Preventivo24.01.11.exe

Status: finished

Submission Time: 2024-01-23 12:07:07 +01:00

Malicious

Ransomware

Trojan

Evader

Comments

Details

Analysis ID:
1379424
API (Web) ID:
1379424
Analysis Started:

2024-01-23 12:07:08 +01:00
Analysis Finished:

2024-01-23 12:28:09 +01:00
MD5:
32f35b78a3dc5949ce3c99f2981def6b
SHA1:
18a24aa0ac052d31fc5b56f5c0187041174ffc61
SHA256:
0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 84	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
	Full Report Management Report IOC Report	malicious Score: 76	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 Run Condition: Run with higher sleep bypass

Third Party Analysis Engines

Open Full Report

malicious

Score: 12/69

IPs

IP	Country	Detection
184.25.164.138	United States
93.184.216.34	European Union
140.228.29.110	United States

Domains

Name	IP	Detection
www.example.com	93.184.216.34
vnvariant2024.ddnsfree.com	140.228.29.110

URLs

Name	Detection
https://forum.uvnc.com
http://.jpg
http://java.sun.com/products/plugin/index.html#download
Click to see the 23 hidden entries
https://www.uvnc.comhttps://forum.uvnc.comnet
https://www.advancedinstaller.com
https://www.thawte.com/repository0W
http://oneocsp.microe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
https://forum.uvnc.comvncMenu::WndProc
https://www.thawte.com/cps0/
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
https://www.uvnc.comcmd
http://html4/loose.dtd
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
http://www.example.com/download/updates.txt
http://.css
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
https://www.uvnc.com
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
http://www.pdf-tools.com
http://ocsp.thawte.com0
http://ocsp.sectigo.com0
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
https://sectigo.com/CPS0
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe	PE32 executable (GUI) Intel 80386, for MS Windows	#
Click to see the 67 hidden entries
C:\Users\user\AppData\Local\Temp\MSI54C4.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\shi5398.tmp	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	#
C:\Users\user\AppData\Local\Temp\acrocef_low\cec28c92-d6c6-474c-8465-91d556131ed3.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022	#
C:\Users\user\AppData\Local\Temp\acrocef_low\b3834f64-b555-4a46-82f6-4b7902bd13e5.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360	#
C:\Users\user\AppData\Local\Temp\acrocef_low\7b77236c-9ec4-4c37-b7fe-9f4cc6be4abd.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142	#
C:\Users\user\AppData\Local\Temp\acrocef_low\17c198f6-dee4-4333-a45e-2d68a935f042.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538	#
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log	ASCII text, with very long lines (393), with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-01-23 12-08-05-283.log	ASCII text, with very long lines (393)	#
C:\Users\user\AppData\Local\Temp\MSI7935f.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.inf	Windows setup INFormation	#
C:\Users\user\AppData\Local\Temp\MSI54A3.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Temp\MSI5406.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin	data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal	SQLite Rollback Journal	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\TempFolder\~.pdf	PDF document, version 1.7, 1 pages	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json	JSON data	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\uvncvirtualdisplay.cat	data	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UltraVNC.ini	Generic INItialization configuration [admin]	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\on.cmd	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd	ASCII text, with no line terminators	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\powercfg.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1 (…)	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {1CBDA787-08B6-4366-B2DC-C0D053E322DE}, Number of Words: 8, Subject: Photo and vn, Author: Photo and Fax Vn, N (…)	#
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\holder0.aiph	data	#
\Device\ConDrv	ASCII text, with CRLF, CR line terminators	#
\Device\Null	ASCII text, with CRLF, CR line terminators	#
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG	ASCII text	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.6304	PostScript document text	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)	PostScript document text	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)	PostScript document text	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6304	PostScript document text	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)	PostScript document text	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	#
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 66791 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	#
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)	ASCII text	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID	JSON data	#
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log	data	#
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)	JSON data	#
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\22dc0223-1fa2-493b-9b30-3ddc1f4be2d9.tmp	JSON data	#
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)	ASCII text	#
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG	ASCII text	#
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)	ASCII text	#
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	#
C:\Games\WinVNC.log	ASCII text, with CRLF, LF line terminators	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING	data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner	JSON data	#
C:\Games\IDD.txt	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface	JSON data	#
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface	JSON data	#

Preventivo24.01.11.exe

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Preventivo24.01.11.exe Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

Preventivo24.01.11.exe