94c35e835c51a377722790a798c0ca0649092a0a60a9bbc349

StartMenu.dll
- Size: 7KiB (7168 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/83
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: 89ed163bc674b9542c9a45dd50848c98
- SHA1: c261c7ad98de77f95d252afe24a4ba07bea52a3b
- SHA256: 4aaf1bc9262288e0a380ec9396d384dc55686f932675a1de0499318499950fa5

System.dll
- Size: 10KiB (10240 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/82
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: a3e10fbd190c0aa81b2b99218838bf83
- SHA1: 7c370794d0b9b698b5f509ec4a256d8665e3fe6e
- SHA256: d8d6ffb8436414b44044b58dbf401f89233f6d5c29a2642d49ba85875d997989

Informative 17

Advanced PDF Password Recovery Help.lnk
- Size: 1.3KiB (1287 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Nov 25 13:27:46 2008, mtime=Wed Mar 25 06:47:11 2020, atime=Tue Nov 25 13:27:46 2008, length=164100, window=hide
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: ff9b4ea9369e2b42d9dc179a66d60041
- SHA1: 1535fd25455399045e97e13861c9b894f77f6132
- SHA256: b8e465e2e9f25d249a9e7dd1b77f008658d87d5a4fe5ea3f5ee90d06803f62c1

Advanced PDF Password Recovery.lnk
- Size: 1.3KiB (1287 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Nov 25 13:23:02 2008, mtime=Wed Mar 25 06:47:11 2020, atime=Tue Nov 25 13:23:02 2008, length=754176, window=hide
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: fe30a3c3ea25a0e1fb52c343fbf42cb4
- SHA1: b6c727b304c3787e7566a522415fbf4c588faab0
- SHA256: 930097078fe7923ceb47fe985e90933f993c0230baf84874af4cbb60d9454585

End-User License Agreement.lnk
- Size: 1.3KiB (1292 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 27 13:36:48 2005, mtime=Wed Mar 25 06:47:11 2020, atime=Thu Jan 27 13:36:48 2005, length=36580, window=hide
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: f926692835e0395c438cddd08e78b9bf
- SHA1: 7af608d815e4cb9d6ab91e57b0f5819481cfbac6
- SHA256: 615f66ab182bc7685b711f6493fc41e7a4db0d3516f828649afe9601261c5c85

How to order.lnk
- Size: 1.3KiB (1280 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Nov 25 13:06:46 2008, mtime=Wed Mar 25 06:47:11 2020, atime=Tue Nov 25 13:06:46 2008, length=1235, window=hide
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: 798ccbe1029ec704ef8af30143b5d831
- SHA1: 7be2483338800474bed0239e43d189904e102749
- SHA256: 3599ac760eee0c58d63cecedbc0dffcb621b76b16446d4998b9a3541a5a2c983

Readme.lnk
- Size: 1.3KiB (1287 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Nov 25 13:05:46 2008, mtime=Wed Mar 25 06:47:11 2020, atime=Tue Nov 25 13:05:46 2008, length=2766, window=hide
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: db776b66a2935197e2b4883e9ec4e912
- SHA1: 4b7fb9cc1428d73bce4ae3eccbe5323fc198371a
- SHA256: 2439031b82a7c99d9cc9642cc47d72f0950710cace94d2cade5c09d3329a513b

Uninstall APDFPR.lnk
- Size: 1.1KiB (1076 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hide
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: dfb7cbe6bd4c537106579c9c2a91fb17
- SHA1: 7cbbe1f3d1e879b64e66fb5f68a1922ccb7c25c8
- SHA256: bec80373abbff34b6248c10c534fcec900cf49febd79f77ab1e4ade68e8c58f1

apdfpr.chm
- Size: 160KiB (164100 bytes)
- Type: text mshelp
- Description: MS Windows HtmlHelp Data
- Runtime Process: PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5: 315f62c4ce91c65d925000880e9ffbea
- SHA1: a5f317715c357606dbf647691bec5f5530deb132
- SHA256
- d47b056f86680ac006029f3c08eac3cf8d72e7daa06c2a4ffbd54045c4db46c1
-
apdfpr4.log
- Size
- 284B (284 bytes)
- Runtime Process
- APDFPR.EXE (PID: 4824)
- MD5
- 805de5b464e18829c1441916ee158e59
- SHA1
- 42ff258c6b27afa752966756fd161e1813abafa8
- SHA256
- 596e1aa6bc5879601f60c435f9f172153e6fab1fbef609c81446c213452f8ef7
-
digits.chr
- Size
- 10B (10 bytes)
- Runtime Process
- PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5
- 781e5e245d69b566979b86e28d23f2c7
- SHA1
- 87acec17cd9dcd20a716cc2cf67417b71c8a7016
- SHA256
- 84d89877f0d4041efb6bf91a16f0248f2fd573e6af05c19f96bedb9f882f7882
-
english.chr
- Size
- 52B (52 bytes)
- Type
- text
- Description
- ASCII text, with no line terminators
- Runtime Process
- PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5
- f72dcf91530ebe0e77808affa3dd0ee0
- SHA1
- 669b371953dd54a8b5668b6806bedcc79649e23c
- SHA256
- 6f7176a0f1ab925b2ddafcfdc98be69f977662cc3ec58975c3da1dedff3b5367
-
english.dic
- Size
- 2.7MiB (2789052 bytes)
- Runtime Process
- PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5
- 6a5aff7bec78dd1e4fc23e571b664b50
- SHA1
- 70154df7a2c71b3a78b7177487178633e89e1897
- SHA256
- 00d6dd5ddea18a32ca5337f8fe275906853109b68cd2df967dbfb0daad804510
-
english.lng
- Size
- 23KiB (23252 bytes)
- Runtime Process
- APDFPR.EXE (PID: 4824)
- MD5
- 75ea04be3ea8336b1fe0640d1ad1db51
- SHA1
- 1d0dd1d8cc2f2b33bb15adebf08a6dfd234bd7ea
- SHA256
- 40c35a414f366b45f0d662743a78f8ba0b7c83d4692651e564415bbcad864631
-
file_id.diz
- Size
- 559B (559 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5
- 9033ef5460189924db23774b71649b3f
- SHA1
- 52774ad17db00a6191b197a1f3b562c359cfab84
- SHA256
- 42589192fb12c396f85c82c2af6428653021379072452e02e7d78767099b2146
-
german.chr
- Size
- 7B (7 bytes)
- Runtime Process
- PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5
- 3996a260a8fbfb338df2738b107f0055
- SHA1
- dd95cc4cfa978463c3f5ea340d5f86f6b6a82c85
- SHA256
- e6795ad7c8fb99f7740655aaa179662d37298f110f9fa0ffdaec7fe71861e2f5
-
german.dic
- Size
- 1MiB (1086662 bytes)
- Type
- text
- Description
- ISO-8859 text, with CRLF line terminators
- Runtime Process
- PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5
- d05947b675c555547ebdeaf13499fd5e
- SHA1
- 7ca3e6275b33d828a397a37c21ecfe66b46723b0
- SHA256
- 83b61b3bc95f4ee4964fa9f9af76f1f93b860657e859597423b02c4e252b8de9
-
german.lng
- Size
- 25KiB (26084 bytes)
- Runtime Process
- APDFPR.EXE (PID: 4824)
- MD5
- 67e240d97ba4cc3397d651af7c80b442
- SHA1
- fc8e7edf73eb45adce971dcc3fbe106acc47f0a8
- SHA256
- c4a0454fbc503181c29d6cbe95706e8a7713105f16be6d5d068d94990bb0bef1
-
license.txt
- Size
- 36KiB (36580 bytes)
- Runtime Process
- PDFPassRecoveryTool.rar.exe (PID: 3064)
- MD5
- f926b1b77c5eb51568ab2c7a02359130
- SHA1
- 5795f53ec4ba867d7038e7762500a0487140abe3
- SHA256
- 567af50bb60ad9126ea1f9d4f0218f027944257c5de43b1efefc4cc5ecde8182
-
Notifications
Runtime
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "string-24" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)